The AccuKnox xBOM Scan Action integrates into your GitHub workflow to:
- Scan source code, container images, Go projects, or AI/ML models
- Generate CycloneDX 1.6 BOMs (SBOM, CBOM, AIBOM)
- Upload results to AccuKnox SaaS
- Save the BOM as a downloadable GitHub Actions artefact
| Type | Tool | Source | Use Case |
|---|---|---|---|
| `sbom` | `knoxctl pkgscan` | Filesystem or container image | Packages, libraries, dependencies |
| `cbom` | `knoxctl cbom` | Go source or container image | Crypto algorithms, certs, protocols |
| `aibom` | `knoxctl aibom` | HuggingFace model or AWS Bedrock | AI/ML model inventory |
Add the following under Settings → Secrets and variables → Actions.

| Secret | Description |
|---|---|
| `ACCUKNOX_TOKEN` | AccuKnox API token. How to create |
| `ACCUKNOX_ENDPOINT` | AccuKnox endpoint, e.g. `cspm.accuknox.com` |
| `ACCUKNOX_LABEL` | AccuKnox label. How to create |

Required only for AWS Bedrock AIBOM scans:

| Secret | Description |
|---|---|
| `AWS_ACCESS_KEY_ID` | AWS access key with `bedrock:ListFoundationModels` permission |
| `AWS_SECRET_ACCESS_KEY` | Matching AWS secret access key |
To associate uploaded BOMs with the correct entity, create a Project in the AccuKnox Console before running the workflow.
- Log in to the AccuKnox Dashboard
- Navigate to SBOM → Projects
- Click New Project
- Fill in the required details:
  - Name (required): used as `project-name` in the workflow
  - Description: short description of the project
  - Classifier (required): must match the `project-classifier` input
  - Tags (optional): any tags you want to attach
- Click Create

📌 The Project Name and Project Classifier must exactly match the values passed to `project-name` and `project-classifier` in the workflow YAML.
Scans the repository source tree for packages and dependencies.

```yaml
- uses: accuknox/xbom-action@2.0
  with:
    bom-type: sbom
    path: "."
    token: ${{ secrets.ACCUKNOX_TOKEN }}
    endpoint: ${{ secrets.ACCUKNOX_ENDPOINT }}
    label: ${{ secrets.ACCUKNOX_LABEL }}
    project-name: my-project
    project-classifier: application
```

| Name | Description | Possible Options | Required |
|---|---|---|---|
| `bom-type` | Type of BOM to generate | `sbom` | Yes |
| `path` | Directory to scan | Any valid directory path | No (default: `.`) |
| `token` | AccuKnox API token | Token from AccuKnox console | Yes |
| `endpoint` | AccuKnox SaaS hostname | Hostname only, no `https://` | Yes |
| `label` | AccuKnox label | Label from AccuKnox console | Yes |
| `project-name` | AccuKnox project name | Any string | Yes |
| `project-classifier` | CycloneDX classifier | `application`, `firmware`, `library` | Yes |
Scans a built container image for installed packages. Build the image in the same job; the action only needs the tag.

```yaml
- name: Build image
  id: build
  run: |
    IMAGE="myapp:${{ github.sha }}"
    docker build -t "$IMAGE" .
    echo "image=${IMAGE}" >> "$GITHUB_OUTPUT"
- uses: accuknox/xbom-action@2.0
  with:
    bom-type: sbom
    image: ${{ steps.build.outputs.image }}
    token: ${{ secrets.ACCUKNOX_TOKEN }}
    endpoint: ${{ secrets.ACCUKNOX_ENDPOINT }}
    label: ${{ secrets.ACCUKNOX_LABEL }}
    project-name: my-project
    project-classifier: container
```

| Name | Description | Possible Options | Required |
|---|---|---|---|
| `bom-type` | Type of BOM to generate | `sbom` | Yes |
| `image` | Container image reference. Build with any tool (docker, podman, buildah, ko). The build step must run in the same job. | Image tag, e.g. `myapp:abc1234` | Yes |
| `token` | AccuKnox API token | Token from AccuKnox console | Yes |
| `endpoint` | AccuKnox SaaS hostname | Hostname only, no `https://` | Yes |
| `label` | AccuKnox label | Label from AccuKnox console | Yes |
| `project-name` | AccuKnox project name | Any string | Yes |
| `project-classifier` | CycloneDX classifier | `container` | Yes |
Scans Go source for cryptographic algorithms, protocols, and certificates.

```yaml
- uses: accuknox/xbom-action@2.0
  with:
    bom-type: cbom
    path: "."
    token: ${{ secrets.ACCUKNOX_TOKEN }}
    endpoint: ${{ secrets.ACCUKNOX_ENDPOINT }}
    label: ${{ secrets.ACCUKNOX_LABEL }}
    project-name: my-project
    project-classifier: application
```

| Name | Description | Possible Options | Required |
|---|---|---|---|
| `bom-type` | Type of BOM to generate | `cbom` | Yes |
| `path` | Directory containing Go source | Any valid directory path | No (default: `.`) |
| `token` | AccuKnox API token | Token from AccuKnox console | Yes |
| `endpoint` | AccuKnox SaaS hostname | Hostname only, no `https://` | Yes |
| `label` | AccuKnox label | Label from AccuKnox console | Yes |
| `project-name` | AccuKnox project name | Any string | Yes |
| `project-classifier` | CycloneDX classifier | `application`, `library` | Yes |
Scans a container image for cryptographic algorithms, protocols, and certificates.

⚠️ The build step and scan action must be in the same job to share the runner. The action only needs the final image reference. Build with any tool: docker, podman, buildah, ko, etc.

```yaml
- name: Build image
  id: build
  run: |
    IMAGE="myapp:${{ github.sha }}"
    docker build -t "$IMAGE" .
    echo "image=${IMAGE}" >> "$GITHUB_OUTPUT"
- uses: accuknox/xbom-action@2.0
  with:
    bom-type: cbom
    image: ${{ steps.build.outputs.image }}
    token: ${{ secrets.ACCUKNOX_TOKEN }}
    endpoint: ${{ secrets.ACCUKNOX_ENDPOINT }}
    label: ${{ secrets.ACCUKNOX_LABEL }}
    project-name: my-project
    project-classifier: container
```

| Name | Description | Possible Options | Required |
|---|---|---|---|
| `bom-type` | Type of BOM to generate | `cbom` | Yes |
| `image` | Container image reference. The build step must run in the same job. | Image tag, e.g. `myapp:abc1234` | Yes |
| `token` | AccuKnox API token | Token from AccuKnox console | Yes |
| `endpoint` | AccuKnox SaaS hostname | Hostname only, no `https://` | Yes |
| `label` | AccuKnox label | Label from AccuKnox console | Yes |
| `project-name` | AccuKnox project name | Any string | Yes |
| `project-classifier` | CycloneDX classifier | `container` | Yes |
Inventories an AI/ML model by fetching metadata from the HuggingFace Hub API.

```yaml
- uses: accuknox/xbom-action@2.0
  with:
    bom-type: aibom
    aibom-source: huggingface
    aibom-model: google-bert/bert-base-uncased
    token: ${{ secrets.ACCUKNOX_TOKEN }}
    endpoint: ${{ secrets.ACCUKNOX_ENDPOINT }}
    label: ${{ secrets.ACCUKNOX_LABEL }}
    project-name: my-project
    project-classifier: machine-learning-model
```

| Name | Description | Possible Options | Required |
|---|---|---|---|
| `bom-type` | Type of BOM to generate | `aibom` | Yes |
| `aibom-source` | AIBOM data source | `huggingface` | No (default: `huggingface`) |
| `aibom-model` | HuggingFace model ID | e.g. `google-bert/bert-base-uncased`, `meta-llama/Llama-2-7b` | Yes |
| `token` | AccuKnox API token | Token from AccuKnox console | Yes |
| `endpoint` | AccuKnox SaaS hostname | Hostname only, no `https://` | Yes |
| `label` | AccuKnox label | Label from AccuKnox console | Yes |
| `project-name` | AccuKnox project name | Any string | Yes |
| `project-classifier` | CycloneDX classifier | `machine-learning-model` | Yes |
Inventories all foundation models accessible in your AWS Bedrock account for the given region. Requires AWS credentials with `bedrock:ListFoundationModels` permission.

```yaml
- uses: accuknox/xbom-action@2.0
  with:
    bom-type: aibom
    aibom-source: bedrock
    aws-region: us-east-1
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    token: ${{ secrets.ACCUKNOX_TOKEN }}
    endpoint: ${{ secrets.ACCUKNOX_ENDPOINT }}
    label: ${{ secrets.ACCUKNOX_LABEL }}
    project-name: my-project
    project-classifier: application
```

| Name | Description | Possible Options | Required |
|---|---|---|---|
| `bom-type` | Type of BOM to generate | `aibom` | Yes |
| `aibom-source` | AIBOM data source | `bedrock` | Yes |
| `aws-region` | AWS region for Bedrock scan | AWS region code, e.g. `us-east-1`, `us-west-2`, `eu-central-1` | Yes |
| `aws-access-key-id` | AWS access key ID with `bedrock:ListFoundationModels` permission | AWS access key string | Yes |
| `aws-secret-access-key` | AWS secret access key | AWS secret key string | Yes |
| `token` | AccuKnox API token | Token from AccuKnox console | Yes |
| `endpoint` | AccuKnox SaaS hostname | Hostname only, no `https://` | Yes |
| `label` | AccuKnox label | Label from AccuKnox console | Yes |
| `project-name` | AccuKnox project name | Any string | Yes |
| `project-classifier` | CycloneDX classifier | `machine-learning-model` | Yes |
```yaml
name: AccuKnox xBOM Scan
on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]
jobs:
  xbom-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: accuknox/xbom-action@2.0
        with:
          bom-type: sbom
          path: "."
          token: ${{ secrets.ACCUKNOX_TOKEN }}
          endpoint: ${{ secrets.ACCUKNOX_ENDPOINT }}
          label: ${{ secrets.ACCUKNOX_LABEL }}
          project-name: my-project
          project-classifier: application
```

After the workflow runs, the generated BOM is saved as a GitHub Actions artefact:
- Go to your repository on GitHub
- Click Actions
- Select the workflow run
- Scroll to the Artifacts section at the bottom
- Click to download the BOM file
To attach the BOM as a GitHub Release asset, trigger the workflow on `release: published` and use `softprops/action-gh-release` to attach the generated BOM.

⚠️ The job requires explicit permissions and must be triggered by a release event.

```yaml
name: AccuKnox xBOM Scan
on:
  release:
    types: [published]
jobs:
  xbom-publish:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: write
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v6
      - name: Run AccuKnox xBOM Scan
        uses: accuknox/xbom-action@2.0
        with:
          bom-type: sbom
          path: "."
          token: ${{ secrets.ACCUKNOX_TOKEN }}
          endpoint: ${{ secrets.ACCUKNOX_ENDPOINT }}
          label: ${{ secrets.ACCUKNOX_LABEL }}
          project-name: my-project
          project-classifier: application
      - name: Download Workflow Artifacts
        uses: actions/download-artifact@v4
        with:
          path: artifacts
      - name: Upload SBOM to GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          files: artifacts/**/*.json
```

- The action generates and uploads the BOM and saves it as a workflow artefact
- `actions/download-artifact@v4` pulls all workflow artefacts into `artifacts/`
- `softprops/action-gh-release@v2` attaches every `*.json` file under `artifacts/` to the release that triggered the workflow
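Because the release step attaches every `*.json` it finds, a job can gate the downloaded files first. The check below is an added example, not part of accuknox/xbom-action: it confirms each file is a CycloneDX 1.6 BOM whose top-level component type matches the `project-classifier` the scan ran with, and counts cryptographic assets for a CBOM. CycloneDX field names are from the 1.6 schema; the sample BOM is constructed.

```python
# Added example (not part of accuknox/xbom-action): gate downloaded BOM artefacts
# before attaching them to a release. CycloneDX field names are from the 1.6
# schema; ALLOWED_CLASSIFIERS are the project-classifier values in the tables above.
import json, sys
from pathlib import Path

ALLOWED_CLASSIFIERS = {"application", "firmware", "library", "container",
                       "machine-learning-model"}


def bom_errors(bom: dict, expected_classifier: str) -> list:
    """Return the problems found; an empty list means the BOM passes the gate."""
    errors = []
    if bom.get("bomFormat") != "CycloneDX":
        errors.append(f"bomFormat is {bom.get('bomFormat')!r}, not 'CycloneDX'")
    if bom.get("specVersion") != "1.6":
        errors.append(f"specVersion is {bom.get('specVersion')!r}, not '1.6'")
    if expected_classifier not in ALLOWED_CLASSIFIERS:
        errors.append(f"unknown project-classifier {expected_classifier!r}")
    root = bom.get("metadata", {}).get("component") or {}
    if root.get("type") != expected_classifier:
        errors.append(f"metadata.component.type is {root.get('type')!r}, "
                      f"expected {expected_classifier!r}")
    return errors


def summarize(bom: dict) -> dict:
    """Counts worth logging: all components and, for a CBOM, those with cryptoProperties."""
    components = bom.get("components", [])
    return {"components": len(components),
            "crypto_assets": sum(1 for c in components if "cryptoProperties" in c)}


def check_files(paths, expected_classifier) -> dict:
    """Map each JSON file to its error list; fail the step if any list is non-empty."""
    return {str(p): bom_errors(json.loads(Path(p).read_text()), expected_classifier)
            for p in paths}


# Constructed sample shaped like an SBOM for project-classifier "application".
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "metadata": {"component": {"type": "application", "name": "my-project"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3"},
        {"type": "cryptographic-asset", "name": "AES-256-GCM",
         "cryptoProperties": {"assetType": "algorithm"}}]}

if __name__ == "__main__":  # e.g. python check_bom.py application artifacts/*/*.json
    results = check_files(sys.argv[2:], sys.argv[1])
    for path, errs in results.items():
        print(path, "OK" if not errs else "; ".join(errs))
    sys.exit(1 if any(results.values()) else 0)
```

Run it as a step between `Download Workflow Artifacts` and `Upload SBOM to GitHub Release`; a non-zero exit fails the job before anything reaches the release.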
- Push the workflow file to your default branch (`main` or `master`)
- Go to Releases → Draft a new release
- Pick a tag, fill in the title, and click Publish release
- The workflow runs automatically; the BOM appears under Assets on the release page when it finishes
