ClickBOM

Downloads SBOMs from GitHub, Mend, and Wiz. Uploads to S3 and ClickHouse.

• Inputs
  • GitHub
  • Mend
  • Wiz
  • AWS
  • ClickHouse
  • General
• Usage
  • Same Repository
  • Same Repository with ClickHouse
  • Same Repository with GitHub App
  • Multiple Repositories
  • Merging SBOMs Stored In S3
  • Merging SBOMs with Include/Exclude Filters
  • Downloading an SBOM from Mend
  • Downloading an SBOM from Wiz
• Creating a GitHub App

Inputs

GitHub

Name	Description	Default	Required	Sensitive
github-token	GitHub Token		false	true
repository	Repository to download SBOM from		false	false

• github-token can be the built-in ${{ secrets.GITHUB_TOKEN }} or a token generated by a GitHub App. If you use a GitHub App, see Creating a GitHub App.

Mend

Name	Description	Default	Required	Sensitive
mend-email	Mend user email address		false	true
mend-org-uuid	Mend organization UUID		false	true
mend-user-key	Mend user key		false	true
mend-base-url	Mend base URL	https://api-saas.mend.io	false	false
mend-product-uuid	Mend product UUID for product-scoped SBOM		false	true
mend-project-uuid	Mend project UUID for project-scoped SBOM		false	true
mend-org-scope-uuid	Mend organization UUID for organization-scoped SBOM		false	true
mend-project-uuids	Comma-separated list of specific project UUIDs to include		false	true
mend-max-wait-time	Maximum time to wait for Mend report generation (seconds)	1800	false	false
mend-poll-interval	Polling interval for Mend report status (seconds)	30	false	false

• The mend-org-scope-uuid is used for organization-scoped SBOMs, which is different from the mend-org-uuid used for authentication.
• ClickBOM only supports downloading SBOMs from Mend in the CycloneDX v1.5 format. If you need to convert the SBOM to SPDX, you can use the sbom-format input. (Support for SPDX coming soon)

Wiz

Name	Description	Default	Required	Sensitive
wiz-auth-endpoint	Wiz Auth Endpoint		false	true
wiz-api-endpoint	Wiz API Endpoint		false	true
wiz-client-id	Wiz Client ID		false	true
wiz-client-secret	Wiz Client Secret		false	true
wiz-report-id	Wiz Report ID		false	true

AWS

Name	Description	Default	Required	Sensitive
aws-access-key-id	AWS Access Key ID		true	true
aws-secret-access-key	AWS Secret Access Key		true	true
aws-region	AWS Region	us-east-1	false	false
s3-bucket	S3 Bucket Name		false	false
s3-key	S3 Key Prefix	sbom.json	false	false

• It is recommended that an S3 bucket be created for the purposes of ClickBOM.

ClickHouse

Name	Description	Default	Required	Sensitive
clickhouse-url	ClickHouse URL		false	true
clickhouse-database	ClickHouse Database Name	default	false	false
clickhouse-username	ClickHouse Username	default	false	false
clickhouse-password	ClickHouse Password	(empty)	false	true
truncate-table	Truncate table before insert	false	false	false

• At the moment, ClickHouse ingestion is only supported over HTTP.

General

Name	Description	Default	Required	Sensitive
sbom-source	Source of SBOM (github, mend, wiz)	github	false	false
sbom-format	SBOM format (spdxjson or cyclonedx)	cyclonedx	false	false
merge	Merge SBOMs stored in S3	false	false	false
include	Comma-separated list of filenames or patterns to include when merging	(empty)	false	false
exclude	Comma-separated list of filenames or patterns to exclude when merging	(empty)	false	false
debug	Enable debug logging	false	false	false

• sbom-format specifies the format you want the final SBOM to be in. For example, GitHub only supports SPDX, settings this input to cyclonedx will convert the SBOM to CycloneDX format.
• include and exclude are only used when merge is set to true. They allow you to filter which files from the S3 bucket should be included in the merge operation.
• Both include and exclude support exact filename matching and wildcard patterns (e.g., file*.json, *-prod.json).
• If include is specified, only files matching the include patterns will be processed.
• If exclude is specified, files matching the exclude patterns will be skipped.
• exclude is applied after include, so a file that matches both an include and exclude pattern will be excluded.

Usage

Same Repository

Simple example of downloading the SBOM from the same repository and uploading it to S3. Converts the SBOM to CycloneDX format.

name: Upload SBOM
on:
  push:
    branches:
      - main
      
jobs:
  clickbom:
    name: ClickBOM
    runs-on: ubuntu-latest

    permissions:
      id-token: write
      contents: read

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Configure AWS Credentials
        id: aws-creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
          role-session-name: clickbom-session
          aws-region: us-east-1

      - name: Upload SBOM
        uses: ClickHouse/[email protected]
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          s3-bucket: my-sbom-bucket
          s3-key: clickbom.json
          repository: ${{ github.repository_owner }}/${{ github.repository }}

Same Repository with ClickHouse

Downloads the SBOM from the same repository and uploads it to S3. Converts the SBOM to CycloneDX format. Also uploads the SBOM to ClickHouse.

name: Upload SBOM
on:
  push:
    branches:
      - main
      
jobs:
  clickbom:
    name: ClickBOM
    runs-on: ubuntu-latest

    permissions:
      id-token: write
      contents: read

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Configure AWS Credentials
        id: aws-creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
          role-session-name: clickbom-session
          aws-region: us-east-1

      - name: Upload SBOM
        uses: ClickHouse/[email protected]
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          s3-bucket: my-sbom-bucket
          s3-key: clickbom.json
          repository: ${{ github.repository_owner }}/${{ github.repository }}
          clickhouse-url: ${{ secrets.CLICKHOUSE_URL }}
          clickhouse-database: ${{ secrets.CLICKHOUSE_DATABASE }}
          clickhouse-username: ${{ secrets.CLICKHOUSE_USERNAME }}
          clickhouse-password: ${{ secrets.CLICKHOUSE_PASSWORD }}

Same Repository with GitHub App

Downloads the SBOM from the same repository and uploads it to S3. Keeps the SBOM in SPDX format. Authenticates using a GitHub App. See Creating a GitHub App.

name: Upload SBOM
on:
  push:
    branches:
      - main
      
jobs:
  clickbom:
    name: ClickBOM
    runs-on: ubuntu-latest

    permissions:
      id-token: write
      contents: read

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Generate Token
        id: generate-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.CLICKBOM_AUTH_APP_ID }}
          private-key: ${{ secrets.CLICKBOM_AUTH_PRIVATE_KEY }}

      - name: Configure AWS Credentials
        id: aws-creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
          role-session-name: clickbom-session
          aws-region: us-east-1

      - name: Upload SBOM
        uses: ClickHouse/[email protected]
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          sbom-format: spdxjson
          s3-bucket: my-sbom-bucket
          s3-key: clickbom.json
          repository: ${{ github.repository_owner }}/${{ github.repository }}
          clickhouse-url: ${{ secrets.CLICKHOUSE_URL }}
          clickhouse-database: ${{ secrets.CLICKHOUSE_DATABASE }}
          clickhouse-username: ${{ secrets.CLICKHOUSE_USERNAME }}
          clickhouse-password: ${{ secrets.CLICKHOUSE_PASSWORD }}

Multiple Repositories

Downloads SBOMs from multiple repositories (must have GitHub App installed), Converts SBOMs to CycloneDX format, and uploads them to S3 and ClickHouse.

name: Upload SBOM
on:
  push:
    branches:
      - main
      
jobs:
  clickbom:
    strategy:
      fail-fast: false
      matrix:
        repository: [
          "repository-one",
          "repository-two",
          "repository-three"
        ]
    name: ClickBOM
    runs-on: ubuntu-latest

    permissions:
      id-token: write
      contents: read

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Generate Token
        id: generate-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.CLICKBOM_AUTH_APP_ID }}
          private-key: ${{ secrets.CLICKBOM_AUTH_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: ${{ matrix.repository }}

      - name: Configure AWS Credentials
        id: aws-creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
          role-session-name: clickbom-session
          aws-region: us-east-1

      - name: Upload SBOM
        uses: ClickHouse/[email protected]
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          s3-bucket: my-sbom-bucket
          s3-key: ${{ matrix.repository }}.json
          repository: ${{ github.repository_owner }}/${{ matrix.repository }}
          clickhouse-url: ${{ secrets.CLICKHOUSE_URL }}
          clickhouse-database: ${{ secrets.CLICKHOUSE_DATABASE }}
          clickhouse-username: ${{ secrets.CLICKHOUSE_USERNAME }}
          clickhouse-password: ${{ secrets.CLICKHOUSE_PASSWORD }}

Merging SBOMs Stored In S3

This example adds to the previous one by merging SBOMs stored in S3. It downloads the SBOMs from S3, merges them, and uploads the merged SBOM back to S3 and ClickHouse. Only the CycloneDX format is supported for merging.

name: Upload SBOM
on:
  push:
    branches:
      - main
      
jobs:
  clickbom:
    strategy:
      fail-fast: false
      matrix:
        repository: [
          "repository-one",
          "repository-two",
          "repository-three"
        ]
    name: ClickBOM
    runs-on: ubuntu-latest

    permissions:
      id-token: write
      contents: read

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Generate Token
        id: generate-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.CLICKBOM_AUTH_APP_ID }}
          private-key: ${{ secrets.CLICKBOM_AUTH_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: ${{ matrix.repository }}

      - name: Configure AWS Credentials
        id: aws-creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
          role-session-name: clickbom-session
          aws-region: us-east-1

      - name: Upload SBOM
        uses: ClickHouse/[email protected]
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          s3-bucket: my-sbom-bucket
          s3-key: ${{ matrix.repository }}.json
          repository: ${{ github.repository_owner }}/${{ matrix.repository }}
          clickhouse-url: ${{ secrets.CLICKHOUSE_URL }}
          clickhouse-database: ${{ secrets.CLICKHOUSE_DATABASE }}
          clickhouse-username: ${{ secrets.CLICKHOUSE_USERNAME }}
          clickhouse-password: ${{ secrets.CLICKHOUSE_PASSWORD }}
  
  clickbom_merge:
    needs: clickbom
    name: ClickBOM Merge
    runs-on: ubuntu-latest

    permissions:
      id-token: write
      contents: read

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Generate Token
        id: generate-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.CLICKBOM_AUTH_APP_ID }}
          private-key: ${{ secrets.CLICKBOM_AUTH_PRIVATE_KEY }}

      - name: Configure AWS Credentials
        id: aws-creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
          role-session-name: clickbom-session
          aws-region: us-east-1

      - name: Upload SBOM
        uses: ClickHouse/[email protected]
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          s3-bucket: my-sbom-bucket
          s3-key: clickbom.json
          clickhouse-url: ${{ secrets.CLICKHOUSE_URL }}
          clickhouse-database: ${{ secrets.CLICKHOUSE_DATABASE }}
          clickhouse-username: ${{ secrets.CLICKHOUSE_USERNAME }}
          clickhouse-password: ${{ secrets.CLICKHOUSE_PASSWORD }}
          merge: true

Merging SBOMs with Include/Exclude Filters

This example shows how to use the include and exclude filters when merging SBOMs. This is useful when you want to merge only specific files from your S3 bucket.

name: Upload SBOM
on:
  push:
    branches:
      - main
      
jobs:
  clickbom_merge:
    name: ClickBOM Merge with Filters
    runs-on: ubuntu-latest

    permissions:
      id-token: write
      contents: read

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Generate Token
        id: generate-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.CLICKBOM_AUTH_APP_ID }}
          private-key: ${{ secrets.CLICKBOM_AUTH_PRIVATE_KEY }}

      - name: Configure AWS Credentials
        id: aws-creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
          role-session-name: clickbom-session
          aws-region: us-east-1

      - name: Merge Production SBOMs Only
        uses: ClickHouse/[email protected]
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          s3-bucket: my-sbom-bucket
          s3-key: production-merged.json
          clickhouse-url: ${{ secrets.CLICKHOUSE_URL }}
          clickhouse-database: ${{ secrets.CLICKHOUSE_DATABASE }}
          clickhouse-username: ${{ secrets.CLICKHOUSE_USERNAME }}
          clickhouse-password: ${{ secrets.CLICKHOUSE_PASSWORD }}
          merge: true
          include: "*-prod.json,production-*.json"
          exclude: "*-test.json,*-dev.json"

In this example:

• include: "*-prod.json,production-*.json" will only process files that match these patterns
• exclude: "*-test.json,*-dev.json" will skip any files that match these patterns
• The result is that only production-related SBOMs will be merged, excluding test and development SBOMs

Downloading an SBOM from Mend

If you want to download an SBOM from Mend, you can use the following example. This example assumes you have the necessary Mend credentials set up in your GitHub Secrets.

name: Upload SBOM
on:
  push:
    branches:
      - main
      
jobs:
  clickbom:
    name: ClickBOM
    runs-on: ubuntu-latest

    permissions:
      id-token: write
      contents: read

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Configure AWS Credentials
        id: aws-creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
          role-session-name: clickbom-session
          aws-region: us-east-1

      - name: Upload SBOM from Mend
        uses: ClickHouse/[email protected]
        with:
          aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          s3-bucket: my-sbom-bucket
          s3-key: clickbom.json
          sbom-source: mend
          mend-email: ${{ secrets.CLICKBOM_MEND_EMAIL }}
          mend-org-uuid: ${{ secrets.CLICKBOM_MEND_ORG_UUID }}
          mend-user-key: ${{ secrets.CLICKBOM_MEND_USER_KEY }}
          mend-product-uuid: ${{ secrets.CLICKBOM_MEND_PRODUCT_UUID }}
          mend-project-uuid: ${{ secrets.CLICKBOM_MEND_PROJECT_UUID }}
          clickhouse-url: ${{ secrets.CLICKHOUSE_URL }}
          clickhouse-database: ${{ secrets.CLICKHOUSE_DATABASE }}
          clickhouse-username: ${{ secrets.CLICKHOUSE_USERNAME }}
          clickhouse-password: ${{ secrets.CLICKHOUSE_PASSWORD }}

Downloading an SBOM from Wiz

If you want to download an SBOM from Wiz, you can use the following example. This example assumes you have the necessary Wiz credentials set up in your GitHub Secrets.

name: Upload SBOM
on:
  push:
    branches:
      - main

jobs:
  clickbom:
    name: ClickBOM
    runs-on: ubuntu-latest

    permissions:
      id-token: write
      contents: read

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Configure AWS Credentials
        id: aws-creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
          role-session-name: clickbom-session
          aws-region: us-east-1

      - name: Upload SBOM from Wiz
        uses: ClickHouse/[email protected]
        with:
          aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          s3-bucket: my-sbom-bucket
          s3-key: clickbom.json
          sbom-source: wiz
          wiz-auth-endpoint: ${{ secrets.CLICKBOM_WIZ_AUTH_ENDPOINT }}
          wiz-api-endpoint: ${{ secrets.CLICKBOM_WIZ_API_ENDPOINT }}
          wiz-client-id: ${{ secrets.CLICKBOM_WIZ_CLIENT_ID }}
          wiz-client-secret: ${{ secrets.CLICKBOM_WIZ_CLIENT_SECRET }}
          wiz-report-id: ${{ secrets.CLICKBOM_WIZ_REPORT_ID }}
          clickhouse-url: ${{ secrets.CLICKHOUSE_URL }}
          clickhouse-database: ${{ secrets.CLICKHOUSE_DATABASE }}
          clickhouse-username: ${{ secrets.CLICKHOUSE_USERNAME }}
          clickhouse-password: ${{ secrets.CLICKHOUSE_PASSWORD }}

Creating a GitHub App

• Follow the instructions here to create a GitHub App.
• Make sure to give the app Read access to Contents and Metadata.
• Install the app on the repositories you want to use it with.
• Generate a private key for the app and save it somewhere secure, i.e. GitHub Secrets.