From 4e839018bb6d923dd1cf96110060f1d288f49ae7 Mon Sep 17 00:00:00 2001
From: andip1403 <123165724+andip1403@users.noreply.github.com>
Date: Wed, 30 Oct 2024 18:36:01 +0100
Subject: [PATCH] Introducing Syft to generate SBOM

---
 .github/workflows/createSBOM.yml | 19 +++++++++++++++++++
 .syft/config.yaml | 12 ++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 .github/workflows/createSBOM.yml
 create mode 100644 .syft/config.yaml

diff --git a/.github/workflows/createSBOM.yml b/.github/workflows/createSBOM.yml
new file mode 100644
index 0000000..8f27893
--- /dev/null
+++ b/.github/workflows/createSBOM.yml
@@ -0,0 +1,19 @@
+name: createSBOM.yml
+
+on:
+ release:
+ types: [created]
+
+jobs:
+ create-sbom:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ - name: Generate SBOM with Syft
+ uses: anchore/sbom-action@v0
+ with:
+ path: .
+ config: ".syft/config.yml"
diff --git a/.syft/config.yaml b/.syft/config.yaml
new file mode 100644
index 0000000..20403c2
--- /dev/null
+++ b/.syft/config.yaml
@@ -0,0 +1,12 @@
+# a list of globs to exclude from scanning, for example:
+# exclude:
+# - "/etc/**"
+# - "./out/**/*.json"
+# SYFT_EXCLUDE env var / --exclude flag
+#
+# For studio-client plugins you can skip the scanning process
+# because they are not supposed to introduce new dependencies.
+# The dependencies in the lockfile are considered runtime dependencies.
+# The actual version is determined by the studio-client application.
+exclude:
+- "/studio-client/**"
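Review bot: The step passes `config: ".syft/config.yml"` on the last line of the hunk, but the file this commit adds is `.syft/config.yaml`, so the workflow points at a path that does not exist in the tree and the exclusion list will not be applied (how sbom-action treats a missing config path is not visible here — it may fail the job or silently scan with defaults, but either way the intent is lost). Change the line to `config: ".syft/config.yaml"` or rename the file to match. Separately, both actions are referenced by mutable tags (`actions/checkout@v2`, which is also a long-deprecated Node 12 release, and `anchore/sbom-action@v0`); for an artifact that is meant to serve as a trustworthy supply-chain record, pin each `uses:` to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-sha> # v4`. The workflow also declares no `permissions:` block, so the job runs with the repository's default token scope; add an explicit `permissions:` with the minimum the step needs (`contents: read`, or `contents: write` only if sbom-action's release-asset upload is relied on for this release trigger).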
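Review bot: The blanket `- "/studio-client/**"` glob on the last line of the hunk removes everything under that directory from the SBOM, not just the lockfile the preceding comment reasons about, so any package that is actually vendored, built or bundled there will be absent from the artifact and from whatever vulnerability matching consumes it, and nothing in this config can enforce the comment's claim that the host application determines the real versions. If the only concern is that Syft would catalog the plugin lockfile entries as runtime dependencies, consider narrowing the pattern to those lockfile(s) (e.g. `- "/studio-client/**/<lockfile-name>"`) rather than the whole tree. Whichever scope is kept, the comment should state plainly that the generated SBOM is intentionally partial for this path so downstream consumers do not treat it as complete, e.g. `# NOTE: the generated SBOM deliberately omits /studio-client; per the plugin model its dependencies are supplied by the studio-client host application, so vulnerability results for this tree must come from that application's SBOM.`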