Initial commit

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright © 2022 NowSecure Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,54 @@
+# `nowsecure-sbom-action`
+
+Generate a Mobile SBOM for an application and submit to the Dependency submission API.
+
+**Features**:
+
+- Integrates with GitHub's [Dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) to display mobile dependencies inside of GitHub Dependabot alerts,
+- Run scans for each commit, or periodically;
+
+## User Guide
+
+This action requires a NowSecure Platform license. If you *are not* a NowSecure customer, click [here](https://bit.ly/ns-git-sbom) to sign up for a free trial to get access.
+
+If you *are* an existing NowSecure customer, proceed with the instructions below.
+
+### Prerequisites
+
+- NowSecure Platform token in GitHub secrets,
+  1. In NowSecure Platform, go to "Profile & Preferences" to create a token for GitHub,
+  2. In GitHub repository settings, click "Secrets" then "New repository secret". Name the secret `NS_TOKEN`;
+- Group ID;
+
+### GitHub Marketplace Setup (recommended)
+
+Go to the [GitHub Marketplace](https://github.com/marketplace?type=&verification=&query=NowSecure+Mobile+SBOM+) and click the "NowSecure Mobile SBOM" action, then click "Use latest version" and follow
+the annotated workflow.
+
+### Manual Setup
+
+For an _existing_ workflow,
+
+The action must be run on an `ubuntu-latest` GitHub Action runner.
+
+After the application build step run the NowSecure Mobile SBOM action:
+
+```yml
+- name: NowSecure upload app
+  uses: nowsecure/nowsecure-sbom-action@v1
+  timeout-minutes: 60
+  with:
+    token: ${{ secrets.NS_TOKEN }}
+    app_file: $APPLICATION_PATH # REPLACE: The path to an .ipa or .apk
+    group_id: $GROUP_ID         # REPLACE: NowSecure Group ID
+```
+
+For a _new_ workflow,
+
+Add a new file called `nowsecure-sbom.yml` in your `.github/workflows` folder and review the [example](workflows/nowsecure-sbom.yml).
+
+## License
+
+This project is released under the [MIT License](https://github.com/nowsecure/nowsecure-action/blob/master/LICENSE).
+
+NowSecure Platform, used in this action, has separate [Terms and Conditions](https://www.nowsecure.com/terms-and-conditions/) and requires a valid license to function.

action.yml

@@ -0,0 +1,30 @@
+name: "NowSecure: Mobile SBOM"
+description: "Generate a Mobile SBOM for an application and submit to the Dependency submission API"
+inputs:
+  token:
+    required: true
+    description: "NowSecure Platform token."
+  group_id:
+    required: true
+    description: "Group ID for the application in Platform."
+  app_file:
+    required: true
+    description: "Application binary to scan on NowSecure. Must be an Android or iOS application."
+runs:
+  using: "composite"
+  steps:
+        - id: upload
+          uses: nowsecure/nowsecure-action/upload-app@v2
+          with:
+            token: ${{ inputs.token }}
+            app_file: ${{ inputs.app_file }}
+            group_id: ${{ inputs.group_id }}
+
+        - id: pull_report
+          uses: nowsecure/nowsecure-action/convert-sarif@v2
+          with:
+            report_id: ${{ steps.upload.outputs.report_id }}
+            token: ${{ inputs.token }}
+            group_id: ${{ inputs.group_id }}
+            enable_dependencies: true
+            enable_sarif: false

workflows/nowsecure-sbom.yml

@@ -0,0 +1,31 @@
+# An example workflow using the NowSecure Mobile SBOM action that runs an
+# application against NowSecure Platform and generates SBOM results which are
+# submitted to the Dependency submission API.
+# This action is run each time a commit is pushed to the "main" branch.
+
+name: "NowSecure Mobile SBOM"
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+    branches: [main]
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: NowSecure Mobile SBOM
+        uses: nowsecure/nowsecure-sbom-action@v1
+        timeout-minutes: 60
+        with:
+          token: ${{ secrets.NS_TOKEN }}
+          # TODO: Replace app file with .apk or .ipa.
+          app_file: app.apk
+          # TODO: Replace the Group ID.
+          group_id: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"