This repository was archived by the owner on May 17, 2025. It is now read-only.

valentinalmiron/dsabot

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

28 Commits
 
 
 
 
 
 

Repository files navigation

dsabot

DSAbot infosec tool

DSAbot is an acronym for Dependency Security Analyzer bot. Its purpose is to integrate GitHub with OWASP Dependency-Track. DSAbot also generates a third-party component inventory in CycloneDX standard format and ingests it into Dependency-Track for security vulnerability scanning. It is written in Node.js.

What does DSAbot do?

  1. Receive the GitHub merged-PR webhook event together with its JSON payload describing the change.
  2. Analyze, parse and validate the payload.
  3. Execute the trivy binary to generate an SBOM file from the repository.
  4. Ingest the SBOM JSON file into Dependency-Track.

All transactions should be logged and validated, and all traffic in the integration process should be encrypted.

This is a Node.js web application that interacts with the GitHub API to generate and upload SBOM (Software Bill of Materials) files. It also uses the dependency tracking tool Dependency-Track to ingest the SBOM files and generate reports on the project's dependencies.

The application listens to incoming webhook events from GitHub and uses the data to generate SBOM files for the relevant repository. It can also retrieve a list of all the repositories in an organization and generate SBOM files for each repository.

If configured, the Dependency-Track tool is used to ingest the files and generate dependency reports. The application has some built-in error handling and logging, and it relies on environment variables for configuration.

Table of Contents

  1. Requirements
  2. How to install
  3. API specification
  4. DSAbot diagram
  5. Reporting Issues
  6. Contributing

Requirements

  1. Node.js >= 14
  2. GitHub token
    • Read-only access to repositories
  3. GitHub webhook
  4. Trivy v0.42.0 (included in package.json)
  5. Dependency-Track
  6. Rename the .env.template file to .env and fill in the required information

How to install

# Clone DSAbot repository
git clone https://github.com/valentinalmiron/dsabot.git

# Access to DSAbot directory
cd dsabot/src

# create local environment
cp .env.template .env

# edit .env file to update tokens and URLs
vi .env

# Install DSAbot dependencies
npm install

# run DSAbot
node index.js

API specification

openapi-spec.yml

| HTTP request | Description |
|---|---|
| POST /webhook | Receive the payload from the GitHub webhook, create the SBOM and ingest it into Dependency-Track |
| GET /status | Get status |
| GET /:org:/repos | Get all repositories of the organization |
| GET /:org:/:repo/:branch/sbom | Build the SBOM file for the given org, repo and branch and ingest it into Dependency-Track |

DSAbot diagram

graph TD;
   GitHub-WebHook-->DSAbot-API;
   DSAbot-API-->GitHub-Repository;
   GitHub-Repository-->DSAbot-API;
   DSAbot-API-->Dependency-Track;

Reporting Issues

To report an issue with DSAbot, please file a bug report: Reporting Issues and Requesting Features

Contributing

If you are interested in contributing to DSAbot, please check CONTRIBUTING.md to see how you can help!

About

DSAbot generates SBOM files in CycloneDX standard format
