# Automate SBOM management via GitHub actions

You can integrate Helm into your CI/CD process to automate creating products and product versions and uploading SBOMs to Helm. You can use our GitHub Action on its own or add it to an existing GitHub Actions workflow, so that documentation of your product's components, dependencies, and vulnerabilities stays complete and up to date with minimal effort.

## Save time and effort manually maintaining SBOMs

Once configured, Helm automatically adds products and adds or updates SBOMs for the appropriate product versions whenever your chosen event trigger fires, for example when new or updated SBOMs are pushed to your connected GitHub repository.

* **Efficiency:** Automates the labor-intensive process of maintaining SBOMs, freeing up your team to focus on development.
* **Accuracy and consistency:** Ensures that every change in your codebase is reflected in your SBOMs.
* **Seamless integration:** Fits naturally into your existing GitHub workflows, enhancing your DevOps practices without disrupting them.
* **Compliance and transparency:** Facilitates compliance with regulatory requirements and enhances transparency with stakeholders by providing detailed and up-to-date SBOMs.

{% hint style="info" %}
**What formats are supported?**\
Currently, we only support CycloneDX JSON. If you need SPDX support, [let us know](mailto:support@medcrypt.com).
{% endhint %}

## **Automate SBOM upload from GitHub repository**

Our [GitHub Action](https://github.com/marketplace/actions/medcrypt-helm-sbom-upload) simplifies SBOM management by automating the creation of product versions and the upload of their corresponding SBOM files from your GitHub repository.

1. To get started, you'll need Helm API access, the API credentials, and our Helm API URL (`api-base-url`).
2. In your GitHub repository, create the workflows directory: `.github/workflows`.
3. Create a new workflow `.yml` file under `.github/workflows/` if you don't already have one. If you already have one, add our step under `steps:` in the `jobs:` section.
4. Create a step that uploads your SBOM in the `jobs` section.
5. In the step, refer to the parameters in the table below or to the **Readme** for each parameter you'll need to add.
6. Provide the `workspace-name` that the product is assigned to or will be assigned to (if creating a new product). This is optional; if not provided, the default workspace is used.
7. Provide the `product-name` and `product-version-name`.
8. If the product doesn't exist and you want us to create it for you, set `create-product-if-not-found` to `true`.
9. If the product version doesn't exist and you want us to create it for you, set `create-version-if-not-found` to `true`.
10. Pass in your `client-id` and `client-secret`. These are your Helm API credentials: `client-id` is the email address of the user that generated the API key, and `client-secret` is that user's API key.
11. Provide your `sbom-file-path`.
12. In our action, `on` is currently set to `workflow_dispatch`, which lets you run it manually from the GitHub UI, but you can set it to whatever trigger you want, such as `push`, `pull_request`, or a schedule.

{% hint style="success" %}
**Using the Visual Studio Code editor?**

You can install the GitHub Actions extension, which lets you hover over the parameters to see the information from the table below or from the Readme file.
{% endhint %}

#### Parameters to include in the YAML file

Set the `uses:` key to `/medcrypt/action-helm-sbom-upload@your_version_branch`.

In the `with:` parameter, specify the following information:

| Parameter | Value | Description |
|---|---|---|
| `repository` | `'https://helm.environment.medcrypt.co/sub-path/'` | The root URL of the Helm API, provided to you by Medcrypt. |
| `workspace-name` | `'Workspace name'` | The workspace the product is assigned to, or will be assigned to if a new product is created. Optional; if not provided, the default workspace is used. |
| `product-name` | `'your product name'` | Your product name. Quotes are optional. |
| `product-version-name` | `'1.0'` | Your product version. It must be enclosed in quotes to prevent truncation of numeric values (for example, an unquoted `1.0` being read as `1`). |
| `create-product-if-not-found` | `'false'` | Whether a product should be created if it does not exist in Helm. Defaults to `false`. Use with caution. |
| `create-version-if-not-found` | `'false'` | Whether a product version should be created if the product or version does not exist in Helm. Defaults to `false`. Use with caution. |
| `client-id` | `${{ secrets.CLIENT_ID }}` | The email address of the user that has Helm API access. |
| `client-secret` | `${{ secrets.CLIENT_SECRET }}` | That user's Helm API key. |
| `sbom-file-path` | `./api_test_sbom.json` | The path to your SBOM file within your current GitHub workspace, for example after checking out source code or downloading an artifact. |

### *Ingest SBOMs for multiple products from the same repository*

Wrap our step in a reusable workflow of your own that is triggered by `on: workflow_call`, then call that reusable workflow once per product from your main workflow file.
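As an added example that is not the action's own code or Medcrypt's documentation, the two workflow files below put the step from the procedure above into a reusable workflow triggered by `on: workflow_call`, and call it once per product from one repository. The product names, SBOM paths, and `your_version_branch` ref are placeholders, the Helm API URL is the placeholder from the table above, and `uses:` is written without the leading slash because GitHub's `uses:` syntax takes `owner/repo@ref`.

```yaml
# File 1: .github/workflows/helm-upload-reusable.yml (callee, holds the Helm step)
name: Helm SBOM upload (reusable)
on:
  workflow_call:
    inputs:
      product-name:         { required: true, type: string }
      product-version-name: { required: true, type: string }
      sbom-file-path:       { required: true, type: string }
    secrets:
      CLIENT_ID:     { required: true }   # Helm user's email
      CLIENT_SECRET: { required: true }   # that user's Helm API key
permissions:
  contents: read            # least privilege: the job only reads the repo
jobs:
  upload:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: medcrypt/action-helm-sbom-upload@your_version_branch   # pin to a release tag or commit SHA
        with:
          repository: 'https://helm.environment.medcrypt.co/sub-path/'  # placeholder Helm API root URL
          workspace-name: 'Workspace name'      # optional; default workspace if omitted
          product-name: ${{ inputs.product-name }}
          product-version-name: ${{ inputs.product-version-name }}
          create-product-if-not-found: 'false'  # products are created deliberately, not by CI
          create-version-if-not-found: 'true'   # each release is a new version
          client-id: ${{ secrets.CLIENT_ID }}
          client-secret: ${{ secrets.CLIENT_SECRET }}
          sbom-file-path: ${{ inputs.sbom-file-path }}
---
# File 2: .github/workflows/release-sboms.yml (caller, one job per product)
name: Release SBOMs
on:
  workflow_dispatch:        # run manually; swap for push, pull_request, or schedule as needed
jobs:
  firmware-sbom:
    uses: ./.github/workflows/helm-upload-reusable.yml
    with:
      product-name: 'Device Firmware'            # constructed product name
      product-version-name: '2.3'                # quoted so 2.3 is not truncated
      sbom-file-path: ./firmware/sbom.cdx.json   # constructed path to CycloneDX JSON
    secrets: inherit        # passes CLIENT_ID and CLIENT_SECRET from repository secrets
  companion-app-sbom:
    uses: ./.github/workflows/helm-upload-reusable.yml
    with:
      product-name: 'Companion App'
      product-version-name: '1.8'
      sbom-file-path: ./app/sbom.cdx.json
    secrets: inherit
```

The `---` separator only marks where the second file begins; save each part as its own file under `.github/workflows/`.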

### *Ingest SBOMs for different products from different repositories*

Copy and paste the step into that repository's workflow `.yml` file. If desired, you can create your own reusable action that holds `client-id`, `client-secret`, and anything else that is the same across your organization.

### *What happens if there is an error during SBOM upload?*

If there is an error, check the action's run log in GitHub to see where it failed.

### *What if I accidentally add the wrong product or version?*

You can [remove the product](https://helm.docs.medcrypt.com/manage-sboms/managing-products-and-versions-archive-and-removal) from the UI or [delete the version](https://helm.docs.medcrypt.com/manage-sboms/managing-products-and-versions-archive-and-removal). Removing a product archives it, so you can re-add it later; deleting a version, however, means you will no longer be able to access that version's SBOM and will need to re-add it.

### *What if I need to change the configuration or disconnect a repository?*

You can stop using the action or modify your workflow settings at any time, including changing or disconnecting repositories and changing event triggers.

