Automate SBOM management into your CI/CD process with GitHub action

You can easily integrate Helm into your CI/CD process to streamline and automate the process of creating product versions and uploading SBOMs to Helm. You can either use our GitHub action independently or integrate it into your existing GitHub action workflow, enabling you to maintain comprehensive and up-to-date documentation of your product's components, dependencies, and vulnerabilities with minimal effort.

Save the time and effort of manually maintaining SBOMs

Once configured, the action gives you:

  • Efficiency: Automates the labor-intensive process of maintaining SBOMs, freeing up your team to focus on development.

  • Accuracy and consistency: Ensures that every change in your codebase is reflected in your SBOMs.

  • Integration: Fits naturally into your existing GitHub workflows, enhancing your DevOps practices without disrupting them.

  • Compliance and transparency: Facilitates compliance with regulatory requirements and enhances transparency with stakeholders by providing detailed and up-to-date SBOMs.

What formats are supported? Currently, we only support CycloneDX JSON. If you need SPDX support, let us know.

Automate SBOM upload from GitHub repository

Our GitHub Action simplifies the management of SBOMs by automating the creation and uploading of product versions and their corresponding SBOM files from your GitHub repository.

  1. To get started, you'll need Helm API access, the API credentials, and our Helm API URL (the api-base-url, passed to the action as the repository parameter).

  2. In your GitHub repository, create a /workflows directory: .github/workflows

  3. Create a new workflow .yml file under .github/workflows/ if you don’t already have one. If you already have one, just incorporate our step under jobs: > steps.

  4. Create a step to upload your SBOM in the jobs section.

  5. In the step, you can refer to the parameters in the table below or to the Readme for each of the parameters you'll need to add.

  6. Provide the product-name and product-version-name.

  7. If the product and version don't exist and you want us to create it for you, set create-product-and-version-if-missing to true.

  8. Pass in your client-id and client-secret. These are your Helm API credentials. client-id is your email address (for the user that generated the API key) and client-secret is that user's API key.

  9. Provide your sbom-file-path.

  10. In our action, we currently set on to workflow_dispatch, which lets you run it manually from the GitHub UI, but you can set it to whatever trigger you want, such as push, pull_request, or a schedule.
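The steps above, assembled into one complete workflow file. This is an added example, not a file shipped with the action: the file name, the checkout step and the comment about where the SBOM comes from are assumptions, and the action reference is written in the owner/repo@ref form GitHub expects for the uses: key. The parameter values are the ones from the table in this page; replace them with your own.

```yaml
# .github/workflows/helm-sbom-upload.yml  (constructed example; the file name is an assumption)
name: Upload SBOM to Helm

on:
  workflow_dispatch:        # manual run from the GitHub UI, as in the action's default
  # push:                   # alternatively trigger on push, pull_request or a schedule
  #   branches: [main]

permissions:
  contents: read            # the job only needs to read the checked-out source

jobs:
  upload-sbom:
    runs-on: ubuntu-latest
    steps:
      - name: Check out source
        uses: actions/checkout@v4

      # Assumption: the CycloneDX JSON SBOM is either committed to the repository
      # or produced by an earlier step (or downloaded as an artifact), so that it
      # exists at sbom-file-path inside the workspace before the upload step runs.

      - name: Upload SBOM to Helm
        # replace your_version_branch with the branch or tag of the action you pin to
        uses: medcrypt/action-helm-sbom-upload@your_version_branch
        with:
          # root URL of the Helm API, provided to you by Medcrypt
          repository: 'https://helm.environment.medcrypt.co/sub-path/'
          product-name: 'your product name'
          # quoted so YAML does not parse the version as the number 1.0 and truncate it
          product-version-name: '1.0'
          # leave 'false' unless you want the action to create missing products/versions
          create-product-and-version-if-missing: 'false'
          # Helm user's email address and API key, stored as GitHub repository secrets
          client-id: ${{ secrets.CLIENT_ID }}
          client-secret: ${{ secrets.CLIENT_SECRET }}
          sbom-file-path: ./api_test_sbom.json
```

Keep client-id and client-secret in GitHub secrets (Settings > Secrets and variables > Actions) rather than in the workflow file, and pin the uses: reference to a specific branch or tag so that an update to the action cannot change what runs in your pipeline without you noticing.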

Using Visual Studio Code editor?

You can install the GitHub Actions extension for Visual Studio Code, which lets you hover over the parameters to see the information from the table below or from the Readme file.

Parameters to include in the YAML file

Set the uses: key to /medcrypt/action-helm-sbom-upload@your_version_branch, replacing your_version_branch with the branch or tag of the action you want to use.

Under the with: key, specify the following parameters:

Parameter | Value | Description
--------- | ----- | -----------
repository | 'https://helm.environment.medcrypt.co/sub-path/' | The root URL of the Helm API, provided to you by Medcrypt.
product-name | 'your product name' | Your product name. Quotes are optional.
product-version-name | '1.0' | Your product version. It must be enclosed in quotes; otherwise YAML parses a value such as 1.0 as a number and truncates it.
create-product-and-version-if-missing | 'false' | Whether a product or product version should be created if it does not already exist in Helm. Defaults to false. Use this with caution.
client-id | ${{ secrets.CLIENT_ID }} | The email address of the user that has Helm API access.
client-secret | ${{ secrets.CLIENT_SECRET }} | The Helm API key of the user given in client-id.
sbom-file-path | ./api_test_sbom.json | The path to your SBOM file within your current GitHub workspace, for example after checking out source code or downloading an artifact.

Ingest SBOMs for multiple products from the same repository

Wrap our action in a workflow file of your own that is triggered by on: workflow_call, which makes it a reusable workflow, then call that reusable workflow once for each product.
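One way to lay this out, as an added example rather than anything shipped with the action: a reusable workflow that wraps the upload step and takes the per-product values as inputs, and a caller workflow that invokes it once per product. Both file names, the product names, version numbers and SBOM paths are constructed placeholders, and the action reference is written in the owner/repo@ref form GitHub expects.

```yaml
# .github/workflows/helm-sbom-reusable.yml  (constructed example; file name is an assumption)
name: Helm SBOM upload (reusable)

on:
  workflow_call:
    inputs:
      product-name:
        required: true
        type: string
      product-version-name:
        required: true
        type: string
      sbom-file-path:
        required: true
        type: string
    secrets:                      # credentials are passed in explicitly by the caller
      CLIENT_ID:
        required: true
      CLIENT_SECRET:
        required: true

permissions:
  contents: read

jobs:
  upload:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Assumption: each product's SBOM is committed at its sbom-file-path, or is
      # generated here before the upload step.
      - uses: medcrypt/action-helm-sbom-upload@your_version_branch
        with:
          repository: 'https://helm.environment.medcrypt.co/sub-path/'
          product-name: ${{ inputs.product-name }}
          product-version-name: ${{ inputs.product-version-name }}   # already a string input
          create-product-and-version-if-missing: 'false'
          client-id: ${{ secrets.CLIENT_ID }}
          client-secret: ${{ secrets.CLIENT_SECRET }}
          sbom-file-path: ${{ inputs.sbom-file-path }}

---
# .github/workflows/sbom-all-products.yml  (constructed example; caller workflow)
name: Upload SBOMs for all products

on:
  workflow_dispatch:

jobs:
  device-firmware:                # one job per product, all reusing the same upload logic
    uses: ./.github/workflows/helm-sbom-reusable.yml
    with:
      product-name: 'Example device firmware'
      product-version-name: '2.3'
      sbom-file-path: ./firmware/sbom.cdx.json
    secrets:
      CLIENT_ID: ${{ secrets.CLIENT_ID }}
      CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}

  companion-app:
    uses: ./.github/workflows/helm-sbom-reusable.yml
    with:
      product-name: 'Example companion app'
      product-version-name: '5.1'
      sbom-file-path: ./app/sbom.cdx.json
    secrets: inherit              # shorthand: pass all of the caller's secrets through
```

Declaring the secrets under workflow_call and passing them explicitly (or with secrets: inherit) keeps the Helm credentials in one place: the reusable workflow never hard-codes them, and each caller job only references the repository or organization secret by name.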

Ingest SBOMs for different products from different repositories

Just copy and paste the step into that repository's workflow .yml file. If desired, you can create your own reusable action to hold client-id, client-secret and anything else that is the same across your organization.

What happens if there is an error during SBOM upload?

If there is an error, check the action's run log in GitHub to see where the error occurred.

What if I accidentally add the wrong product or version?

You can remove the product from the UI or delete the version. Removing the product archives it, so you can re-add it later; deleting the version, however, means you will no longer be able to access that version's SBOM and will need to re-add it.

What if I need to change the configuration or disconnect a repository?

You can stop using the action or modify its settings at any time, including changing or disconnecting repositories, changing event triggers, and more.

© Copyright MedCrypt 2023, All rights reserved.