# ClickBOM

**Repository Path**: mirrors_ClickHouse/ClickBOM

## Basic Information

- **Project Name**: ClickBOM
- **Description**: Downloads SBOMs from GitHub, Mend, and Wiz. Uploads to S3 and ClickHouse.
- **Primary Language**: Unknown
- **License**: Apache-2.0
- **Default Branch**: main
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2025-07-12
- **Last Updated**: 2026-01-03

## README

[![💣 ClickBOM Tests](https://github.com/ClickHouse/ClickBOM/actions/workflows/tests.yml/badge.svg)](https://github.com/ClickHouse/ClickBOM/actions/workflows/tests.yml)
[![🐳 Docker Security Scan](https://github.com/ClickHouse/ClickBOM/actions/workflows/docker-security.yml/badge.svg)](https://github.com/ClickHouse/ClickBOM/actions/workflows/docker-security.yml)

# ClickBOM

Downloads SBOMs from GitHub, Mend, and Wiz. Uploads to S3 and ClickHouse.

- [Inputs](#inputs)
  - [GitHub](#github)
  - [Mend](#mend)
  - [Wiz](#wiz)
  - [AWS](#aws)
  - [ClickHouse](#clickhouse)
  - [General](#general)
- [Usage](#usage)
  - [Same Repository](#same-repository)
  - [Same Repository with ClickHouse](#same-repository-with-clickhouse)
  - [Same Repository with GitHub App](#same-repository-with-github-app)
  - [Multiple Repositories](#multiple-repositories)
  - [Merging SBOMs Stored In S3](#merging-sboms-stored-in-s3)
  - [Merging SBOMs with Include/Exclude Filters](#merging-sboms-with-includeexclude-filters)
  - [Downloading an SBOM from Mend](#downloading-an-sbom-from-mend)
  - [Downloading an SBOM from Wiz](#downloading-an-sbom-from-wiz)
- [Creating a GitHub App](#creating-a-github-app)

## Inputs

### GitHub

| Name | Description | Default | Required | Sensitive |
| --- | --- | --- | --- | --- |
| github-token | GitHub Token | | false | true |
| repository | Repository to download SBOM from | | false | false |

- `github-token` can be the built-in `${{ secrets.GITHUB_TOKEN }}` or a token generated by a GitHub App. If you use a GitHub App, see [Creating a GitHub App](#creating-a-github-app).

### Mend

| Name | Description | Default | Required | Sensitive |
| --- | --- | --- | --- | --- |
| mend-email | Mend user email address | | false | true |
| mend-org-uuid | Mend organization UUID | | false | true |
| mend-user-key | Mend user key | | false | true |
| mend-base-url | Mend base URL | https://api-saas.mend.io | false | false |
| mend-product-uuid | Mend product UUID for product-scoped SBOM | | false | true |
| mend-project-uuid | Mend project UUID for project-scoped SBOM | | false | true |
| mend-org-scope-uuid | Mend organization UUID for organization-scoped SBOM | | false | true |
| mend-project-uuids | Comma-separated list of specific project UUIDs to include | | false | true |
| mend-max-wait-time | Maximum time to wait for Mend report generation (seconds) | 1800 | false | false |
| mend-poll-interval | Polling interval for Mend report status (seconds) | 30 | false | false |

- The `mend-org-scope-uuid` is used for organization-scoped SBOMs; it is different from the `mend-org-uuid` used for authentication.
- ClickBOM only supports downloading SBOMs from Mend in the CycloneDX v1.5 format. If you need to convert the SBOM to SPDX, you can use the `sbom-format` input. (Support for SPDX coming soon)

### Wiz

| Name | Description | Default | Required | Sensitive |
| --- | --- | --- | --- | --- |
| wiz-auth-endpoint | Wiz Auth Endpoint | | false | true |
| wiz-api-endpoint | Wiz API Endpoint | | false | true |
| wiz-client-id | Wiz Client ID | | false | true |
| wiz-client-secret | Wiz Client Secret | | false | true |
| wiz-report-id | Wiz Report ID | | false | true |

### AWS

| Name | Description | Default | Required | Sensitive |
| --- | --- | --- | --- | --- |
| aws-access-key-id | AWS Access Key ID | | true | true |
| aws-secret-access-key | AWS Secret Access Key | | true | true |
| aws-region | AWS Region | us-east-1 | false | false |
| s3-bucket | S3 Bucket Name | | false | false |
| s3-key | S3 Key Prefix | sbom.json | false | false |

- It is recommended to create a dedicated S3 bucket for ClickBOM.

### ClickHouse

| Name | Description | Default | Required | Sensitive |
| --- | --- | --- | --- | --- |
| clickhouse-url | ClickHouse URL | | false | true |
| clickhouse-database | ClickHouse Database Name | default | false | false |
| clickhouse-username | ClickHouse Username | default | false | false |
| clickhouse-password | ClickHouse Password | (empty) | false | true |
| truncate-table | Truncate table before insert | false | false | false |

- At the moment, ClickHouse ingestion is only supported over HTTP.

### General

| Name | Description | Default | Required | Sensitive |
| --- | --- | --- | --- | --- |
| sbom-source | Source of SBOM (github, mend, wiz) | github | false | false |
| sbom-format | SBOM format (spdxjson or cyclonedx) | cyclonedx | false | false |
| merge | Merge SBOMs stored in S3 | false | false | false |
| include | Comma-separated list of filenames or patterns to include when merging | (empty) | false | false |
| exclude | Comma-separated list of filenames or patterns to exclude when merging | (empty) | false | false |
| debug | Enable debug logging | false | false | false |

- `sbom-format` specifies the format you want the final SBOM to be in. For example, GitHub only provides SPDX; setting this input to `cyclonedx` will convert the SBOM to CycloneDX format.
- `include` and `exclude` are only used when `merge` is set to `true`. They allow you to filter which files from the S3 bucket should be included in the merge operation.
  - Both `include` and `exclude` support exact filename matching and wildcard patterns (e.g., `file*.json`, `*-prod.json`).
  - If `include` is specified, only files matching the include patterns will be processed.
  - If `exclude` is specified, files matching the exclude patterns will be skipped.
  - `exclude` is applied after `include`, so a file that matches **both** an include and an exclude pattern will be *excluded*.

## Usage

### Same Repository

Simple example of downloading the SBOM from the same repository and uploading it to S3. Converts the SBOM to CycloneDX format.
```yaml
name: Upload SBOM

on:
  push:
    branches:
      - main

jobs:
  clickbom:
    name: ClickBOM
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Configure AWS Credentials
        id: aws-creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
          role-session-name: clickbom-session
          aws-region: us-east-1

      - name: Upload SBOM
        uses: ClickHouse/ClickBom@v1.0.10
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          s3-bucket: my-sbom-bucket
          s3-key: clickbom.json
          repository: ${{ github.repository_owner }}/${{ github.repository }}
```

### Same Repository with ClickHouse

Downloads the SBOM from the same repository and uploads it to S3. Converts the SBOM to CycloneDX format. Also uploads the SBOM to ClickHouse.

```yaml
name: Upload SBOM

on:
  push:
    branches:
      - main

jobs:
  clickbom:
    name: ClickBOM
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Configure AWS Credentials
        id: aws-creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
          role-session-name: clickbom-session
          aws-region: us-east-1

      - name: Upload SBOM
        uses: ClickHouse/ClickBom@v1.0.10
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          s3-bucket: my-sbom-bucket
          s3-key: clickbom.json
          repository: ${{ github.repository_owner }}/${{ github.repository }}
          clickhouse-url: ${{ secrets.CLICKHOUSE_URL }}
          clickhouse-database: ${{ secrets.CLICKHOUSE_DATABASE }}
          clickhouse-username: ${{ secrets.CLICKHOUSE_USERNAME }}
          clickhouse-password: ${{ secrets.CLICKHOUSE_PASSWORD }}
```

### Same Repository with GitHub App

Downloads the SBOM from the same repository and uploads it to S3. Keeps the SBOM in SPDX format. Authenticates using a GitHub App. See [Creating a GitHub App](#creating-a-github-app).

```yaml
name: Upload SBOM

on:
  push:
    branches:
      - main

jobs:
  clickbom:
    name: ClickBOM
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Generate Token
        id: generate-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.CLICKBOM_AUTH_APP_ID }}
          private-key: ${{ secrets.CLICKBOM_AUTH_PRIVATE_KEY }}

      - name: Configure AWS Credentials
        id: aws-creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
          role-session-name: clickbom-session
          aws-region: us-east-1

      - name: Upload SBOM
        uses: ClickHouse/ClickBom@v1.0.10
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          sbom-format: spdxjson
          s3-bucket: my-sbom-bucket
          s3-key: clickbom.json
          repository: ${{ github.repository_owner }}/${{ github.repository }}
          clickhouse-url: ${{ secrets.CLICKHOUSE_URL }}
          clickhouse-database: ${{ secrets.CLICKHOUSE_DATABASE }}
          clickhouse-username: ${{ secrets.CLICKHOUSE_USERNAME }}
          clickhouse-password: ${{ secrets.CLICKHOUSE_PASSWORD }}
```

### Multiple Repositories

Downloads SBOMs from multiple repositories (the GitHub App must be installed on each of them), converts the SBOMs to CycloneDX format, and uploads them to S3 and ClickHouse.

```yaml
name: Upload SBOM

on:
  push:
    branches:
      - main

jobs:
  clickbom:
    strategy:
      fail-fast: false
      matrix:
        repository: [ "repository-one", "repository-two", "repository-three" ]
    name: ClickBOM
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Generate Token
        id: generate-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.CLICKBOM_AUTH_APP_ID }}
          private-key: ${{ secrets.CLICKBOM_AUTH_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: ${{ matrix.repository }}

      - name: Configure AWS Credentials
        id: aws-creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
          role-session-name: clickbom-session
          aws-region: us-east-1

      - name: Upload SBOM
        uses: ClickHouse/ClickBom@v1.0.10
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          s3-bucket: my-sbom-bucket
          s3-key: ${{ matrix.repository }}.json
          repository: ${{ github.repository_owner }}/${{ matrix.repository }}
          clickhouse-url: ${{ secrets.CLICKHOUSE_URL }}
          clickhouse-database: ${{ secrets.CLICKHOUSE_DATABASE }}
          clickhouse-username: ${{ secrets.CLICKHOUSE_USERNAME }}
          clickhouse-password: ${{ secrets.CLICKHOUSE_PASSWORD }}
```

### Merging SBOMs Stored In S3

This example adds to the previous one by merging the SBOMs stored in S3. It downloads the SBOMs from S3, merges them, and uploads the merged SBOM back to S3 and ClickHouse. Only the CycloneDX format is supported for merging.

```yaml
name: Upload SBOM

on:
  push:
    branches:
      - main

jobs:
  clickbom:
    strategy:
      fail-fast: false
      matrix:
        repository: [ "repository-one", "repository-two", "repository-three" ]
    name: ClickBOM
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Generate Token
        id: generate-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.CLICKBOM_AUTH_APP_ID }}
          private-key: ${{ secrets.CLICKBOM_AUTH_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: ${{ matrix.repository }}

      - name: Configure AWS Credentials
        id: aws-creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
          role-session-name: clickbom-session
          aws-region: us-east-1

      - name: Upload SBOM
        uses: ClickHouse/ClickBom@v1.0.10
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          s3-bucket: my-sbom-bucket
          s3-key: ${{ matrix.repository }}.json
          repository: ${{ github.repository_owner }}/${{ matrix.repository }}
          clickhouse-url: ${{ secrets.CLICKHOUSE_URL }}
          clickhouse-database: ${{ secrets.CLICKHOUSE_DATABASE }}
          clickhouse-username: ${{ secrets.CLICKHOUSE_USERNAME }}
          clickhouse-password: ${{ secrets.CLICKHOUSE_PASSWORD }}

  clickbom_merge:
    needs: clickbom
    name: ClickBOM Merge
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Generate Token
        id: generate-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.CLICKBOM_AUTH_APP_ID }}
          private-key: ${{ secrets.CLICKBOM_AUTH_PRIVATE_KEY }}

      - name: Configure AWS Credentials
        id: aws-creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
          role-session-name: clickbom-session
          aws-region: us-east-1

      - name: Upload SBOM
        uses: ClickHouse/ClickBom@v1.0.10
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          s3-bucket: my-sbom-bucket
          s3-key: clickbom.json
          clickhouse-url: ${{ secrets.CLICKHOUSE_URL }}
          clickhouse-database: ${{ secrets.CLICKHOUSE_DATABASE }}
          clickhouse-username: ${{ secrets.CLICKHOUSE_USERNAME }}
          clickhouse-password: ${{ secrets.CLICKHOUSE_PASSWORD }}
          merge: true
```

### Merging SBOMs with Include/Exclude Filters

This example shows how to use the `include` and `exclude` filters when merging SBOMs. This is useful when you want to merge only specific files from your S3 bucket.

```yaml
name: Upload SBOM

on:
  push:
    branches:
      - main

jobs:
  clickbom_merge:
    name: ClickBOM Merge with Filters
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Generate Token
        id: generate-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.CLICKBOM_AUTH_APP_ID }}
          private-key: ${{ secrets.CLICKBOM_AUTH_PRIVATE_KEY }}

      - name: Configure AWS Credentials
        id: aws-creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
          role-session-name: clickbom-session
          aws-region: us-east-1

      - name: Merge Production SBOMs Only
        uses: ClickHouse/ClickBom@v1.0.10
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          s3-bucket: my-sbom-bucket
          s3-key: production-merged.json
          clickhouse-url: ${{ secrets.CLICKHOUSE_URL }}
          clickhouse-database: ${{ secrets.CLICKHOUSE_DATABASE }}
          clickhouse-username: ${{ secrets.CLICKHOUSE_USERNAME }}
          clickhouse-password: ${{ secrets.CLICKHOUSE_PASSWORD }}
          merge: true
          include: "*-prod.json,production-*.json"
          exclude: "*-test.json,*-dev.json"
```

In this example:

- `include: "*-prod.json,production-*.json"` will only process files that match these patterns.
- `exclude: "*-test.json,*-dev.json"` will skip any files that match these patterns.
- The result is that only production-related SBOMs will be merged, excluding test and development SBOMs.

### Downloading an SBOM from Mend

If you want to download an SBOM from Mend, you can use the following example. This example assumes you have the necessary Mend credentials set up in your GitHub Secrets.

```yaml
name: Upload SBOM

on:
  push:
    branches:
      - main

jobs:
  clickbom:
    name: ClickBOM
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Configure AWS Credentials
        id: aws-creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
          role-session-name: clickbom-session
          aws-region: us-east-1

      - name: Upload SBOM from Mend
        uses: ClickHouse/ClickBom@v1.0.10
        with:
          aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          s3-bucket: my-sbom-bucket
          s3-key: clickbom.json
          sbom-source: mend
          mend-email: ${{ secrets.CLICKBOM_MEND_EMAIL }}
          mend-org-uuid: ${{ secrets.CLICKBOM_MEND_ORG_UUID }}
          mend-user-key: ${{ secrets.CLICKBOM_MEND_USER_KEY }}
          mend-product-uuid: ${{ secrets.CLICKBOM_MEND_PRODUCT_UUID }}
          mend-project-uuid: ${{ secrets.CLICKBOM_MEND_PROJECT_UUID }}
          clickhouse-url: ${{ secrets.CLICKHOUSE_URL }}
          clickhouse-database: ${{ secrets.CLICKHOUSE_DATABASE }}
          clickhouse-username: ${{ secrets.CLICKHOUSE_USERNAME }}
          clickhouse-password: ${{ secrets.CLICKHOUSE_PASSWORD }}
```

### Downloading an SBOM from Wiz

If you want to download an SBOM from Wiz, you can use the following example. This example assumes you have the necessary Wiz credentials set up in your GitHub Secrets.

```yaml
name: Upload SBOM

on:
  push:
    branches:
      - main

jobs:
  clickbom:
    name: ClickBOM
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Configure AWS Credentials
        id: aws-creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
          role-session-name: clickbom-session
          aws-region: us-east-1

      - name: Upload SBOM from Wiz
        uses: ClickHouse/ClickBom@v1.0.10
        with:
          aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          s3-bucket: my-sbom-bucket
          s3-key: clickbom.json
          sbom-source: wiz
          wiz-auth-endpoint: ${{ secrets.CLICKBOM_WIZ_AUTH_ENDPOINT }}
          wiz-api-endpoint: ${{ secrets.CLICKBOM_WIZ_API_ENDPOINT }}
          wiz-client-id: ${{ secrets.CLICKBOM_WIZ_CLIENT_ID }}
          wiz-client-secret: ${{ secrets.CLICKBOM_WIZ_CLIENT_SECRET }}
          wiz-report-id: ${{ secrets.CLICKBOM_WIZ_REPORT_ID }}
          clickhouse-url: ${{ secrets.CLICKHOUSE_URL }}
          clickhouse-database: ${{ secrets.CLICKHOUSE_DATABASE }}
          clickhouse-username: ${{ secrets.CLICKHOUSE_USERNAME }}
          clickhouse-password: ${{ secrets.CLICKHOUSE_PASSWORD }}
```

## Creating a GitHub App

- Follow the instructions [here](https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/registering-a-github-app) to create a GitHub App.
- Make sure to give the app `Read access` to `Contents` and `Metadata`.
- Install the app on the repositories you want to use it with.
- Generate a private key for the app and save it somewhere secure, e.g. GitHub Secrets.
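The `include`/`exclude` semantics described under General inputs and used in the "Merging SBOMs with Include/Exclude Filters" example, worked through as an added Python example (not ClickBOM's own code). It assumes patterns are shell-style globs matched against the object's filename (the part of the S3 key after the last `/`), and that exact names are matched literally, which the README implies but does not spell out.

```python
"""Include/exclude filtering for an S3 SBOM merge, modelled on the README.

Added example, not ClickBOM's own implementation. Assumption: patterns are
fnmatch-style globs applied to the filename part of each S3 key.
"""
from fnmatch import fnmatchcase
from posixpath import basename


def parse_patterns(value):
    """Split a comma-separated action input into patterns, dropping blanks."""
    return [p.strip() for p in value.split(",") if p.strip()]


def matches_any(name, patterns):
    """True if the filename equals or glob-matches any of the patterns."""
    return any(name == p or fnmatchcase(name, p) for p in patterns)


def select_keys(keys, include="", exclude=""):
    """Return the S3 keys that survive the include/exclude filters.

    - No include patterns: every key is a candidate.
    - Include patterns given: only matching keys are candidates.
    - Exclude is applied afterwards, so a key matching both is dropped.
    """
    inc = parse_patterns(include)
    exc = parse_patterns(exclude)
    selected = []
    for key in keys:
        name = basename(key)
        if inc and not matches_any(name, inc):
            continue
        if exc and matches_any(name, exc):
            continue
        selected.append(key)
    return selected


# Constructed sample listing of an SBOM bucket (not real data).
SAMPLE_KEYS = [
    "api-prod.json",
    "web-prod.json",
    "production-batch.json",
    "api-test.json",
    "production-dev.json",  # matches include AND exclude -> excluded
    "clickbom.json",        # matches no include pattern -> skipped
]

if __name__ == "__main__":
    for key in select_keys(SAMPLE_KEYS,
                           "*-prod.json,production-*.json",
                           "*-test.json,*-dev.json"):
        print(key)
```

Running the block prints the three production SBOMs and drops `production-dev.json`, which matches both an include and an exclude pattern.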