
[2022-12-15] Actions SBOMs (#33486)

Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
Co-authored-by: Larissa Fortuna <56982181+lkfortuna@users.noreply.github.com>
Co-authored-by: Siara <108543037+SiaraMist@users.noreply.github.com>
This commit is contained in:
Steve Guntrip
2022-12-16 16:22:28 +00:00
committed by GitHub
parent 103024a7c6
commit dfa14f13aa
3 changed files with 31 additions and 10 deletions


@@ -276,6 +276,16 @@ This list describes the recommended approaches for accessing repository data wit
5. **SSH keys on a personal account**
- Workflows should never use the SSH keys on a personal account. Similar to {% data variables.product.pat_v1_plural %}, they grant read/write permissions to all of your personal repositories as well as all the repositories you have access to through organization membership. This indirectly grants broad access to all write-access users of the repository the workflow is in. If you're intending to use an SSH key because you only need to perform repository clones or pushes, and do not need to interact with public APIs, then you should use individual deploy keys instead.
{% ifversion actions-sbom %}
## Reviewing the supply chain for {% data variables.product.prodname_dotcom %}-hosted runners
You can view a software bill of materials (SBOM) to see what software was pre-installed on the {% data variables.product.prodname_dotcom %}-hosted runner image used during your workflow runs. You can provide your users with the SBOM which they can run through a vulnerability scanner to validate if there are any vulnerabilities in the product. If you are building artifacts, you can include this SBOM in your bill of materials for a comprehensive list of everything that went into creating your software.
SBOMs are available for Windows and Ubuntu runner images. You can locate the SBOM for your build in the release assets at https://github.com/actions/runner-images/releases. An SBOM with a filename in the format of `sbom.<IMAGE-NAME>.json.zip` can be found in the attachments of each release.
{% endif %}
## Hardening for self-hosted runners
{% ifversion fpt or ghec %}
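Review bot: the new section never explains how a reader finds out which runner image version a given workflow run actually used, so they have no way to pick the matching `sbom.<IMAGE-NAME>.json.zip` out of the release assets at https://github.com/actions/runner-images/releases; add a sentence on identifying the image version of a run before "You can locate the SBOM for your build". The second sentence also needs tightening: "You can provide your users with the SBOM which they can run through a vulnerability scanner to validate if there are any vulnerabilities in the product" reads better as "You can provide your users with the SBOM, which they can run through a vulnerability scanner to check whether the runner image contains any known vulnerabilities."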


@@ -132,6 +132,12 @@ For the overall list of included tools for each runner operating system, see the
{% data variables.product.prodname_dotcom %}-hosted runners include the operating system's default built-in tools, in addition to the packages listed in the above references. For example, Ubuntu and macOS runners include `grep`, `find`, and `which`, among other default tools.
{% ifversion actions-sbom %}
You can also view a software bill of materials (SBOM) for each build of the Windows and Ubuntu runner images. For more information, see "[Reviewing the supply chain for {% data variables.product.prodname_dotcom %}-hosted runners](/actions/security-guides/security-hardening-for-github-actions#reviewing-the-supply-chain-for-github-hosted-runners)."
{% endif %}
### Using preinstalled software
We recommend using actions to interact with the software installed on runners. This approach has several benefits:
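Review bot: the sentence just above the new paragraph lists macOS alongside Ubuntu, but the added paragraph offers SBOMs only "for each build of the Windows and Ubuntu runner images" without saying that macOS images are not covered; state that explicitly so readers do not go looking for a macOS SBOM in the release assets. The cross-reference to the security-hardening guide is otherwise the right place to send readers for the details.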


@@ -0,0 +1,5 @@
# Reference: #8461
# SBOMs available for GitHub-hosted runner images.
versions:
fpt: '*'
ghec: '*'
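Review bot: the feature flag enables the SBOM content for `fpt` and `ghec` only, which is consistent with the section being about GitHub-hosted runner images, but the comment does not say why the other version keys are left out; extend it (for example "GitHub-hosted runner images only, so not enabled for other products") so a later editor does not add those versions by mistake. The "Reference: #8461" line is useful; keep it.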