A minimal example:
name: Generate and scan SBOMs
on:
workflow_dispatch:
jobs:
build-and-test:
name: Generate and scan SBOMs
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Generate some dummy SBOMs
run: |
sbom={"bomFormat":"CycloneDX","specVersion":"1.3","version":1,"metadata":{}}
mkdir package1 package2 package3
echo $sbom > package1/package1.cdx.json
echo $sbom > package2/package2.cdx.json
echo $sbom > package3/package3.cdx.json
- name: Scan SBOMs
uses: anchore/scan-action@v7
with:
# the important bit:
sbom: '*/*.cdx.json'
Expected behavior would be that the scan-action step would find matches for any *.cdx.json files at one depth level (*/), however, the above gives an error like this:
ERROR failed to catalog: unable to open file */*.cdx.json: open */*.cdx.json: no such file or directory
A minimal example:
Expected behavior would be that the
scan-actionstep would find matches for any*.cdx.jsonfiles at one depth level (*/), however, the above gives an error like this: