[EdgeBit] Create an SBOM for Vulnerability Scanning

.github/edgebit/source-syft.yaml

@@ -0,0 +1,27 @@
+output: syft
+
+check-for-app-update: false
+
+catalogers:
+  - binary
+  - cocoapods
+  - conan
+  - dartlang-lock
+  - dotnet-deps
+  - elixir-mix-lock
+  - erlang-rebar-lock
+  - go-mod-file
+  - go-module-binary
+  - graalvm-native-image
+  - haskell
+  - java
+  - java-gradle-lockfile
+  - java-pom
+  - javascript-lock
+  - php-composer-lock
+  - python-index
+  - python-package
+  - ruby-gemfile
+  - rust-cargo-lock
+  - sbom
+  - swift-package-manager

.github/workflows/sbom.yaml

@@ -0,0 +1,31 @@
+name: Generate an SBOM from source code
+
+on:
+  pull_request:
+  push:
+    branches:
+      - 'main'
+
+jobs:
+  generate-sbom:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Download Syft
+        id: syft
+        uses: anchore/sbom-action/download-syft@v0.14.2
+
+      - name: Generate SBOM from source code
+        run: "${{ steps.syft.outputs.cmd }} --config .github/edgebit/source-syft.yaml --file /tmp/sbom.syft.json ."
+
+      - name: Upload SBOM to EdgeBit
+        uses: edgebitio/edgebit-build@v1
+        with:
+          edgebit-url: "https://edgebit.edgebit.io"
+          token: ${{ secrets.EDGEBIT_TOKEN }}
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          sbom-file: /tmp/sbom.syft.json
+          component: "edgebitio-sbom-server"
+          tags: ${{ github.ref == 'refs/heads/main' && 'latest' || '' }}