Summary
I would like to submit a feature request for showing dependencies of GitHub Actions.
Current behavior
syft has no problem finding GitHub Actions and showing them as dependencies of a project when you run syft on a git repo directory that uses GitHub Actions. However, the dependencies of those actions are not listed. We have to download the release archive of the GitHub Action and run syft on that to get some visibility.
Steps to reproduce
Check out a repository that uses GitHub Actions.
Run syft on the directory.
Observe that the GitHub Actions are part of the resulting SBOM, but the dependencies of those actions are not listed.
Requested behavior
Have the dependencies of GitHub Actions listed in the SBOM, so that vulnerable packages used by an Action can be flagged by grype.
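To make the gap in the request concrete, here is an added example (not syft's code, and not from anyone in this thread) that does the two steps by hand: it extracts the `uses:` references from a workflow file, which is what syft already reports, and then reads the dependencies declared inside an action's own release archive, which is what the request asks syft to add. The workflow text and the unpacked archives are constructed samples; the `transitive_report`, `parse_uses` and `action_dependencies` functions are illustrative names, and the parsing is line-oriented rather than a full YAML parser, which is sufficient for the `uses:`, `using:` and `image:` keys these manifests rely on.

```python
"""Added example (not syft's code): list the GitHub Actions a workflow uses,
then list what each action itself depends on.  All inputs are constructed."""
import json
import re
from dataclasses import dataclass

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)['\"]?\s*(?:#\s*(\S.*))?$")
USING_RE = re.compile(r"^\s*using:\s*['\"]?([^'\"\s]+)")
IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"\s]+)")
FROM_RE = re.compile(r"^\s*FROM\s+(\S+)", re.IGNORECASE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class ActionRef:
    owner_repo: str  # e.g. actions/checkout
    path: str        # sub-directory inside the repo, "" if none
    ref: str         # tag, branch or commit SHA after the '@'
    comment: str     # trailing comment, conventionally the human-readable version

    @property
    def pinned_to_sha(self) -> bool:
        # A 40-hex ref is immutable; a tag or branch can be moved later.
        return bool(SHA_RE.match(self.ref))


def parse_uses(text):
    """Return an ActionRef for every remote `uses:` in a workflow or composite action."""
    refs = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), (m.group(2) or "").strip()
        if target.startswith(("./", "docker://")):
            continue  # local path or container image: nothing to fetch from GitHub
        repo_part, _, ref = target.partition("@")
        parts = repo_part.split("/", 2)
        path = parts[2] if len(parts) > 2 else ""
        refs.append(ActionRef("/".join(parts[:2]), path, ref, comment))
    return refs


def _first(regex, text):
    """First capture of `regex` over the lines of `text`, or ""."""
    for line in text.splitlines():
        m = regex.match(line)
        if m:
            return m.group(1)
    return ""


def action_dependencies(files):
    """files: mapping of path -> text for an unpacked action archive.
    Returns (ecosystem, name, version) tuples for what the action pulls in."""
    manifest = files.get("action.yml") or files.get("action.yaml") or ""
    using = _first(USING_RE, manifest)
    deps = []
    if using.startswith("node"):
        # JavaScript action: runtime dependencies are declared in package.json
        pkg = json.loads(files.get("package.json", "{}"))
        deps += [("npm", n, v) for n, v in pkg.get("dependencies", {}).items()]
    elif using == "composite":
        # Composite action: it `uses:` further actions, each a dependency
        for r in parse_uses(manifest):
            deps.append(("github-action", "/".join(filter(None, (r.owner_repo, r.path))), r.ref))
    elif using == "docker":
        # Docker action: the dependency is the base image, from Dockerfile or `image:`
        image = _first(IMAGE_RE, manifest)
        if image == "Dockerfile":
            base = _first(FROM_RE, files.get("Dockerfile", ""))
        else:
            base = image[len("docker://"):] if image.startswith("docker://") else image
        if base:
            deps.append(("container-image", base, ""))
    return deps


def transitive_report(workflow_text, archives):
    """Map each action reference to its own dependencies; None when the
    release archive (what this issue asks syft to fetch) is not available."""
    report = {}
    for r in parse_uses(workflow_text):
        files = archives.get(r.owner_repo)
        report[f"{r.owner_repo}@{r.ref}"] = action_dependencies(files) if files else None
    return report


# --- constructed sample inputs (not real repository contents) ---
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 #v4.2.0
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: ./.github/actions/local-helper
      - uses: github/codeql-action/init@v3
"""

# Hypothetical unpacked release archives, keyed by owner/repo
ARCHIVES = {
    "actions/checkout": {
        "action.yml": "name: Checkout\nruns:\n  using: node20\n  main: dist/index.js\n",
        "package.json": json.dumps({"dependencies": {"@actions/core": "^1.10.0", "@actions/exec": "^1.1.1"}}),
    },
    "actions/setup-node": {
        "action.yml": "name: Setup\nruns:\n  using: composite\n  steps:\n    - uses: actions/cache@v4\n    - run: echo hi\n      shell: bash\n",
    },
}

if __name__ == "__main__":
    for action, deps in transitive_report(WORKFLOW, ARCHIVES).items():
        print(action, "->", deps if deps is not None else "archive not fetched")
```

Running it prints the npm packages behind the JavaScript action, the nested action behind the composite one, and "archive not fetched" for the action whose archive was not supplied, which is exactly the visibility the reporter currently has to obtain by downloading release archives manually.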
Hi @yaabdala, thanks for the request. Would you mind providing a link to a GitHub Action file that has dependencies that are missed, and saying what dependencies we should have found?
It sounds like what you're asking for is that in a file like:
We should have found actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 #v4.2.0. But we find this today. Is there something else we should be finding?