sbomify · vpetersson · Jan 9, 2026 · Jan 9, 2026 · Jan 9, 2026 · Jan 9, 2026
diff --git a/.github/workflows/_sbom-benchmark.yml b/.github/workflows/_sbom-benchmark.yml
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -7,192 +7,24 @@ on:
     paths:
       - 'docker/**'
       - '.github/workflows/docker.yml'
-
-env:
-  TRIVY_VERSION: 0.54.1
-  SYFT_VERSION: 1.11.1
-  SBOMQS_VERSION: 0.1.9
+      - '.github/workflows/_sbom-benchmark.yml'
+  pull_request:
+    paths:
+      - 'docker/**'
+      - '.github/workflows/docker.yml'
+      - '.github/workflows/_sbom-benchmark.yml'
 
 jobs:
-  trivy:
-    name: Trivy
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Build Docker image
-        working-directory: "docker"
-        run:
-          docker build . -t nginx-test
-
-      - name: Install Trivy
-        run: |
-          curl -L -o /tmp/trivy.tgz \
-            "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
-          tar xvf /tmp/trivy.tgz -C /tmp
-          chmod +x /tmp/trivy
-
-      - name: "CycloneDX: Generate SBOM"
-        run: |
-          /tmp/trivy image \
-            --format cyclonedx \
-            --output /tmp/trivy.cdx.json \
-            nginx-test
-
-      - name: "SPDX: Generate SBOM"
-        run: |
-          /tmp/trivy image \
-            --format spdx-json \
-            --output /tmp/trivy.spdx.json \
-            nginx-test
-
-      - name: Upload SBOM
-        uses: actions/upload-artifact@v4
-        with:
-          name: container-trivy
-          path: "/tmp/trivy.*.json"
-
-  syft:
-    name: Syft
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Build Docker image
-        working-directory: "docker"
-        run:
-          docker build . -t nginx-test
-
-      - name: Install Syft
-        run: |
-          curl -L -o /tmp/syft.tgz \
-            "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz"
-          tar xvf /tmp/syft.tgz -C /tmp
-          chmod +x /tmp/syft
-
-      - name: "CycloneDX: Generate SBOM"
-        run: |
-          /tmp/syft \
-            nginx-test \
-            -o cyclonedx-json \
-              > /tmp/syft.cdx.json
-
-      - name: "SPDX: Generate SBOM"
-        run: |
-          /tmp/syft \
-            nginx-test \
-            -o spdx-json \
-            > /tmp/syft.spdx.json
-
-      - name: Upload SBOM
-        uses: actions/upload-artifact@v4
-        with:
-          name: container-syft
-          path: "/tmp/syft.*.json"
-
   benchmark:
-    name: Benchmark
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Build Docker image
-        working-directory: "docker"
-        run: |
-          docker build . -t nginx-test
-
-      # Provide a baseline of what system packages Debian think is installed
-      - name:
-        run: |
-          docker run \
-            --rm nginx-test \
-            dpkg-query -W -f='${binary:Package} ${Version}\n' | sort > /tmp/baseline.txt
-
-      - name: Upload baseline
-        uses: actions/upload-artifact@v4
-        with:
-          name: baseline
-          path: "/tmp/baseline.txt"
-
-  Score:
-    needs:
-     - trivy
-     - syft
-     - benchmark
-    runs-on: ubuntu-latest
-    steps:
-      - name: Download SBOMs
-        uses: actions/download-artifact@v4
-
-      - name: Install sbomqs
-        run: |
-          curl -L -o /tmp/sbomqs \
-            "https://github.com/interlynk-io/sbomqs/releases/download/v${SBOMQS_VERSION}/sbomqs-linux-amd64"
-          chmod +x /tmp/sbomqs
-
-      - name: "Generate Summary Table"
-        run: |
-          calculate_duplication_percentage() {
-            local total=$1
-            local unique=$2
-
-            if [ "$total" -eq 0 ]; then
-              echo "Duplication Percentage: N/A (Total count is zero)"
-              return 1
-            fi
-
-            local duplicates=$((total - unique))
-
-            if [ "$duplicates" -lt 0 ]; then
-              duplicates=0
-            fi
-
-            local duplication_percentage=$(echo "scale=2; ($duplicates / $total) * 100" | bc)
-
-            echo "$duplication_percentage%"
-          }
-
-          # Baseline
-          SYSTEM_BASELINE=$(cat baseline/baseline.txt | wc -l)
-
-          # Syft
-          SYFT_CDX_PATH="container-syft/syft.cdx.json"
-          SYFT_CDX_TOTAL=$(jq '.components[] | .name' $SYFT_CDX_PATH | wc -l)
-          SYFT_CDX_UNIQUE=$(jq '.components[] | .name' $SYFT_CDX_PATH | uniq | wc -l)
-          SYFT_CDX_SBOMQS=$(/tmp/sbomqs score $SYFT_CDX_PATH -j)
-          SYFT_CDX_VERSION=$(echo $SYFT_CDX_SBOMQS | jq -r '.files[0].spec_version')
-          SYFT_CDX_QUALITY_SCORE=$(echo $SYFT_CDX_SBOMQS | jq -r '.files[0].avg_score')
-
-          SYFT_SPDX_PATH="container-syft/syft.spdx.json"
-          SYFT_SPDX_TOTAL=$(jq '.packages[] | .name' $SYFT_SPDX_PATH | wc -l)
-          SYFT_SPDX_UNIQUE=$(jq '.packages[] | .name' $SYFT_SPDX_PATH | uniq | wc -l)
-          SYFT_SPDX_SBOMQS=$(/tmp/sbomqs score $SYFT_SPDX_PATH -j)
-          SYFT_SPDX_VERSION=$(echo $SYFT_SPDX_SBOMQS | jq -r '.files[0].spec_version')
-          SYFT_SPDX_QUALITY_SCORE=$(echo $SYFT_SPDX_SBOMQS | jq -r '.files[0].avg_score')
-
-          # Trivy
-          TRIVY_CDX_PATH="container-trivy/trivy.cdx.json"
-          TRIVY_CDX_TOTAL=$(jq '.components[] | .name' $TRIVY_CDX_PATH | wc -l)
-          TRIVY_CDX_UNIQUE=$(jq '.components[] | .name' $TRIVY_CDX_PATH | uniq | wc -l)
-          TRIVY_CDX_SBOMQS=$(/tmp/sbomqs score $TRIVY_CDX_PATH -j)
-          TRIVY_CDX_VERSION=$(echo $TRIVY_CDX_SBOMQS | jq -r '.files[0].spec_version')
-          TRIVY_CDX_QUALITY_SCORE=$(echo $TRIVY_CDX_SBOMQS | jq -r '.files[0].avg_score')
-
-          TRIVY_SPDX_PATH="container-trivy/trivy.spdx.json"
-          TRIVY_SPDX_TOTAL=$(jq '.packages[] | .name' $TRIVY_SPDX_PATH | wc -l)
-          TRIVY_SPDX_UNIQUE=$(jq '.packages[] | .name' $TRIVY_SPDX_PATH | uniq | wc -l)
-          TRIVY_SPDX_SBOMQS=$(/tmp/sbomqs score $TRIVY_SPDX_PATH -j)
-          TRIVY_SPDX_VERSION=$(echo $TRIVY_SPDX_SBOMQS | jq -r '.files[0].spec_version')
-          TRIVY_SPDX_QUALITY_SCORE=$(echo $TRIVY_SPDX_SBOMQS | jq -r '.files[0].avg_score')
-
-
-          # Header
-          echo "| Tool | Format | Packages | Unique Packages | Duplication % | Avg Quality Score |" >> ${GITHUB_STEP_SUMMARY}
-          echo "| -- | -- | -- | -- | -- |-- |" >> ${GITHUB_STEP_SUMMARY}
-
-          # Construct table
-          echo "| System Baseline | N/A | $SYSTEM_BASELINE | $SYSTEM_BASELINE | 0% | N/A |" >> ${GITHUB_STEP_SUMMARY}
-          echo "| Syft ($SYFT_VERSION) | CycloneDX ($SYFT_CDX_VERSION) | $SYFT_CDX_TOTAL | $SYFT_CDX_UNIQUE | $(calculate_duplication_percentage $SYFT_CDX_TOTAL $SYFT_CDX_UNIQUE) | $SYFT_CDX_QUALITY_SCORE |" >> ${GITHUB_STEP_SUMMARY}
-          echo "| Trivy ($TRIVY_VERSION) | CycloneDX ($TRIVY_CDX_VERSION) | $TRIVY_CDX_TOTAL | $TRIVY_CDX_UNIQUE | $(calculate_duplication_percentage $TRIVY_CDX_TOTAL $TRIVY_CDX_UNIQUE) | $TRIVY_CDX_QUALITY_SCORE |" >> ${GITHUB_STEP_SUMMARY}
-          echo "| Syft ($SYFT_VERSION) | SPDX ($SYFT_SPDX_VERSION) | $SYFT_SPDX_TOTAL | $SYFT_SPDX_UNIQUE | $(calculate_duplication_percentage $SYFT_SPDX_TOTAL $SYFT_SPDX_UNIQUE) | $SYFT_SPDX_QUALITY_SCORE |" >> ${GITHUB_STEP_SUMMARY}
-          echo "| Trivy ($TRIVY_VERSION) | SPDX ($TRIVY_SPDX_VERSION) | $TRIVY_SPDX_TOTAL | $TRIVY_SPDX_UNIQUE | $(calculate_duplication_percentage $TRIVY_SPDX_TOTAL $TRIVY_SPDX_UNIQUE)| $TRIVY_SPDX_QUALITY_SCORE |" >> ${GITHUB_STEP_SUMMARY}
+    uses: ./.github/workflows/_sbom-benchmark.yml
+    with:
+      name: container
+      target_type: docker
+      target_path: nginx-test
+      setup_commands: |
+        cd docker && docker build . -t nginx-test
+      sbomify_input: nginx-test
+      sbomify_input_type: docker_image
+      baseline_command: |
+        docker run --rm nginx-test dpkg-query -W -f='${binary:Package} ${Version}\n' | sort
+      title: Docker (nginx + vim) Benchmark
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -0,0 +1,28 @@
+---
+name: Go
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - 'go/**'
+      - '.github/workflows/go.yml'
+      - '.github/workflows/_sbom-benchmark.yml'
+  pull_request:
+    paths:
+      - 'go/**'
+      - '.github/workflows/go.yml'
+      - '.github/workflows/_sbom-benchmark.yml'
+
+jobs:
+  benchmark:
+    uses: ./.github/workflows/_sbom-benchmark.yml
+    with:
+      name: go
+      target_type: filesystem
+      target_path: target-repo/go.mod
+      setup_commands: |
+        git clone --depth 1 --branch v2.3.1 https://github.com/google/osv-scanner.git target-repo
+      sbomify_input: target-repo/go.mod
+      sbomify_input_type: lock_file
+      title: Go (OSV Scanner 2.3.1) Benchmark
diff --git a/.github/workflows/java.yml b/.github/workflows/java.yml
@@ -0,0 +1,28 @@
+---
+name: Java
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - 'java/**'
+      - '.github/workflows/java.yml'
+      - '.github/workflows/_sbom-benchmark.yml'
+  pull_request:
+    paths:
+      - 'java/**'
+      - '.github/workflows/java.yml'
+      - '.github/workflows/_sbom-benchmark.yml'
+
+jobs:
+  benchmark:
+    uses: ./.github/workflows/_sbom-benchmark.yml
+    with:
+      name: java
+      target_type: filesystem
+      target_path: target-repo/pom.xml
+      setup_commands: |
+        git clone --depth 1 --branch 26.4.7 https://github.com/keycloak/keycloak.git target-repo
+      sbomify_input: target-repo/pom.xml
+      sbomify_input_type: lock_file
+      title: Java (Keycloak 26.4.7) Benchmark
diff --git a/.github/workflows/javascript.yml b/.github/workflows/javascript.yml
@@ -0,0 +1,28 @@
+---
+name: JavaScript
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - 'javascript/**'
+      - '.github/workflows/javascript.yml'
+      - '.github/workflows/_sbom-benchmark.yml'
+  pull_request:
+    paths:
+      - 'javascript/**'
+      - '.github/workflows/javascript.yml'
+      - '.github/workflows/_sbom-benchmark.yml'
+
+jobs:
+  benchmark:
+    uses: ./.github/workflows/_sbom-benchmark.yml
+    with:
+      name: javascript
+      target_type: filesystem
+      target_path: target-repo/pnpm-lock.yaml
+      setup_commands: |
+        git clone --depth 1 --branch wrangler@3.99.0 https://github.com/cloudflare/workers-sdk.git target-repo
+      sbomify_input: target-repo/pnpm-lock.yaml
+      sbomify_input_type: lock_file
+      title: JavaScript (Cloudflare workers-sdk) Benchmark