diff --git a/README.md b/README.md
index 9a3ddcf6d8335958c1c22d315d21a80b386d3ec5..bef5348bc41621e7cbfa5c550b1add6042dcc55d 100644
--- a/README.md
+++ b/README.md
@@ -181,6 +181,18 @@ exports.config = {
}
```
+### `ng-sbom` job
+
+This job generates a [SBOM](https://cyclonedx.org/) file listing installed packages using [@cyclonedx/cyclonedx-npm](https://www.npmjs.com/package/@cyclonedx/cyclonedx-npm).
+
+It is bound to the `test` stage, and uses the following variables:
+
+| Name | description | default value |
+| --------------------- | -------------------------------------- | ----------------- |
+| `NG_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
+| `NG_SBOM_VERSION` | The version of @cyclonedx/cyclonedx-npm used to emit SBOM | _none_ (uses latest) |
+| `NG_SBOM_OPTS` | Options for @cyclonedx/cyclonedx-npm used for SBOM analysis | `--omit dev` |
+
### `ng-publish` job
The Angular template features a `ng-publish` job to publish the built project.
diff --git a/kicker.json b/kicker.json
index 5bf4d4a1687b91ded7c0bb5b56f1a0f048ee3cf9..beab39121c0383bacd168dee168836a4e859e61a 100644
--- a/kicker.json
+++ b/kicker.json
@@ -101,6 +101,25 @@
"advanced": true
}
]
+ },
+ {
+ "id": "sbom",
+ "name": "Software Bill of Materials",
+ "description": "This job generates a file listing all dependencies using [@cyclonedx/cyclonedx-npm](https://www.npmjs.com/package/@cyclonedx/cyclonedx-npm)",
+ "disable_with": "NG_SBOM_DISABLED",
+ "variables": [
+ {
+ "name": "NG_SBOM_VERSION",
+ "description": "Version of the @cyclonedx/cyclonedx-npm used for SBOM analysis",
+ "advanced": true
+ },
+ {
+ "name": "NG_SBOM_OPTS",
+ "description": "Options for @cyclonedx/cyclonedx-npm used for SBOM analysis",
+ "default": "--omit dev",
+ "advanced": true
+ }
+ ]
}
]
}
diff --git a/templates/gitlab-ci-angular.yml b/templates/gitlab-ci-angular.yml
index d93f4f3eb8e6951e28065cadc6d52d925711cebc..8908609f15b2b707ea52650c9b1cd34fcdf27fc5 100644
--- a/templates/gitlab-ci-angular.yml
+++ b/templates/gitlab-ci-angular.yml
@@ -65,6 +65,8 @@ variables:
# Angular Build
NG_BUILD_ARGS: "build"
+ NG_SBOM_OPTS: "--omit dev"
+
# default production ref name (pattern)
PROD_REF: '/^(master|main)$/'
# default integration ref name (pattern)
@@ -499,8 +501,9 @@ ng-build:
expire_in: 1 day
###############################################################################################
-# test stage: #
-# - ng-e2e #
+# test stage: #
+# - ng-e2e #
+# - ng-sbom #
###############################################################################################
ng-e2e:
extends: .ng-cli-base
@@ -521,6 +524,27 @@ ng-e2e:
when: never
- !reference [.test-policy, rules]
+ng-sbom:
+ extends: .ng-cli-base
+ stage: test
+ # force no dependency
+ dependencies: []
+ script:
+ - mkdir -p -m 777 reports
+ - npx -y @cyclonedx/cyclonedx-npm${NG_SBOM_VERSION:+@$NG_SBOM_VERSION} --output-format JSON --output-file reports/ng-sbom.cyclonedx.json $NG_SBOM_OPTS
+ - chmod a+r reports/ng-sbom.cyclonedx.json
+ rules:
+ # exclude if disabled
+ - if: '$NG_SBOM_DISABLED == "true"'
+ when: never
+ - !reference [.test-policy, rules]
+ artifacts:
+ name: "SBOM for Angular from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
+ when: always
+ expire_in: 1 week
+ paths:
+ - $NG_WORKSPACE_DIR/reports/ng-sbom.cyclonedx.json
+
###############################################################################################
# publish stage: #
# - npm-publish #