steampipe plugin install github

Table: github_repository_sbom - Query GitHub Repositories using SQL

GitHub Repositories is a feature offered by GitHub that allows developers to store and share their code, manage projects, and collaborate with other developers. It provides a platform for version control and source code management (SCM) functionalities of Git, along with its own features. GitHub Repositories enable developers to maintain a history of project files, track changes, revert to previous versions, and collaborate seamlessly with their team.

Table Usage Guide

The github_repository_sbom table provides insights into the Software Bill of Materials (SBOM) of GitHub Repositories. As a software developer or security analyst, explore the components, their versions, and dependencies in a software application through this table. Utilize it to uncover information about the SBOM, such as the components used in a software application, their versions, and dependencies, which can be crucial for vulnerability management and software maintenance.

Important Notes

  • You must specify the repository_full_name (repository including org/user prefix) column in the where or join clause to query the table.

Examples

List SBOM packages with a specific package version

The query helps to identify software bill of materials (SBOM) packages within a specific GitHub repository that are using a specified version. This can be useful for maintaining version consistency or addressing potential vulnerabilities associated with certain versions.

select
spdx_id,
spdx_version,
p ->> 'name' as package_name,
p ->> 'versionInfo' as package_version,
p ->> 'licenseConcluded' as package_license
from
github_repository_sbom,
jsonb_array_elements(packages) p
where
p ->> 'versionInfo' = '2.6.0'
and repository_full_name = 'turbot/steampipe';
select
spdx_id,
spdx_version,
json_extract(p.value, '$.name') as package_name,
json_extract(p.value, '$.versionInfo') as package_version,
json_extract(p.value, '$.licenseConcluded') as package_license
from
github_repository_sbom,
json_each(packages) as p
where
json_extract(p.value, '$.versionInfo') = '2.6.0'
and repository_full_name = 'turbot/steampipe';

Find SBOMs conforming to a specific SPDX version

Analyze the settings to understand which Software Bill of Materials (SBOMs) align with a certain SPDX version in a given repository. This can help maintain compliance and compatibility with specific standards.

select
name,
spdx_version
from
github_repository_sbom
where
spdx_version = '2.2'
and repository_full_name = 'turbot/steampipe';
select
name,
spdx_version
from
github_repository_sbom
where
spdx_version = '2.2'
and repository_full_name = 'turbot/steampipe';

Retrieve SBOMs under a specific data license

Explore which Software Bill of Materials (SBOMs) are under a specific data license in a particular repository. This can help in assessing compliance with licensing requirements and managing intellectual property rights.

select
name,
data_license
from
github_repository_sbom
where
data_license = 'CC0-1.0'
and repository_full_name = 'turbot/steampipe';
select
name,
data_license
from
github_repository_sbom
where
data_license = 'CC0-1.0'
and repository_full_name = 'turbot/steampipe';

Find SBOMs created by a specific user or at a specific time

Determine the software bill of materials (SBOMs) created by a specific individual or at a certain date. This is useful for tracking changes and understanding the history of your software development.

select
repository_full_name,
creation_info
from
github_repository_sbom
where
(
creation_info ->> 'created_by' = 'madhushreeray30'
or creation_info ->> 'created_at' = '2023-11-16'
)
and repository_full_name = 'turbot/steampipe';
select
repository_full_name,
creation_info
from
github_repository_sbom
where
(
json_extract(creation_info, '$.created_by') = 'madhushreeray30'
or json_extract(creation_info, '$.created_at') = '2023-11-16'
)
and repository_full_name = 'turbot/steampipe';

Schema for github_repository_sbom

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
creation_infojsonbIt represents when the SBOM was created and who created it.
data_licensetextThe license under which the SPDX document is licensed.
document_describesjsonbThe name of the repository that the SPDX document describes.
document_namespacetextThe namespace for the SPDX document.
login_idtext=, !=, ~~, ~~*, !~~, !~~*Unique identifier for the user login.
nametextThe name of the SPDX document.
packagesjsonbArray of packages in SPDX format.
repository_full_nametext=The full name of the repository (login/repo-name).
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
spdx_idtextThe SPDX identifier for the SPDX document.
spdx_versiontextThe version of the SPDX specification that this document conforms to.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- github

You can pass the configuration to the command with the --config argument:

steampipe_export_github --config '<your_config>' github_repository_sbom