Using the Github App

Connect your GitHub repositories to Manifest for automatic SBOM (Software Bill of Materials) generation and management using either the GitHub App or GitHub Action.

The GitHub App is ideal for getting up and running quickly, easily, and without technical implementation. For more control, configuration, and advanced settings, consider using the Manifest GitHub Action instead.



Installing the Manifest GitHub App

The GitHub App provides automated SBOM generation with minimal configuration required. Follow these steps to get started:

  1. Go to Settings, and then select the Integrations tab.
  2. Locate the GitHub integration and click Add.
  3. Click Install on GitHub and follow the prompts to complete installation.
    1. If you are using a self-hosted instance of Manifest, or your URL for Manifest isn't app.manifestcyber.com, open the Advanced section and enter the URL of your Manifest instance.
    2. By default, the Manifest GitHub App will generate SBOMs for all repositories across your GitHub organization. If you want to generate SBOMs for specific repositories only, click "Only select repositories" on the Authorize & Request screen.
    3. Click Authorize & Request to install the App.



Configuring SBOM Generation for the App

Once the GitHub App is installed, you can configure certain settings for SBOM generation from within Manifest. On the GitHub Organization page, click the Repositories tab.


Enable or Disable Repositories

Within the Repositories tab, you can selectively Enable or Disable whether SBOMs will be generated for a specific repository by clicking the Toggle at the far right of the table.


Setting Generation Triggers or Frequency

For each repository with SBOM generation enabled, you can select Generation Frequency from the following options:

  • On Push to Branch: generates an SBOM whenever a developer opens a Pull Request to a branch.
  • Daily, Weekly, or Monthly: generates and uploads SBOMs on a fixed schedule.

To set the default SBOM Generation setting across all repositories (so you don't have to set each repo status individually), set the Default on the Settings page.


Importing GitHub Repository Topics as Labels in Manifest

For each GitHub organization integrated with Manifest, you can choose to import your repositories' topics as labels. To enable this functionality:

  1. Navigate to your GitHub organization in Manifest: Settings -> Integrations -> Edit GitHub
  2. Select the GitHub organization for which you want to import topics
  3. Click on the Settings tab within the organization
  4. Switch on the toggle labeled Import Github labels.

Note: The labels will be added to all asset versions generated after the Import Github labels toggle was turned on. You can view the imported labels on your Manifest Settings -> Labels page as soon as the feature is enabled.


❗️ Make sure you click Save Changes before navigating away from the page.



Generating SBOMs in GitHub

Manifest provides a GitHub Action that leverages our command line tool for SBOM generation.

📘 Learn more about using the GitHub Action on our GitHub page.