Fixes package-url#853: add new PURL type `ansible` for identifying Ansible collections.

Ansible collections can be installed from multiple sources:
- Ansible Galaxy (default)
- Red Hat Automation Hub
- Git repositories
- Direct URLs/tarballs
- System packages (RPM/deb)

This type definition enables scanners to generate accurate PURLs for Ansible collections in SBOMs and vulnerability databases.

Qualifiers:
- repository_url: Alternative Galaxy-compatible server
- vcs_url: VCS URL for git-sourced collections
- download_url: Direct tarball URL
- packaging: Distribution method (rpm, deb)

A corresponding change to ansible-core will be submitted to write source.json metadata during collection installation, enabling scanners to determine the installation source.
anweshadas added a commit to anweshadas/ansible that referenced this pull request Apr 7, 2026

Add source.json file creation when installing collections via ansible-galaxy. This enables SBOM scanners (like Syft) to generate accurate Package URLs (PURLs) for Ansible collections by recording the installation source.

The source.json file is written to the collection directory and contains:
- format_version: Schema version (1.0.0)
- namespace, name, version: Collection identity
- type: Installation source type (galaxy, git, url, file, dir)
- repository_url: Galaxy-compatible server URL (for galaxy type)
- download_url: Direct artifact URL (for galaxy/url types)
- vcs_url: VCS URL with git+ prefix (for git type)

Examples:
- Galaxy: type=galaxy, repository_url=https://galaxy.ansible.com
- Automation Hub: type=galaxy, repository_url=https://console.redhat.com/api/automation-hub/
- Git: type=git, vcs_url=git+https://github.com/org/repo.git@tag
- URL: type=url, download_url=https://example.com/collection.tar.gz
- Local: type=file or type=dir (no path stored)

This change supports the new 'ansible' PURL type being proposed at: package-url/purl-spec#854
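How a scanner could map the source.json fields listed in this commit message onto an `ansible` PURL while treating the file as untrusted input, as an added example that is not code from the pull request, ansible-core or Syft. The function name, the sample records, omitting the default Galaxy URL, and leaving ':' and '/' unencoded in qualifier values are assumptions.

```python
import json
from urllib.parse import quote

DEFAULT_GALAXY = "https://galaxy.ansible.com"  # assumption: default server is left out
# Qualifiers each source.json "type" may contribute, per the field list above.
ALLOWED = {"galaxy": ("repository_url", "download_url"), "url": ("download_url",),
           "git": ("vcs_url",), "file": (), "dir": ()}

def purl_from_source_json(text):
    """Hypothetical helper: build a pkg:ansible PURL from source.json text."""
    meta = json.loads(text)
    if not isinstance(meta, dict):
        raise ValueError("source.json must be a JSON object")
    kind = meta.get("type")
    if not isinstance(kind, str) or kind not in ALLOWED:
        raise ValueError(f"unknown source type: {kind!r}")
    ident = []
    for key in ("namespace", "name", "version"):
        value = meta.get(key)
        if not isinstance(value, str) or not value:
            raise ValueError(f"missing or non-string field: {key}")
        ident.append(quote(value, safe=""))  # no '/', '@' or '?' can leak through
    qualifiers = {}
    for key in ALLOWED[kind]:  # fields not valid for this type are ignored
        value = meta.get(key)
        if not isinstance(value, str) or not value:
            continue
        if key == "repository_url" and value.rstrip("/") == DEFAULT_GALAXY:
            continue
        # Encode '&', '=', '#', '@' so a value cannot add or cut qualifiers.
        qualifiers[key] = quote(value, safe="/:")
    purl = "pkg:ansible/{}/{}@{}".format(*ident)
    if qualifiers:
        purl += "?" + "&".join(f"{k}={v}" for k, v in sorted(qualifiers.items()))
    return purl

# Constructed sample records (not from a real installation).
BASE = {"format_version": "1.0.0", "namespace": "acme", "name": "tools", "version": "1.2.3"}
GALAXY = json.dumps({**BASE, "type": "galaxy", "repository_url": "https://galaxy.ansible.com"})
HUB = json.dumps({**BASE, "type": "galaxy",
                  "repository_url": "https://console.redhat.com/api/automation-hub/"})
TAMPERED = json.dumps({**BASE, "type": "url",
                       "download_url": "https://example.com/c.tar.gz&packaging=rpm"})
LOCAL = json.dumps({**BASE, "type": "dir", "vcs_url": "git+https://example.com/x.git"})

if __name__ == "__main__":
    for sample in (GALAXY, HUB, TAMPERED, LOCAL):
        print(purl_from_source_json(sample))
```

The `TAMPERED` record shows why qualifier values are encoded: without it, the trailing `&packaging=rpm` would be read as a second qualifier by anything parsing the PURL.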
dbrennand suggested changes Apr 16, 2026

Use Ansible's native comma syntax for VCS URL version references instead of pip/SPDX @ syntax. ansible-galaxy uses a comma to separate the git ref (e.g., git+https://...repo.git,tag), and the @ sign is treated as part of the URL, causing installs to fail.

- Update vcs_url qualifier description and example to use comma separator with real-world community.general collection
- Fix download_url example tarball name to match the "custom" namespace
- Add collections installing guide to reference_urls