curl -T someSBOM.json https://sbom.sh
You can effortlessly create and share an SBOM using SBOM.sh in one step. Check out these examples:
Container image using trivy, e.g., Postgres
trivy image postgres -f cyclonedx --scanners vuln -q | curl -d @- https://sbom.sh -H "Content-Type: application/json"
Container image using syft
syft registry:docker.io/postgres -o cyclonedx-json -q | curl -d @- https://sbom.sh -H "Content-Type: application/json"
Container image using grype
grype registry:docker.io/postgres -o cyclonedx-json -q | curl -d @- https://sbom.sh -H "Content-Type: application/json"
Use the GitHub dependency graph
curl -sL -H "Accept: application/vnd.github+json" -H "Authorization: Bearer YOUR-TOKEN" \
https://api.github.com/repos/codenotary/immudb/dependency-graph/sbom | curl -d @- https://sbom.sh -H "Content-Type: application/json"
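An added pre-flight check for the piped-upload pattern above, written here as example code rather than anything from codenotary or sbom.sh: it parses the CycloneDX JSON that trivy, syft and grype emit (GitHub's dependency-graph endpoint returns SPDX instead, which this check rejects), refuses to upload an empty or non-CycloneDX document, reports how many components and vulnerabilities per severity the shared link will expose, and then performs the same POST as the curl examples. The sample BOM and its CVE ids are constructed placeholders, and nothing is assumed about the body sbom.sh returns beyond printing it.

```python
import json, sys, urllib.request
from collections import Counter

SBOM_SH_URL = "https://sbom.sh"

# Constructed sample in the shape trivy/syft/grype emit as CycloneDX JSON
# (trivy adds the 'vulnerabilities' array when run with --scanners vuln); ids are placeholders.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libssl3", "version": "3.0.11"},
        {"type": "library", "name": "zlib1g", "version": "1.2.13"},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "ratings": [{"severity": "high"}]},
        {"id": "CVE-0000-0002", "ratings": [{"severity": "medium"}]},
    ],
}

def validate_cyclonedx(doc):
    """Return a list of problems; an empty list means the document looks like a CycloneDX BOM."""
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"]
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not 'CycloneDX'")
    if not isinstance(doc.get("components"), list) or not doc["components"]:
        problems.append("no components listed; refusing to share an empty SBOM")
    return problems

def summarize(doc):
    """Component count plus vulnerabilities per severity, so you know what the shared link exposes."""
    by_severity = Counter()
    for vuln in doc.get("vulnerabilities", []):
        ratings = vuln.get("ratings") or []
        by_severity[(ratings[0].get("severity") if ratings else None) or "unknown"] += 1
    return {"components": len(doc.get("components", [])), "vulnerabilities": dict(by_severity)}

def upload(raw, url=SBOM_SH_URL):
    """Same request the curl examples make: raw body, Content-Type application/json; returns the response body."""
    req = urllib.request.Request(url, data=raw, headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    raw = sys.stdin.buffer.read()  # e.g. trivy image postgres -f cyclonedx --scanners vuln -q | python3 this_script.py
    doc = json.loads(raw)
    if problems := validate_cyclonedx(doc):
        sys.exit("not uploading: " + "; ".join(problems))
    print("summary:", summarize(doc), "\nsbom.sh response:", upload(raw))
```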
This GitHub Action integrates with sbom.sh to generate and upload a Software Bill of Materials (SBOM) for your projects. Built on the codenotary/sbom.sh container image, the action supports several open-source SBOM tools, including Trivy, Grype and Syft.
To use this action, add the following to a file in your .github/workflows directory, for example sbom-analysis.yml:
name: "Generate and Upload SBOM"
on: [push, pull_request, workflow_dispatch]
jobs:
  generate_sbom:
    runs-on: ubuntu-latest
    name: "SBOM Generation"
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
      - name: Generate SBOM
        id: sbom_generation
        uses: codenotary/sbom.sh-create@main
        with:
          scan_type: 'grypefs'
          target: '.' # Assuming you want to scan the entire repository
      - name: Output SBOM URL
        run: echo "The SBOM can be found at $SBOM_SHARE_URL"
Take advantage of the sbom.sh container image to generate, upload and share SBOMs (no local install and no updates required). Check out these examples:
Local repository using trivy
docker run -v "$(pwd)":/app codenotary/sbom.sh trivyfs
Container image using trivy, e.g., Postgres
docker run codenotary/sbom.sh trivyimage postgres
Container image using grype
docker run codenotary/sbom.sh grypeimage postgres