Usage

Either use curl to upload a local SBOM file (JSON) or drop the SBOM file below:

curl -T someSBOM.json https://sbom.sh

Drop your SBOM file (SPDX or CycloneDX JSON)

Visualize components, vulnerabilities, quality and risk. Full component and vulnerability search.

OR

Generate an SBOM of this container image (public Docker Hub registry only)

Generate an SBOM from this public GitHub repository

Check out this SBOM example:

https://sbom.sh/78389675-0358-46e5-81c7-04186dbfb8a8

SBOM.sh API (Swagger API Description)

https://sbom.sh/swagger

Use the all-in-one SBOM.sh container image

Take advantage of the sbom.sh container image to generate, upload and share SBOMs (no local installation or updates required). Check out these examples:

Local repository using trivy

docker run -v $(pwd):/app codenotary/sbom.sh trivyfs

Container image using trivy, for example Postgres

docker run codenotary/sbom.sh trivyimage postgres

Container image using syft

docker run codenotary/sbom.sh syftimage postgres

Container image using grype

docker run codenotary/sbom.sh grypeimage postgres

Create an SBOM and share it

You can create and share an SBOM with SBOM.sh in a single step. Check out these examples:

To retrieve the SBOM data afterwards, fetch your unique URL with curl:

curl https://sbom.sh/78389675-0358-46e5-81c7-04186dbfb8a8

Local repository using trivy

trivy fs . -f cyclonedx -q | curl -d @- https://sbom.sh -H "Content-Type: application/json"

Container image using trivy, for example Postgres

trivy image postgres -f cyclonedx --scanners vuln -q | curl -d @- https://sbom.sh -H "Content-Type: application/json"

Container image using syft

syft registry:docker.io/postgres -o cyclonedx-json -q | curl -d @- https://sbom.sh -H "Content-Type: application/json"

Container image using grype

grype registry:docker.io/postgres -o cyclonedx-json -q | curl -d @- https://sbom.sh -H "Content-Type: application/json"

Use the GitHub dependency graph

curl -sL -H "Accept: application/vnd.github+json" -H "Authorization: Bearer YOUR-TOKEN" \
https://api.github.com/repos/codenotary/immudb/dependency-graph/sbom | curl -d @- https://sbom.sh -H "Content-Type: application/json"
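Every example above pipes a scanner's output straight into curl, so whatever the scanner printed, including an error message or an empty scan, ends up uploaded and shared under a public URL. The following added example (not sbom.sh's own code) checks that a saved file really is SPDX or CycloneDX JSON with at least one entry before uploading it with the same curl call; the sample documents are constructed for the demo, and the optional endpoint override parameter is this example's own addition.

```shell
#!/bin/sh
# Added example (not sbom.sh's own code). Before piping scanner output to
# https://sbom.sh, confirm it is SPDX or CycloneDX JSON with at least one
# entry, so a tool error message or an empty scan is not shared by mistake.
# Constructed minimal documents for the demo (not real scanner output).
SAMPLE_CDX='{"bomFormat":"CycloneDX","specVersion":"1.5","components":[{"type":"library","name":"libc6","purl":"pkg:deb/debian/libc6@2.36"}]}'
SAMPLE_SPDX='{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","packages":[{"name":"openssl","SPDXID":"SPDXRef-Package-openssl"}]}'
SAMPLE_BAD='Error: unable to pull image postgres: connection refused'

# Print cyclonedx, spdx or unknown for file $1. Uses grep only, so it also
# runs inside a minimal container that has no jq.
sbom_format() {
  [ -s "$1" ] || { echo unknown; return 1; }
  if grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$1"; then
    echo cyclonedx
  elif grep -q '"spdxVersion"[[:space:]]*:[[:space:]]*"SPDX-' "$1"; then
    echo spdx
  else
    echo unknown; return 1
  fi
}

# Rough entry count: "purl" keys for CycloneDX, "SPDXID" keys minus the
# document's own for SPDX. Zero means the scan found nothing worth sharing.
sbom_entry_count() {
  case "$(sbom_format "$1")" in
    cyclonedx) grep -o '"purl"' "$1" | wc -l | tr -d ' ' ;;
    spdx) n=$(grep -o '"SPDXID"' "$1" | wc -l | tr -d ' '); echo $(( n > 0 ? n - 1 : 0 )) ;;
    *) echo 0 ;;
  esac
}

# Validate, then upload with the curl call from the page. The optional second
# argument (endpoint override, e.g. for CI dry runs) is this example's addition.
upload_sbom() {
  file=$1; endpoint=${2:-https://sbom.sh}
  fmt=$(sbom_format "$file") || { echo "refusing $file: not SPDX/CycloneDX JSON" >&2; return 1; }
  [ "$(sbom_entry_count "$file")" -gt 0 ] || { echo "refusing $file: no components found" >&2; return 1; }
  echo "uploading $fmt SBOM $file to $endpoint" >&2
  curl -sS -d @"$file" "$endpoint" -H "Content-Type: application/json"
}

# Demo: classify the constructed samples without uploading anything.
demo() {
  d=$(mktemp -d)
  printf '%s' "$SAMPLE_CDX" > "$d/cdx.json"; printf '%s' "$SAMPLE_SPDX" > "$d/spdx.json"
  printf '%s' "$SAMPLE_BAD" > "$d/bad.txt"
  for f in "$d"/*; do
    printf '%s: %s, %s entries\n' "${f##*/}" "$(sbom_format "$f")" "$(sbom_entry_count "$f")"
  done
  rm -r "$d"
}
```

Run `demo` to see the three samples classified, or `upload_sbom ./sbom.json` to validate a scanner's saved output and upload it only if it passes.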

SBOM.sh container and repository SBOM generation and sharing, plus vulnerability scanning with Grype, Syft or Trivy, provided as a GitHub Action

This GitHub Action integrates with sbom.sh to generate and upload a Software Bill of Materials (SBOM) for your projects. Built on the codenotary/sbom.sh container image, it supports several open-source SBOM tools such as Trivy, Grype and Syft.

To use this action, add a workflow file such as sbom-analysis.yml to your .github/workflows directory:

name: "Generate and Upload SBOM"
on: [push, pull_request, workflow_dispatch]

jobs:
  generate_sbom:
    runs-on: ubuntu-latest
    name: "SBOM Generation"
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Generate SBOM
        id: sbom_generation
        uses: codenotary/sbom.sh-create@main
        with:
          scan_type: 'grypefs'
          target: '.' # Assuming you want to scan the entire repository

      - name: Output SBOM URL
        run: echo "The SBOM can be found at $SBOM_SHARE_URL"

Acceptable Use Policy

Please do not post any information that may violate the law (login/password lists, email lists, personal information). IP addresses are logged, and abusers may be banned.

An SBOM uploaded by an anonymous user is kept for one month and then deleted.

For registered users (click the GitHub logo at the top right), retention is currently not limited.