sbomify logo

How to create an SBOM

By Viktor > 07 APR, 2024

In the evolving landscape of software development and cybersecurity, the importance of creating a Software Bill of Materials (SBOM) has never been more critical. As organizations and developers seek to enhance transparency and security in their software supply chain, understanding how to generate an SBOM efficiently becomes a foundational step. This article serves as a comprehensive guide on how to create, generate, and build an SBOM, ensuring that you’re equipped with the knowledge to improve your software’s integrity and trustworthiness. By detailing the process of generating an SBOM, we aim to empower developers and organizations alike to take proactive steps in securing their software ecosystems against vulnerabilities and threats.

Using Docker

If you are using a recent version of Docker Engine, you can generate an SBOM directly from the docker command. While this feature is still flagged as experimental, it is indeed supported out of the box.

To do this, simply run:

$ docker sbom \
    –-format spdx-json \
    nginx:latest > docker-sbom.json

This will generate a file called docker-sbom.json, which is an SBOM for the nginx:latest docker image in your current directory. In this example, we’re using the SPDX SBOM format, but other formats are supported, including:

  • syft-json
  • cyclonedx-xml
  • cyclonedx-json
  • github-0-json
  • spdx-tag-value
  • pdx-json
  • table
  • text

The default value is table.

Using GitHub

GitHub also supports generating SBOM in a few ways:

  • Using the GitHub Command Line Interface
  • Using the Export feature in Dependency Graph
  • Using the RESTful API

Note that GitHub currently only allows you to export SBOMs in the SPDX format.

Using the Command Line Interface

To enable the SBOM feature in the GitHub CLI, you need to first install the SBOM extension:

$ gh ext install advanced-security/gh-sbom

With the extension installed, you can generate an SBOM directly from your terminal using the gh sbom command. To use this, simply jump into the GitHub repository you want to generate an SBOM for, and then run:

$ gh sbom > my-sbom.json

This will generate a file called my-sbom.json in your current working directory.

There’s also a GitHub Actions workflow available that allows you to build the SBOM during your CI/CD run.

Using Dependency Graph

Navigate to your GitHub repository in your browser. Then go to:

  • Insights
  • Dependency Graph
  • Export SBOM

Using the RESTful API

GitHub exposes the same functionality using this RESTful API.

Found an error or typo? File PR against this file.
> Blog

Recent Posts

How to generate an SBOM from a Docker container

A lot of people are asking about how one can generate an SBOM based on a Docker container. It seems to be a good idea, since a lot...

By Viktor // Sep 20. 2024

Introducing sbomify: Revolutionizing SBOM Management

We’re excited to announce the launch of sbomify, a platform designed to transform how businesses manage and share Software Bill of Materials (SBOMs). Our journey to create sbomify...

By Viktor // Aug 29. 2024

Exploring the Future of Software Security: Join Us at BSides Bristol

This weekend marks an exciting event for the cybersecurity community — BSides Bristol is officially kicking off! We’re thrilled to be a part of this dynamic conference, where...

By Viktor // Aug 26. 2024