How to create an SBOM

In the evolving landscape of software development and cybersecurity, the importance of creating a Software Bill of Materials (SBOM) has never been more critical. As organizations and developers seek to enhance transparency and security in their software supply chain, understanding how to generate an SBOM efficiently becomes a foundational step. This article serves as a comprehensive guide on how to create, generate, and build an SBOM, ensuring that you’re equipped with the knowledge to improve your software’s integrity and trustworthiness. By detailing the process of generating an SBOM, we aim to empower developers and organizations alike to take proactive steps in securing their software ecosystems against vulnerabilities and threats.

Using Docker

If you are using a recent version of Docker Engine, you can generate an SBOM directly from the the docker command. While this feature is still flagged as experimental, it is indeed supported out of the box.

To do this, simply run:

$ docker sbom \
    –format spdx-json \
    nginx:latest > docker-sbom.json

This will generate a file called docker-sbom.json, which is an SBOM for the nginx:latest docker image in your current directory. In this example, we’re using the SPDX SBOM format, but other formats are supported, including:

  • syft-json
  • cyclonedx-xml
  • cyclonedx-json
  • github-0-json
  • spdx-tag-value
  • pdx-json
  • table
  • text

The default value is table.

Using GitHub

GitHub also supports generating SBOM in a few way:

  • Using the GitHub Command Line Interface
  • Using the Export feature in Dependency Graph
  • Using the RESTful API

Note that GitHub currently only allows you to export SBOMs in the SPDX format.

Using the Command Line Interface

To enable the SBOM feature in the GitHub CLI, you need to first install the SBOM extension:

$ gh ext install advanced-security/gh-sbom

With the extension installed, you can generate an SBOM directly from your terminal using the gh sbom command. To use this, simply jump into the GitHub repository you want to generate an SBOM for, and then run:

$ gh sbom > my-sbom.json

This will generate a file called my-sbom.json in your current working directory.

There’s also a GitHub Actions workflow available that allows you to build the SBOM during your CI/CD run.

Using Dependency Graph

Navigate to your GitHub repository in your browser. Then go to:

  • Insights
  • Dependency Graph
  • Export SBOM

Using the RESTful API

GitHub exposes the same functionality using this RESTful API.

Leave a Reply

Your email address will not be published. Required fields are marked *