How do I generate an SBOM?

TL;DR

The easiest way is with sbomify-action, which generates, enriches, and uploads SBOMs from your lockfiles or Docker images in CI/CD. You can also use standalone tools like Syft or Trivy.

The sbomify-action is a CI/CD tool that generates, augments, enriches, and uploads SBOMs from your lockfiles or Docker images. It works as a GitHub Action, Docker image, or pip package, and includes SBOM generators (Trivy, Syft, cdxgen) pre-installed.

- uses: sbomify/sbomify-action@master
  env:
    LOCK_FILE: requirements.txt
    OUTPUT_FILE: sbom.cdx.json
    ENRICH: true
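A complete workflow around that step, as an added example rather than a file from the sbomify project. It assumes a Python repository with requirements.txt at the root; the workflow name, branch and artifact name are placeholders. Two points worth noting: the action reads LOCK_FILE from the checked-out workspace, so a checkout step has to come first, and `@master` is a mutable reference, so in a production pipeline pin the action to a release tag or commit SHA so that a pushed commit cannot change what runs in your build.

```yaml
# .github/workflows/sbom.yml (added example, not the project's own file)
name: sbom
on:
  push:
    branches: [main]

# Least privilege: generating a local SBOM needs only read access.
permissions:
  contents: read

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      # The action resolves LOCK_FILE against the workspace, so check out first.
      - uses: actions/checkout@v4

      # Pin to a release tag or commit SHA in production; @master moves.
      - uses: sbomify/sbomify-action@master
        env:
          LOCK_FILE: requirements.txt
          OUTPUT_FILE: sbom.cdx.json
          ENRICH: true
          UPLOAD: false   # keep the SBOM local; the artifact step retains it

      # Retain the SBOM alongside the build so it can be inspected or shipped later.
      - uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.cdx.json
```

Set UPLOAD to true and supply the sbomify credentials described in the CI/CD integration guide when you want the SBOM pushed to sbomify instead of kept as an artifact.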

sbomify-action supports Python, Node, Rust, Go, Ruby, Dart, C++, Docker images, and Yocto/OpenEmbedded builds. It outputs both CycloneDX and SPDX formats.

Beyond basic generation, sbomify-action can:

  • Enrich SBOMs with metadata from package registries (PyPI, npm, crates.io, etc.)
  • Augment with business metadata (supplier, authors, licenses, lifecycle phase)
  • Inject additional packages not in lockfiles (vendored code, system libraries)
  • Upload to sbomify for collaboration and vulnerability management
  • Attest with GitHub’s build provenance

It also works with GitLab CI and Bitbucket Pipelines. See our CI/CD integration guide for details.

Using Docker directly

The sbomify-action Docker image can be used standalone, without any CI platform:

docker run --rm \
  -v "$(pwd)":/github/workspace \
  -w /github/workspace \
  -e LOCK_FILE=/github/workspace/requirements.txt \
  -e OUTPUT_FILE=/github/workspace/sbom.cdx.json \
  -e UPLOAD=false \
  -e ENRICH=true \
  sbomifyhub/sbomify-action

This is useful for local development, scripted workflows, or CI systems that don’t have a native sbomify-action integration.

Standalone tools

If you prefer standalone tools outside of CI/CD, Syft and Trivy are popular options:

# Using Syft
syft . -o cyclonedx-json > sbom.cdx.json

# Using Trivy
trivy fs . --format cyclonedx --output sbom.cdx.json
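Whichever generator you use, check the result before you publish it. The script below is an added example, not part of sbomify-action or of Syft or Trivy; it reads a CycloneDX JSON document such as the sbom.cdx.json written above and reports the gaps that the enrichment and augmentation steps listed earlier are meant to close: components without a package URL (purl), without license data, or without a supplier, plus duplicate purls that appear when several sources are merged. The embedded SAMPLE_SBOM is constructed for this example and is not the output of any real tool; the choice to fail hard only on a missing purl is this example's policy, not sbomify's.

```python
"""Sanity-check a CycloneDX JSON SBOM before publishing or uploading it.

Added example, not sbomify's code. Usage: python check_sbom.py sbom.cdx.json
(with no argument it runs against the constructed sample below).
"""
import json
import sys
from dataclasses import dataclass, field

# Constructed sample in CycloneDX 1.5 JSON shape; not the output of any real tool.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "demo-app", "version": "1.0.0"}},
    "components": [
        {   # fully enriched entry: purl, license and supplier present
            "type": "library", "name": "requests", "version": "2.31.0",
            "purl": "pkg:pypi/requests@2.31.0",
            "licenses": [{"license": {"id": "Apache-2.0"}}],
            "supplier": {"name": "Kenneth Reitz"},
        },
        {   # typical raw lockfile output: purl only, nothing from the registry yet
            "type": "library", "name": "urllib3", "version": "2.1.0",
            "purl": "pkg:pypi/urllib3@2.1.0",
        },
        {   # vendored code added by hand; no purl, so scanners cannot match it
            "type": "library", "name": "vendored-parser", "version": "0.1",
        },
    ],
})


@dataclass
class Finding:
    component: str                      # "name@version" label
    missing: list[str] = field(default_factory=list)


def load_cyclonedx(text: str) -> dict:
    """Parse the document and reject anything that is not CycloneDX JSON."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not a CycloneDX document: bomFormat={bom.get('bomFormat')!r}")
    if "specVersion" not in bom:
        raise ValueError("specVersion missing")
    return bom


def component_gaps(bom: dict) -> list[Finding]:
    """Return one Finding per component lacking purl, licenses or supplier."""
    findings = []
    for c in bom.get("components", []):
        label = f"{c.get('name', '?')}@{c.get('version', '?')}"
        missing = []
        if not str(c.get("purl", "")).startswith("pkg:"):
            missing.append("purl")
        if not c.get("licenses"):
            missing.append("licenses")
        if not c.get("supplier"):
            missing.append("supplier")
        if missing:
            findings.append(Finding(label, missing))
    return findings


def duplicate_purls(bom: dict) -> list[str]:
    """Purls listed more than once, a common artifact of merging generator outputs."""
    seen, dups = set(), []
    for c in bom.get("components", []):
        p = c.get("purl")
        if p and p in seen and p not in dups:
            dups.append(p)
        if p:
            seen.add(p)
    return dups


def summarize(text: str) -> dict:
    """Aggregate the checks into a report suitable for a CI gate."""
    bom = load_cyclonedx(text)
    gaps = component_gaps(bom)
    return {
        "components": len(bom.get("components", [])),
        "missing_purl": sum("purl" in g.missing for g in gaps),
        "incomplete": [g.component for g in gaps],
        "duplicate_purls": duplicate_purls(bom),
    }


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SBOM
    report = summarize(text)
    print(json.dumps(report, indent=2))
    # Policy for this example: a component nobody can match by purl fails the build.
    sys.exit(1 if report["missing_purl"] else 0)
```

Run it against the Syft output and then the Trivy output of the same tree; differing component counts or purl sets between the two are worth understanding before you pick one generator for your pipeline.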

For language-specific generators, see our language guides covering Python, JavaScript, Java, Go, Rust, Docker, and more.

See it in action

Watch our FOSDEM 2026 talk for a real-world walkthrough of CRA-ready (EU Cyber Resilience Act) SBOM generation using sbomify-action.

Next steps

Once you have your SBOM, upload it to sbomify to monitor for vulnerabilities, track compliance, and share it with customers through your Trust Center.