The setup wizard is the fastest way from zero to automated SBOMs. It is an interactive terminal UI that configures everything - products, components, OIDC trusted publishing, and the CI workflow file - so you never hand-write YAML or copy a token.
What the wizard does
The setup wizard is an interactive terminal UI built into sbomify-action. It is the recommended way to onboard a repository, because it automates every step that used to be manual:
- Scans your repository for lockfiles across all supported ecosystems (Python, JavaScript, Java, Go, Rust, and more) and proposes one component per lockfile it finds.
- Signs you in to sbomify so it can work against your workspace.
- Picks or creates the product and components your SBOMs will belong to.
- Lets you choose your options: release strategy, SBOM format, enrichment, and attestation.
- Registers OIDC trusted publishing for each component, so your workflow needs no long-lived token secret. See How do I set up OIDC trusted publishing? for how that works.
- Writes a ready-to-commit
.github/workflows/sboms.yml(and an optionalsbomify.jsonfor business metadata), pinned to the latest sbomify-action release.
Commit the generated workflow file and your next push generates, enriches, and uploads an SBOM.
Running it
Run the wizard from the root of your repository with the Docker image. The image bundles every tool the wizard needs, so there is nothing else to install:
docker run --rm -it \
-v "$(pwd):/github/workspace" \
-w /github/workspace \
ghcr.io/sbomify/sbomify-action \
sbomify-action wizard
The -it flags are required because the wizard is interactive, and the volume mount is what lets it write the generated workflow back into your repo. If you prefer not to use Docker, you can also pip install sbomify-action and run sbomify-action wizard directly (sbomify-action init is a backwards-compatible alias). Useful flags:
--dry-run- preview the full plan without making API changes or writing files--repo-root <path>- point at a repository other than the current directory--output-dir <path>- where the workflow is written (must resolve to.github/workflows)
The wizard is designed for interactive use and refuses to run inside CI. It also will not overwrite a hand-authored sboms.yml; it only manages workflows it generated. In CI, you run the workflow file the wizard produced.
When to configure things manually instead
The wizard targets GitHub Actions. If you use GitLab CI, Bitbucket Pipelines, or another CI system, use the Docker image or pip package directly - see our integrations page and CI/CD guide for ready-to-use templates. Everything the wizard configures can also be set up by hand: components in the sbomify app, workflow YAML from the templates.
Further reading
- How do I generate an SBOM? - the broader generation options
- How do I set up OIDC trusted publishing? - tokenless uploads explained
- Zero to Hero - the full onboarding walkthrough