Integrations

Seamlessly integrate SBOM generation, analysis, and enrichment into your existing workflow.

CI/CD & Generation

Generate SBOMs automatically in your pipelines. We support all major CI/CD providers.

GitHub is at the core of many organizations. Our GitHub Action makes integration straightforward.

- name: Upload SBOM
  # @master tracks a moving branch; pin a release tag or commit SHA for reproducible, reviewable runs
  uses: sbomify/sbomify-action@master
  env:
    TOKEN: ${{ secrets.SBOMIFY_TOKEN }}   # API token kept in repository secrets, never in the workflow file
    COMPONENT_ID: 'my-component-id'
    LOCK_FILE: 'requirements.txt'
    COMPONENT_NAME: 'my-awesome-app'
    COMPONENT_VERSION: ${{ github.ref_name }}
    AUGMENT: true
    ENRICH: true

Use our Docker image directly in GitLab CI with built-in caching support.

generate-sbom:
  image: sbomifyhub/sbomify-action
  cache:
    key: sbomify-cache
    paths:
      - .sbomify-cache/
  variables:
    SBOMIFY_CACHE_DIR: "${CI_PROJECT_DIR}/.sbomify-cache/sbomify"
    TRIVY_CACHE_DIR: "${CI_PROJECT_DIR}/.sbomify-cache/trivy"
    SYFT_CACHE_DIR: "${CI_PROJECT_DIR}/.sbomify-cache/syft"
    LOCK_FILE: poetry.lock
    OUTPUT_FILE: sbom.cdx.json
    UPLOAD: "false"
    ENRICH: "true"
  script:
    - sbomify-action

Seamlessly integrate with Bitbucket Pipelines using our Docker image with built-in caching.

pipelines:
  default:
    - step:
        caches:
          - sbomify
        script:
          - pipe: docker://sbomifyhub/sbomify-action:latest
            variables:
              SBOMIFY_CACHE_DIR: "${BITBUCKET_CLONE_DIR}/.sbomify-cache/sbomify"
              TRIVY_CACHE_DIR: "${BITBUCKET_CLONE_DIR}/.sbomify-cache/trivy"
              SYFT_CACHE_DIR: "${BITBUCKET_CLONE_DIR}/.sbomify-cache/syft"
              LOCK_FILE: poetry.lock
              OUTPUT_FILE: sbom.cdx.json
              UPLOAD: "false"
              ENRICH: "true"

definitions:
  caches:
    sbomify: .sbomify-cache

For any other CI/CD system, use our Docker image directly. All generators are pre-installed.

# Create persistent cache volume
docker volume create sbomify-cache

docker run --rm \
  -v "$(pwd)":/github/workspace \
  -v sbomify-cache:/cache \
  -w /github/workspace \
  -e SBOMIFY_CACHE_DIR=/cache/sbomify \
  -e TRIVY_CACHE_DIR=/cache/trivy \
  -e SYFT_CACHE_DIR=/cache/syft \
  -e LOCK_FILE=/github/workspace/requirements.txt \
  -e OUTPUT_FILE=/github/workspace/sbom.cdx.json \
  -e UPLOAD=false \
  -e ENRICH=true \
  sbomifyhub/sbomify-action

pip / CLI

Install via pip for local development or non-Docker environments. Requires external generators (Trivy, Syft, or cdxgen) to be installed separately.

pip install sbomify-action

# CLI usage
sbomify-action --lock-file requirements.txt \
  --enrich --no-upload -o sbom.cdx.json

# Or use environment variables
export LOCK_FILE=requirements.txt
export ENRICH=true
export UPLOAD=false
sbomify-action

Supported Ecosystems

Generate SBOMs from lockfiles across 14 languages, plus Docker images and Yocto/OpenEmbedded builds.

Python

requirements.txt poetry.lock Pipfile.lock uv.lock pyproject.toml

JavaScript

package.json package-lock.json yarn.lock pnpm-lock.yaml bun.lock

Java

pom.xml build.gradle build.gradle.kts gradle.lockfile

Go

go.mod go.sum

Rust

Cargo.lock

Ruby

Gemfile.lock

PHP

composer.json composer.lock

.NET / C#

packages.lock.json

Swift

Package.swift Package.resolved

Dart

pubspec.lock

Elixir

mix.lock

Scala

build.sbt

C++

conan.lock

Terraform

.terraform.lock.hcl

Docker Images

Generate SBOMs directly from container images using DOCKER_IMAGE instead of a lockfile. Scans all layers and installed packages.

Yocto / OpenEmbedded

Batch process SPDX SBOMs from Yocto builds. Extracts .spdx.tar.zst archives, uploads package SBOMs, and tags them with a product release.

SBOM Generators

Five generators with automatic fallback. The best tool for each ecosystem is selected automatically.

cyclonedx-py

Priority 10

Native Python generator. Most accurate for Python ecosystems.

Python

cargo-cyclonedx

Priority 10

Native Rust generator. Most accurate for Rust ecosystems.

Rust

cdxgen

Priority 20

Broadest ecosystem support. Best choice for Java/Gradle and multi-language projects.

Python JS Java Go Rust Ruby +8 more

Trivy

Priority 30

Security-focused scanner by Aqua Security. Supports CycloneDX and SPDX output.

Python JS Java Go Docker +5 more

Syft

Priority 35

Comprehensive scanner by Anchore. Supports CycloneDX and SPDX output including Terraform.

Python JS Go Terraform Docker +7 more

CycloneDX

Default format. Versions 1.3 through 1.7 supported depending on generator.

SBOM_FORMAT=cyclonedx

SPDX

Versions 2.2 and 2.3 via Trivy or Syft, plus 3.0 via Yocto/OpenEmbedded. Validated against JSON schemas.

SBOM_FORMAT=spdx

Vulnerability Analysis

Comprehensive scanning powered by industry-leading databases.

Google OSV

We integrate with the Open Source Vulnerability (OSV) database to provide precise, distributed vulnerability intelligence across a wide range of ecosystems.

Dependency Track

Leverage the power of OWASP Dependency-Track for continuous component analysis. Upload SBOMs directly from CI/CD with UPLOAD_DESTINATIONS=dependency-track.

CI/CD

Direct Upload: sbomify-action can upload SBOMs directly to your Dependency Track instance from any CI pipeline.

Enterprise

Bring Your Own: Enterprise customers can connect their existing Dependency Track instance for unified visibility.

Enrichment Data Sources

We integrate with 12 data sources to add metadata to your SBOM components: descriptions, licenses, supplier information, and more.

Pre-computed Databases (Fastest)

Local data with zero network latency. Checked first for maximum performance.

LicenseDB

Pre-computed license database covering 28 Linux distro versions. Provides authoritative license data for APK, DEB, and RPM packages.

pkg:apk/* pkg:deb/* pkg:rpm/*

Lifecycle Database

CLE lifecycle dates (release, end-of-support, end-of-life) for major runtimes and frameworks following ECMA-428.

Python PHP Go Rust Django Rails +more

Native Package Registries

Authoritative data direct from the ecosystem's official source.

PyPI

Python Package Index

pkg:pypi/*

crates.io

Rust Package Registry

pkg:cargo/*

pub.dev

Dart/Flutter Packages

pkg:pub/*

Debian Sources

Debian Package Archive

pkg:deb/debian/*

Conan Center

C/C++ (Conan)

pkg:conan/*

Package Aggregators

Multi-ecosystem services providing broad coverage.

deps.dev

Google

Open source dependency insights from Google. Covers most major ecosystems.

Ecosyste.ms

Community-driven package metadata and project health metrics across ecosystems.

Fallback Sources

Additional coverage when primary sources do not have data.

PURL Extraction

Local extraction from package URLs. Maps namespaces to suppliers without API calls.

ClearlyDefined

Community-curated license and metadata for open source components.

Repology

Cross-distribution package tracking for Linux packages.

How it works: Enrichment happens automatically when using our GitHub Action or CLI with the enrich flag.

ENRICH=true or --enrich

Augmentation Providers

Add organizational metadata to your SBOM: supplier info, manufacturer details, VCS context, and more.

sbomify API

Pull organizational metadata from your sbomify workspace: supplier, manufacturer, authors, and declared license.

Local Config

Override metadata via sbomify.json in your repository for supplier, authors, license, and VCS info.

CI/CD Auto-Detection

Automatically detects VCS URL, commit SHA, and branch from GitHub Actions, GitLab CI, and Bitbucket Pipelines environment variables.

Fields Added

Supplier, manufacturer, authors, license, lifecycle phase, repository URL, commit SHA, branch/ref.

How it works: Augmentation pulls metadata from sbomify and your CI environment.

AUGMENT=true or --augment
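A post-generation gate for the sbom.cdx.json the pipelines above write, checking the fields that enrichment (component licenses) and augmentation (metadata.supplier) are expected to add. This is an added example, not sbomify's own code; the SBOM document is a constructed sample and the CycloneDX version range is the one stated on this page.

```python
import json

# Constructed sample of an enriched + augmented CycloneDX document, standing in
# for the sbom.cdx.json the pipelines above write (not real tool output).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "supplier": {"name": "Example Org"},          # added by augmentation
        "component": {"name": "my-awesome-app", "version": "1.2.3"},
    },
    "components": [
        {"name": "requests", "version": "2.32.3",
         "purl": "pkg:pypi/requests@2.32.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "libssl3", "version": "3.0.13-1",
         "purl": "pkg:deb/debian/libssl3@3.0.13-1"},  # no license: enrichment gap
        {"name": "vendored-lib", "version": "0.1"},    # no purl: nothing to enrich
    ],
})

# CycloneDX spec versions this page lists as supported.
SUPPORTED_SPECS = {"1.3", "1.4", "1.5", "1.6", "1.7"}

def audit_cyclonedx(doc_text: str) -> dict:
    """Parse a CycloneDX JSON document and collect gate findings."""
    doc = json.loads(doc_text)
    findings = {"errors": [], "missing_purl": [], "missing_license": []}
    if doc.get("bomFormat") != "CycloneDX":
        findings["errors"].append("bomFormat is not CycloneDX")
    if doc.get("specVersion") not in SUPPORTED_SPECS:
        findings["errors"].append(f"unsupported specVersion {doc.get('specVersion')!r}")
    if not doc.get("metadata", {}).get("supplier"):
        findings["errors"].append("metadata.supplier missing: augmentation did not run?")
    for comp in doc.get("components", []):
        ref = f"{comp.get('name')}@{comp.get('version')}"
        if not comp.get("purl"):
            findings["missing_purl"].append(ref)   # cannot be matched to any data source
        if not comp.get("licenses"):
            findings["missing_license"].append(ref)
    return findings

def gate_passes(findings: dict, max_unlicensed: int = 0) -> bool:
    """Fail the pipeline on structural errors or too many unlicensed components."""
    return not findings["errors"] and len(findings["missing_license"]) <= max_unlicensed

if __name__ == "__main__":
    result = audit_cyclonedx(SAMPLE_SBOM)
    raise SystemExit(0 if gate_passes(result) else 1)
```

Run it as a final pipeline step after sbomify-action with UPLOAD=false, reading the real output file in place of SAMPLE_SBOM; a non-zero exit blocks the merge until the unlicensed or purl-less components are triaged.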