Integrations

Seamlessly integrate SBOM generation, analysis, and enrichment into your existing workflow.

CI/CD & Generation

Generate SBOMs automatically in your pipelines. We support all major CI/CD providers.

GitHub is at the core of many organizations. Our GitHub Action makes integration straightforward.

- name: Upload SBOM
  # Pin to a release tag or full commit SHA in production; a mutable
  # branch ref like @master lets the action change underneath you.
  uses: sbomify/github-action@master
  env:
    # Secret and SHA expressions reconstructed to match the GitLab and
    # Bitbucket examples on this page (the secret name is an assumption).
    TOKEN: ${{ secrets.SBOMIFY_TOKEN }}
    COMPONENT_ID: 'my-component-id'
    LOCK_FILE: 'requirements.txt'
    COMPONENT_NAME: 'my-awesome-app'
    COMPONENT_VERSION: ${{ github.sha }}
    AUGMENT: true
    ENRICH: true

For GitLab users, we provide a dedicated pipeline template.

generate-sbom:
  # Prefer a tagged image over an unpinned one so the job is reproducible.
  image: sbomifyhub/sbomify-action
  variables:
    # SBOMIFY_TOKEN should be a masked, protected CI/CD variable.
    TOKEN: $SBOMIFY_TOKEN
    COMPONENT_ID: 'Your Component ID'
    UPLOAD: true
    AUGMENT: true
    ENRICH: true
    COMPONENT_NAME: 'my-python-app'
    COMPONENT_VERSION: $CI_COMMIT_SHA
    LOCK_FILE: 'poetry.lock'
    OUTPUT_FILE: 'test-sbom.cdx.json'
  script:
    - /sbomify.sh

Seamlessly integrate with Bitbucket Pipelines using our official pipe.

- step:
    name: Build SBOM
    script:
      # :latest is a moving target; pin a tag or digest for reproducible builds.
      - pipe: docker://sbomifyhub/sbomify-action:latest
        variables:
          # SBOMIFY_TOKEN should be a secured repository variable.
          TOKEN: $SBOMIFY_TOKEN
          COMPONENT_ID: "Your Component ID"
          UPLOAD: "true"
          AUGMENT: "true"
          ENRICH: "true"
          COMPONENT_NAME: "my-python-app"
          COMPONENT_VERSION: $BITBUCKET_COMMIT
          LOCK_FILE: "poetry.lock"
          OUTPUT_FILE: "bitbucket-sbom.cdx.json"

Docker Universal Support

For any other CI/CD system, you can use our Docker image directly.

# Pass the token from an environment variable (here SBOMIFY_TOKEN, as in the
# CI examples) rather than typing it inline, so it does not land in shell history.
docker run --rm \
  -v "$(pwd)":/code \
  -e TOKEN="$SBOMIFY_TOKEN" \
  -e COMPONENT_ID=<my component id> \
  -e LOCK_FILE=/code/requirements.txt \
  -e COMPONENT_NAME=my-app \
  sbomifyhub/sbomify-action

Vulnerability Analysis

Comprehensive scanning powered by industry-leading databases.

Google OSV

We integrate with the Open Source Vulnerability (OSV) database to provide precise, distributed vulnerability intelligence across a wide range of ecosystems.
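The pipelines above write a CycloneDX JSON file (the .cdx.json outputs), and OSV matches components by package URL. The following is an added example, not sbomify's code: it sanity-checks such a file, lists the components OSV cannot match because they carry no purl, and builds the request body for OSV's public querybatch endpoint (https://api.osv.dev/v1/querybatch). The sample SBOM is constructed inline; the endpoint URL and request shape are OSV's documented API.

```python
"""Sanity-check a CycloneDX SBOM and build an OSV batch query from it.

Added example; not sbomify's code. Assumes the generated SBOM is CycloneDX
JSON and uses the public OSV querybatch API request shape.
"""
import json
import urllib.request

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed sample, shaped like a minimal CycloneDX 1.5 JSON document.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7"},
        # No purl: OSV cannot match this one by package identity.
        {"type": "library", "name": "local-helper", "version": "0.1"},
    ],
})


def load_cyclonedx(text: str) -> dict:
    """Parse SBOM JSON and reject anything that is not a CycloneDX document."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not a CycloneDX document: bomFormat={bom.get('bomFormat')!r}")
    if not bom.get("specVersion"):
        raise ValueError("missing specVersion")
    if not isinstance(bom.get("components"), list):
        raise ValueError("missing or malformed components list")
    return bom


def component_purls(bom: dict) -> list[str]:
    """Package URLs present in the SBOM, de-duplicated, in document order."""
    seen: list[str] = []
    for comp in bom["components"]:
        purl = comp.get("purl")
        if purl and purl not in seen:
            seen.append(purl)
    return seen


def unqueryable_components(bom: dict) -> list[str]:
    """Names of components without a purl; flag these rather than silently skip."""
    return [c.get("name", "<unnamed>") for c in bom["components"] if not c.get("purl")]


def build_osv_querybatch(bom: dict) -> dict:
    """Request body for OSV /v1/querybatch: one package query per purl."""
    return {"queries": [{"package": {"purl": p}} for p in component_purls(bom)]}


def query_osv(bom: dict, timeout: float = 30.0) -> dict:
    """Send the batch query to OSV (network call; not exercised offline)."""
    body = json.dumps(build_osv_querybatch(bom)).encode()
    req = urllib.request.Request(OSV_QUERYBATCH_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    sbom = load_cyclonedx(SAMPLE_SBOM)
    print(f"{len(component_purls(sbom))} queryable components, "
          f"{len(unqueryable_components(sbom))} without a purl: "
          f"{unqueryable_components(sbom)}")
    print(json.dumps(build_osv_querybatch(sbom), indent=2))
```

Run it against a real pipeline output by replacing SAMPLE_SBOM with the file contents; a non-empty unqueryable list means part of the inventory is invisible to purl-based vulnerability matching and should be fixed at generation time, not ignored.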

Dependency Track

Leverage the power of OWASP Dependency-Track for continuous component analysis.

Enterprise

Bring Your Own: Enterprise customers can connect their existing Dependency Track instance for unified visibility.

Enrichment

Add context to your artifacts automatically.

Ecosyste.ms

We partner with Ecosyste.ms to enrich your SBOMs with metadata, licensing information, and project health metrics.

How it works: enrichment runs automatically whenever the action (or the same Docker image used in the GitLab and Bitbucket examples above) is configured with:

ENRICH: true