Deriving value and insights from your SBOM

Usage

Either use curl to upload a local SBOM file (json) or drop the SBOM file below:

curl -T someSBOM.json https://sbom.sh

Drop your SBOM file (SPDX or CycloneDX JSON)

Visualize components, vulnerabilities, quality and risk. Full component and vulnerability search.

OR

Generate a SBOM of this container image (public registry only)

Generate a SBOM from this public GitHub

Check out this SBOM example:

https://sbom.sh/78389675-0358-46e5-81c7-04186dbfb8a8

Create an SBOM and share it

You can effortlessly create and share an SBOM using SBOM.sh in one step. Check out these examples::

Container image using trivy, i. e. Postgres

trivy image postgres -f cyclonedx --scanners vuln -q | curl -d @- https://sbom.sh -H "Content-Type: application/json"

Container image using syft

syft registry:docker.io/postgres -o cyclonedx-json -q | curl -d @- https://sbom.sh -H "Content-Type: application/json"

Container image using grype

grype registry:docker.io/postgres -o cyclonedx-json -q | curl -d @- https://sbom.sh -H "Content-Type: application/json"

Use GitHub dependency graph dependency graph

curl -sL -H "Accept: application/vnd.github+json" -H "Authorization: Bearer YOUR-TOKEN" \
https://api.github.com/repos/codenotary/immudb/dependency-graph/sbom | curl -d @- https://sbom.sh -H "Content-Type: application/json"

SBOM.sh container and repository SBOM generation & sharing + vulnerability scan using Grype, Syft or Trivy provided as a GitHub Action

This GitHub Action integrates with sbom.sh to generate and upload Software Bill of Materials (SBOM) for your projects. Utilizing the codenotary/sbom.sh container image, this action supports various open-source SBOM tools such as Trivy, Grype, and Syft:

To use this action, add the following to your .github/workflows directory in a file like sbom-analysis.yml:

                    
name: "Generate and Upload SBOM"
on: [push, pull_request, workflow_dispatch]

jobs:
generate_sbom:
  runs-on: ubuntu-latest
  name: "SBOM Generation"
  steps:
    - name: Checkout Repository
      uses: actions/checkout@v4
    
    - name: Generate SBOM
      id: sbom_generation
      uses: codenotary/sbom.sh-create@main
      with:
        scan_type: 'grypefs'
        target: '.' # Assuming you want to scan the entire repository

    - name: Output SBOM URL
      run: echo "The SBOM can be found at $SBOM_SHARE_URL"

Use the all-in-one SBOM.sh container image

Take advantage of the sbom.sh container image to generate, upload and share SBOMs (no local install required, no update required). Check out these examples:

Local repository using trivy

docker run -v $(pwd):/app codenotary/sbom.sh trivyfs

Container image using trivy, i.e., Postgres

docker run codenotary/sbom.sh trivyimage postgres

Container image using grype

docker run codenotary/sbom.sh grypeimage postgres