Generates a Software Bill of Materials as part of a Bitbucket Pipeline for various project types

ShiftSBOMGen

ShiftSBOMGen is a pure client-side Bitbucket Pipe that generates a Software Bill of Materials (SBOM). ShiftSBOMGen supports both the CycloneDX and SPDX standards and a wide range of ecosystems and container types. No subscriptions, server access, or API keys are required to use this Pipe.

The official copy of this project is hosted on Bitbucket. In order to reach a diverse audience, a copy of the repository also exists on GitHub. Pull requests should be submitted to the Bitbucket repository; changes will be kept in sync.

Usage

Basic usage: generate an SBOM for your current project via a Bitbucket Pipe. This example will generate an spdx-json SBOM and store it in a file named spdx-sbom.json. The file is declared as a step artifact so the output is archived for further processing.

pipelines:
  default:
    - step:
        name: Build and Test
        caches:
          - node
        script:
          - npm install
          - npm test
    - step:
        name: Generate SBOM
        caches:
          - node
        script:
          - pipe: docker://ccideas/syft-bitbucket-pipe:1.2.0
            variables:
              SYFT_CMD_ARGS: '. --output spdx-json=spdx-sbom.json'
        artifacts:
          - spdx-sbom.json

Variables

Variable        Usage                           Options   Required
SYFT_CMD_ARGS   Used to pass in any syft args             true

Examples

Scan your current repo and generate a CycloneDX JSON Formatted SBOM

SYFT_CMD_ARGS: '. --output cyclonedx-json=sbom-cyclonedx.json'

Scan your current repo and generate an SPDX JSON Formatted SBOM

SYFT_CMD_ARGS: '. --output spdx-json=sbom-spdx.json'

Scan a jar file and generate an SPDX JSON Formatted SBOM

SYFT_CMD_ARGS: '<PATH_TO_JAR_FILE> --output spdx-json=sbom-spdx.json'

Scan an archived docker image and generate an SPDX JSON Formatted SBOM

SYFT_CMD_ARGS: '<PATH_TO_DOCKER_IMAGE_ARCHIVE> --output spdx-json=sbom-spdx.json'

You can build your SYFT_CMD_ARGS string by reviewing the options available to you via the syft --help command.
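The Usage section archives the generated SBOM "for further processing", and the examples above produce it in either spdx-json or cyclonedx-json form. The following added example (not part of the ShiftSBOMGen project) is a small consumer for that artifact: it normalises both formats into one component list and flags entries that lack a purl or a version, which a vulnerability scanner cannot match against advisories. The two embedded SBOM documents are constructed samples, not real syft output.

```python
import json

# Constructed sample shaped like syft's spdx-json output (not a real scan result).
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-project",
    "packages": [
        {"name": "lodash", "SPDXID": "SPDXRef-Package-npm-lodash", "versionInfo": "4.17.21",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
        # A vendored file with no version and no purl: present, but unmatchable.
        {"name": "vendored-lib", "SPDXID": "SPDXRef-Package-vendored", "versionInfo": ""},
    ],
})

# Constructed sample shaped like syft's cyclonedx-json output (not a real scan result).
CDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "mystery", "version": "1.0.0"},  # no purl
    ],
})


def load_components(sbom_text):
    """Normalise an SPDX or CycloneDX JSON SBOM into [{name, version, purl}] records."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") == "CycloneDX":
        return [{"name": c.get("name"), "version": c.get("version") or None, "purl": c.get("purl")}
                for c in doc.get("components", [])]
    if "spdxVersion" in doc:
        out = []
        for pkg in doc.get("packages", []):
            # SPDX carries the purl as an external reference of type "purl".
            purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            out.append({"name": pkg.get("name"), "version": pkg.get("versionInfo") or None, "purl": purl})
        return out
    raise ValueError("unrecognised SBOM format: expected CycloneDX or SPDX JSON")


def incomplete_components(components):
    """Names of components a scanner cannot match to advisories (missing purl or version)."""
    return [c["name"] for c in components if not c.get("purl") or not c.get("version")]


if __name__ == "__main__":
    for label, text in (("spdx-json", SPDX_SAMPLE), ("cyclonedx-json", CDX_SAMPLE)):
        comps = load_components(text)
        print(label, len(comps), "components; unmatchable:", incomplete_components(comps))
```

To run it against a real artifact, read spdx-sbom.json or sbom-cyclonedx.json from disk and pass its text to load_components.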

Support

If you’d like help with this pipe, or you have an issue, or a feature request, let us know.

If you are reporting an issue, please include:

  • the version of the pipe
  • relevant logs and error messages
  • steps to reproduce

Credits

This Bitbucket pipe is a collection and integration of the following open source tools:

A big thank-you to the teams and volunteers who make these amazing tools available.