SBOM Generation

Overview

A Software Bill of Materials (SBOM) is a list of the components that make up an application or piece of software, such as open source packages and IaC resources. The list also details the known vulnerabilities of these components and other metadata, such as the license details of each package.

Bridgecrew’s SBOM Generation capability allows you to generate an SBOM report by exporting your open source packages found by our open source scanner and image scanner, as well as your IaC resources and findings.
You can generate an SBOM report either as an artifact from a CI/CD pipeline or from the Bridgecrew platform for onboarded repositories.

Supported SBOM formats

Bridgecrew currently supports the export of SBOM reports in two standardized formats – CSV and CycloneDX.

  • CSV is a comma-separated format with one line per vulnerability or misconfiguration, and one line per resource or package without issues, grouped into open source packages, container images, IaC components, and cloud infrastructure components.
  • CycloneDX output follows the CycloneDX XML schema, version 1.4.

Generating an SBOM

Generating an SBOM from the Platform

You can access the SBOM Generation wizard from either the Supply Chain page or the Development Pipelines page.

[Figure: Generating an SBOM from the Supply Chain page]

[Figure: Generating an SBOM from the Development Pipelines page]

To generate an SBOM:

  1. Select the repository you would like to include in the report.

  2. Select the output format (CSV or CycloneDX).

  3. Select which resources to include in the SBOM:

    • Open-source packages - findings from scans of open source dependencies
    • Infrastructure as Code - findings from IaC scans
    • Images - packages found in images built or referenced in the repository

Selecting All will either generate three separate files for each resource type if you use CSV format, or a merged file for all resource types if you use CycloneDX.

[Figure: SBOM modal in the platform]

The output of SBOM reports generated from the platform is identical to that of reports generated from a CI/CD pipeline, as shown in the images below.

Generating an SBOM from a CI/CD pipeline

You can generate an SBOM from your CI/CD pipeline by adding -o cyclonedx or -o csv to the end of your Checkov CLI command (for a selected directory or file). For example, the command checkov -d . --bc-api-key BC_API_KEY -o cyclonedx scans the current directory and exports the findings in CycloneDX XML format, where BC_API_KEY stands for your Bridgecrew API key.

SBOM in CSV Format

Generating an SBOM in CSV format from the CI/CD pipeline will generate three separate files:

  • YYYYMMDD-HHMMSS_iac.csv
  • YYYYMMDD-HHMMSS_container_images.csv
  • YYYYMMDD-HHMMSS_oss_packages.csv

Here YYYYMMDD-HHMMSS is the timestamp of when the CSV was generated, for example 20220801-221830_iac.csv. The _iac.csv file displays the following data for each IaC finding:

  • Resource name
  • Path
  • Git Organization
  • Git Repository
  • Misconfigurations
  • Severity

The list also displays resources without any misconfigurations. In these cases, the fields Misconfigurations and Severity will be empty.

[Figure: SBOM in CSV format]

Note

All findings for open source package vulnerabilities and images, as well as severities for IaC findings, are available only to users with an API key and an appropriate pricing tier.

SBOM in CycloneDX Format

The CycloneDX output is a single file containing four main sections:

  • Metadata
  • Components
  • Dependencies
  • Vulnerabilities
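To show how these sections relate to each other when the report is consumed downstream, here is an added example (not part of the Bridgecrew documentation or Checkov's code) that parses a CycloneDX 1.4 XML document with the standard library and joins each entry in Vulnerabilities to its affected component and to the components that depend on it. The SBOM it reads is a constructed sample in the CycloneDX 1.4 shape; the package names and the EXAMPLE-0001 identifier are placeholders, not real scanner output.

```python
import xml.etree.ElementTree as ET

# CycloneDX 1.4 XML namespace; every element in the BOM is qualified with it.
NS = {"bom": "http://cyclonedx.org/schema/bom/1.4"}

# Constructed sample SBOM in CycloneDX 1.4 XML shape (not real scanner output).
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata><tools><tool><name>example-scanner</name></tool></tools></metadata>
  <components>
    <component type="library" bom-ref="pkg:pypi/example-app@2.0.0">
      <name>example-app</name><version>2.0.0</version></component>
    <component type="library" bom-ref="pkg:pypi/example-lib@1.0.0">
      <name>example-lib</name><version>1.0.0</version></component>
  </components>
  <dependencies>
    <dependency ref="pkg:pypi/example-app@2.0.0">
      <dependency ref="pkg:pypi/example-lib@1.0.0"/></dependency>
    <dependency ref="pkg:pypi/example-lib@1.0.0"/>
  </dependencies>
  <vulnerabilities>
    <vulnerability bom-ref="vuln-1"><id>EXAMPLE-0001</id>
      <ratings><rating><severity>high</severity></rating></ratings>
      <affects><target><ref>pkg:pypi/example-lib@1.0.0</ref></target></affects>
    </vulnerability>
  </vulnerabilities>
</bom>"""


def parse_bom(xml_text):
    """Return one record per (vulnerability, affected component), including the
    components that depend on it, so the direct dependency that pulls in a
    vulnerable transitive package is visible."""
    root = ET.fromstring(xml_text)
    # bom-ref -> "name@version" for each entry in the Components section
    components = {c.get("bom-ref"): f"{c.findtext('bom:name', namespaces=NS)}@{c.findtext('bom:version', namespaces=NS)}"
                  for c in root.findall("bom:components/bom:component", NS)}
    parents = {}  # reversed Dependencies graph: child bom-ref -> parent bom-refs
    for dep in root.findall("bom:dependencies/bom:dependency", NS):
        for child in dep.findall("bom:dependency", NS):
            parents.setdefault(child.get("ref"), set()).add(dep.get("ref"))
    findings = []
    for vuln in root.findall("bom:vulnerabilities/bom:vulnerability", NS):
        severity = vuln.findtext("bom:ratings/bom:rating/bom:severity", "unknown", NS).lower()
        for ref in vuln.findall("bom:affects/bom:target/bom:ref", NS):
            findings.append({"id": vuln.findtext("bom:id", namespaces=NS), "severity": severity,
                             "component": components.get(ref.text, ref.text),
                             "reached_via": sorted(components.get(p, p) for p in parents.get(ref.text, ()))})
    return findings
```

Calling parse_bom(SAMPLE_BOM) yields one record reporting EXAMPLE-0001 (high) in example-lib@1.0.0, reached via example-app@2.0.0; pointing the function at a real exported .xml gives the same join over the scanner's own sections.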

The output for each section is demonstrated in the images below.

[Figure: SBOM output in CycloneDX XML format]

[Figure: Vulnerability finding]

[Figure: Dependency list]

[Figure: Component details]