A Software Bill of Materials (SBOM) is a list of the components that make up an application or piece of software, such as open source packages and IaC resources. The list also records the known vulnerabilities of those components and other metadata, such as the license details of each package.
Bridgecrew’s SBOM Generation capability allows you to generate an SBOM report by exporting your open source packages found by our open source scanner and image scanner, as well as your IaC resources and findings.
You can generate an SBOM report either as an artifact from a CI/CD pipeline or from the Bridgecrew platform for onboarded repositories.
Bridgecrew currently supports the export of SBOM reports in two standardized formats – CSV and CycloneDX.
- CSV is a comma-separated format that displays a line per vulnerability or misconfiguration and a line per resource or package without issues, sorted by groups of open source packages, container images, IaC components, and cloud infrastructure components.
- CycloneDX output follows the CycloneDX XML schema, version 1.4.
To generate an SBOM from the platform:

- Select the repository you would like to include in the report.
- Select the output format (CSV or CycloneDX).
- Select which resources to include in the SBOM:
  - Open-source packages: findings from scans of open source dependencies
  - Infrastructure as Code: findings from IaC scans
  - Images: packages found in images built or referenced in the repository

Selecting All generates either three separate files, one per resource type, if you use the CSV format, or a single merged file for all resource types if you use CycloneDX.
The output of the SBOM reports generated from the platform is identical to those generated from a CI/CD pipeline, as demonstrated in the images below.
You can generate an SBOM from your CI/CD pipeline by adding `-o cyclonedx` or `-o csv` to the end of your CLI command (for a selected directory or file). For example, the command `checkov -d . --bc-api-key BC_API_KEY -o cyclonedx` scans the current directory and exports the findings in CycloneDX XML format.
Generating an SBOM in CSV format from the CI/CD pipeline produces three separate files, one per resource type. Each file name is prefixed with `YYYYMMDD-HHMMSS`, the timestamp of when the CSV was generated, for example `20220801-221830_iac.csv`. The IaC file displays the following data for each IaC finding:
- Resource name
- Git Organization
- Git Repository
The list also displays resources without any misconfigurations. In these cases, the fields Misconfigurations and Severity will be empty.
All findings for open source package vulnerabilities and images, as well as Severities for IaC findings, will be available only to users with an API key and a proper pricing tier.
The CycloneDX output is a single file including several main sections:
The output for each section is demonstrated in the images below.
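As an added example of consuming that CycloneDX output in a pipeline (this is not Bridgecrew's or checkov's own code), the Python below parses a constructed CycloneDX 1.4 XML document, joins the `vulnerabilities` section to the `components` section through each component's `bom-ref`, and lists the components that carry a finding at or above a chosen severity. The element names follow the CycloneDX 1.4 schema; the function names `parse_bom` and `components_at_or_above` and the vulnerability identifier are assumptions of this example.

```python
# Added example, not checkov's code: read a CycloneDX 1.4 XML SBOM and flag components
# with vulnerabilities at or above a severity threshold. SAMPLE_BOM is constructed.
import xml.etree.ElementTree as ET

NS = {"b": "http://cyclonedx.org/schema/bom/1.4"}  # CycloneDX 1.4 namespace
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1,
                 "info": 0, "none": 0, "unknown": 0}

SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library" bom-ref="pkg:pypi/requests@2.25.0">
      <name>requests</name><version>2.25.0</version>
      <licenses><license><id>Apache-2.0</id></license></licenses>
    </component>
    <component type="library" bom-ref="pkg:npm/lodash@4.17.21">
      <name>lodash</name><version>4.17.21</version>
      <licenses><license><id>MIT</id></license></licenses>
    </component>
  </components>
  <vulnerabilities>
    <vulnerability>
      <id>EXAMPLE-0001</id><!-- placeholder identifier, not a real advisory -->
      <ratings><rating><severity>high</severity></rating></ratings>
      <affects><target><ref>pkg:pypi/requests@2.25.0</ref></target></affects>
    </vulnerability>
  </vulnerabilities>
</bom>"""

def parse_bom(xml_text):
    """Return {bom-ref: {name, version, licenses, vulns}} for a CycloneDX 1.4 XML string."""
    root = ET.fromstring(xml_text)
    comps = {}
    for c in root.findall("b:components/b:component", NS):
        comps[c.get("bom-ref")] = {
            "name": c.findtext("b:name", namespaces=NS),
            "version": c.findtext("b:version", namespaces=NS),
            "licenses": [lic.text for lic in c.findall("b:licenses/b:license/b:id", NS)],
            "vulns": [],
        }
    # Each vulnerability points at the affected component via <affects><target><ref>, a bom-ref.
    for v in root.findall("b:vulnerabilities/b:vulnerability", NS):
        vid = v.findtext("b:id", namespaces=NS)
        sev = (v.findtext("b:ratings/b:rating/b:severity", namespaces=NS) or "unknown").lower()
        for ref in v.findall("b:affects/b:target/b:ref", NS):
            if ref.text in comps:  # skip references to components not in the BOM
                comps[ref.text]["vulns"].append((vid, sev))
    return comps

def components_at_or_above(xml_text, threshold="high"):
    """Sorted name@version of components with a vulnerability at or above the threshold."""
    floor = SEVERITY_RANK[threshold]
    return sorted(f"{c['name']}@{c['version']}" for c in parse_bom(xml_text).values()
                  if any(SEVERITY_RANK.get(sev, 0) >= floor for _, sev in c["vulns"]))
```

Pointing `components_at_or_above` at the XML file that `checkov ... -o cyclonedx` writes gives a pipeline gate that fails the build when any component reaches the chosen severity.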