Usage

Either use curl to upload a local SBOM file (json) or drop the SBOM file below:

curl -T someSBOM.json https://sbom.sh

Drop your SBOM file (SPDX or CycloneDX JSON)

Visualize components, vulnerabilities, quality and risk. Full component and vulnerability search.

OR

Generate a SBOM of this container image (public Dockerhub registry only)

Generate a SBOM from this public GitHub

Check out this SBOM example:

https://sbom.sh/78389675-0358-46e5-81c7-04186dbfb8a8

SBOM.sh API (Swagger API Description)

https://sbom.sh/swagger

Use the all-in-one SBOM.sh container image

Take advantage of the sbom.sh container image to generate, upload and share SBOMs (no local install required, no update required). Check out these examples:

Local repository using trivy

docker run -v $(pwd):/app codenotary/sbom.sh trivyfs

Container image using trivy, i.e., Postgres

docker run codenotary/sbom.sh trivyimage postgres

Container image using syft

docker run codenotary/sbom.sh syftimage postgres

Container image using grype

docker run codenotary/sbom.sh grypeimage postgres

Create an SBOM and share it

You can effortlessly create and share an SBOM using SBOM.sh in one step. Check out these examples::

To retrieve the SBOM data, you can use the curl command as below using your unique URL:

curl https://sbom.sh/78389675-0358-46e5-81c7-04186dbfb8a8

Local repository using trivy

trivy fs . -f cyclonedx -q | curl -d @- https://sbom.sh -H "Content-Type: application/json"

Container image using trivy, i. e. Postgres

trivy image postgres -f cyclonedx --scanners vuln -q | curl -d @- https://sbom.sh -H "Content-Type: application/json"

Container image using syft

syft registry:docker.io/postgres -o cyclonedx-json -q | curl -d @- https://sbom.sh -H "Content-Type: application/json"

Container image using grype

grype registry:docker.io/postgres -o cyclonedx-json -q | curl -d @- https://sbom.sh -H "Content-Type: application/json"

Use GitHub dependency graph dependency graph

curl -sL -H "Accept: application/vnd.github+json" -H "Authorization: Bearer YOUR-TOKEN" \
https://api.github.com/repos/codenotary/immudb/dependency-graph/sbom | curl -d @- https://sbom.sh -H "Content-Type: application/json"

SBOM.sh container and repository SBOM generation & sharing + vulnerability scan using Grype, Syft or Trivy provided as a GitHub Action

This GitHub Action integrates with sbom.sh to generate and upload Software Bill of Materials (SBOM) for your projects. Utilizing the codenotary/sbom.sh container image, this action supports various open-source SBOM tools such as Trivy, Grype, and Syft:

To use this action, add the following to your .github/workflows directory in a file like sbom-analysis.yml:

                    
name: "Generate and Upload SBOM"
on: [push, pull_request, workflow_dispatch]

jobs:
generate_sbom:
  runs-on: ubuntu-latest
  name: "SBOM Generation"
  steps:
    - name: Checkout Repository
      uses: actions/checkout@v4
    
    - name: Generate SBOM
      id: sbom_generation
      uses: codenotary/sbom.sh-create@main
      with:
        scan_type: 'grypefs'
        target: '.' # Assuming you want to scan the entire repository

    - name: Output SBOM URL
      run: echo "The SBOM can be found at $SBOM_SHARE_URL"
                    
                  

Open Source tool stack used

Open Source Tool Functionality Current Version
trivy SBOM generation, vulnerability scan 0.50.1
grype SBOM generation, vulnerability scan 0.74.7
sbomqs SBOM quality Score 0.0.30

Acceptable Use Policy

Please do not post any information that may violate the law (login/password lists, email lists, personal information). IP addresses are logged, so you might get banned.

Life span of a single SBOM for anonymous user is one month and then it is deleted.

For registered users (click the GitHub logo top right) is unlimited.