Generate an SBOM with the SCA agent

You can generate a Software Bill of Materials (SBOM) for your open-source code using the Veracode SCA agent. The SCA agent CLI enables developers to generate and export SBOMs as part of each pipeline scan.

Use this feature to support compliance, audit, and security requirements by gaining visibility into dependencies, vulnerabilities, and licenses throughout the Software Development Life Cycle (SDLC).

Before you begin:

  • Ensure you have installed the Veracode SCA agent on your system.
  • Ensure you have access to the source repository (Git URL) you want to scan.
  • If you want to export the SBOM files, ensure that you have write permissions to the output directory.

To complete this task:

From the command prompt, run the SBOM command with appropriate parameters:

srcclr scan <target> --sbom <sbom-schema> [--output=<file-path>] [--json]

Parameters:

  • target: Specify the local path or Git URL to scan.
  • sbom-schema: Specify the SBOM format identifier for the output. For supported formats, see supported SBOM formats.
  • file-path (optional): Specify the file path where the SBOM output should be saved.
  • --json (optional): Export the scan results and SBOM in raw JSON format.

By default, the SBOM is displayed in the terminal. To write the SBOM content to a file, use the --output option.

Supported SBOM formats

The SCA agent supports the following SBOM formats:

Description             Format identifier
CycloneDX 1.6 format    cyclonedx1.6+json
SPDX 2.3 format         spdx2.3+json

Examples

  • Generate an SBOM:

    srcclr scan --url https://example.com/ruby-repo --sbom spdx2.3+json
    srcclr scan --url https://example.com/ruby-repo --sbom cyclonedx1.6+json
  • Generate an SBOM and export it to a file:

    srcclr scan --url https://example.com/ruby-repo --sbom spdx2.3+json --output sbom_ruby_output.json
    srcclr scan --url https://example.com/ruby-repo --sbom cyclonedx1.6+json --output sbom_ruby_output.json
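Once the SBOM has been written with --output, the next practical step is to consume it in the pipeline: list what was found and fail the build on components whose license is missing or on a deny list. The script below is an added example and is not part of the Veracode SCA agent or its documentation. It assumes only that the exported file follows the standard CycloneDX 1.6 or SPDX 2.3 JSON schemas named in the table above; the two sample documents embedded in it are constructed for illustration, and the deny list is a hypothetical policy.

```python
"""Consume an SBOM exported by `srcclr scan ... --sbom <schema> --output <file>`.

Handles both schemas the agent can emit (CycloneDX 1.6 JSON and SPDX 2.3 JSON)
and normalises them into one component list so a single policy check works.
Example code; not the SCA agent's own code.
"""
import json
import re
import sys
from typing import Any, Dict, Iterable, List, Optional

Component = Dict[str, Optional[str]]

# Constructed sample shaped like a CycloneDX 1.6 JSON export (not real scan output).
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "rails", "version": "7.0.8",
         "purl": "pkg:gem/rails@7.0.8",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "nokogiri", "version": "1.13.0",
         "purl": "pkg:gem/nokogiri@1.13.0",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},
        # No license data at all: this is what the policy check should surface.
        {"type": "library", "name": "mystery-gem", "version": "0.1.0"},
    ],
})

# Constructed sample shaped like an SPDX 2.3 JSON export (not real scan output).
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "rails", "versionInfo": "7.0.8", "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:gem/rails@7.0.8"}]},
        {"name": "mystery-gem", "versionInfo": "0.1.0",
         "licenseConcluded": "NOASSERTION"},
    ],
})


def cyclonedx_license(component: Dict[str, Any]) -> Optional[str]:
    """Flatten a CycloneDX `licenses` list into one display string, or None."""
    found: List[str] = []
    for entry in component.get("licenses", []):
        if "expression" in entry:            # SPDX expression form
            found.append(entry["expression"])
        elif "license" in entry:             # single license object
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "")
    found = [f for f in found if f]
    return "; ".join(found) if found else None


def spdx_license(package: Dict[str, Any]) -> Optional[str]:
    """Return the concluded (or declared) license, treating SPDX placeholders as unknown."""
    lic = package.get("licenseConcluded") or package.get("licenseDeclared")
    return None if lic in (None, "NOASSERTION", "NONE") else lic


def spdx_purl(package: Dict[str, Any]) -> Optional[str]:
    """Pull the package-url out of SPDX externalRefs, if present."""
    for ref in package.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None


def parse_sbom(text: str) -> List[Component]:
    """Detect the schema and return [{name, version, purl, license}, ...]."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return [{"name": c.get("name"), "version": c.get("version"),
                 "purl": c.get("purl"), "license": cyclonedx_license(c)}
                for c in doc.get("components", [])]
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return [{"name": p.get("name"), "version": p.get("versionInfo"),
                 "purl": spdx_purl(p), "license": spdx_license(p)}
                for p in doc.get("packages", [])]
    raise ValueError("not a CycloneDX or SPDX JSON document")


def unlicensed(components: Iterable[Component]) -> List[str]:
    """Names of components with no usable license information."""
    return sorted(c["name"] or "" for c in components if c["license"] is None)


def denied(components: Iterable[Component], deny: Iterable[str]) -> List[str]:
    """Names whose license expression mentions any denied id.

    Conservative on purpose: 'MIT OR Apache-2.0' is flagged if Apache-2.0 is
    denied, so a human decides which branch of the OR applies.
    """
    deny_set = set(deny)
    hits = []
    for c in components:
        tokens = set(re.split(r"[\s()]+", c["license"] or ""))
        if tokens & deny_set:
            hits.append(c["name"] or "")
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python sbom_check.py sbom_ruby_output.json
    path = sys.argv[1] if len(sys.argv) > 1 else None
    comps = parse_sbom(open(path).read()) if path else parse_sbom(CYCLONEDX_SAMPLE)
    for c in comps:
        print(f"{c['name']}=={c['version']}  license={c['license']}  purl={c['purl']}")
    problems = unlicensed(comps) + denied(comps, {"GPL-3.0-only"})  # hypothetical policy
    sys.exit(1 if problems else 0)
```

Pointing the script at the file produced by --output gives a non-zero exit status when any component lacks license data or matches the deny list, which is the hook a pipeline stage needs to block a merge.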