
Create and scan SBOMs

Use Veracode Software Composition Analysis (SCA) to create and scan software bills of materials (SBOMs) that help your organization manage its software supply chain.

Create an SBOM with the REST API

See Create an SBOM using the REST API. This API uses an SCA agent.

Create an SBOM with the SCA agent

You can generate a Software Bill of Materials (SBOM) for the open-source components in your code using the SCA agent-based scan. The SCA agent CLI enables developers to generate and export SBOMs as part of each pipeline run.

Use this feature to support compliance, audit, and security requirements by gaining visibility into dependencies, vulnerabilities, and licenses throughout the Software Development Life Cycle (SDLC).

Before you begin:

  • Ensure you have set up a Veracode SCA agent on your system.
  • Ensure you have access to the source repository (Git URL) you want to scan.
  • If you want to export the SBOM files, ensure that you have write permissions to the output directory.

To complete this task:

From the command prompt, run the scan command with the --sbom option and the appropriate parameters:

srcclr scan <target> --sbom <sbom-schema> [--output=<file-path>] [--json]

Parameters

  • target: Specify the local path to scan, or pass --url <git-url> to scan a remote Git repository (as in the examples below).
  • sbom-schema: Specify the SBOM format identifier for the output. For supported formats, see supported SBOM formats.
  • file-path (optional): Specify the file path where the SBOM output should be saved.
  • --json (optional): Export the scan results and SBOM in raw JSON format.

By default, the SBOM is printed to the terminal. To write the SBOM content to a file, use the --output option. If you intend to feed the exported file back into an SBOM scan (see Scan an SBOM with an SCA agent, below), choose an output file name ending in bom.json for CycloneDX or spdx.json for SPDX, because the agent's SBOM collector only recognizes files with those name endings.

Supported SBOM formats

The SCA agent supports the following SBOM formats:

Description             Format Identifier
CycloneDX 1.6 format    cyclonedx1.6+json
SPDX 2.3 format         spdx2.3+json

Examples

  • Generate an SBOM:

    srcclr scan --url https://example.com/ruby-repo --sbom spdx2.3+json
    srcclr scan --url https://example.com/ruby-repo --sbom cyclonedx1.6+json
  • Generate an SBOM and export it to a file:

    srcclr scan --url https://example.com/ruby-repo --sbom spdx2.3+json --output sbom_ruby_output.json
    srcclr scan --url https://example.com/ruby-repo --sbom cyclonedx1.6+json --output sbom_ruby_output.json
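The examples above leave it to you to confirm that the file written by --output really is an SBOM in the format you asked for before a pipeline archives or uploads it. The following Python script is an added example, not Veracode's own code: it assembles the srcclr invocation shown on this page, runs it, and then checks that the exported JSON carries the top-level markers of the requested schema (bomFormat/specVersion for CycloneDX 1.6, spdxVersion for SPDX 2.3) and lists the components it found. It assumes srcclr is on PATH and the agent is already authorized; the sample SBOM documents used to exercise inspect_sbom are constructed, not real scan output.

```python
"""Added example (not Veracode's code): run `srcclr scan --sbom` from a pipeline
step and sanity-check the exported file before archiving it.
Assumes `srcclr` is on PATH and the SCA agent is already authorized."""
import json
import subprocess
import sys
from pathlib import Path

# Format identifiers from the "Supported SBOM formats" table, mapped to the
# top-level markers each schema places in its JSON document.
SBOM_FORMATS = {
    "cyclonedx1.6+json": {"bomFormat": "CycloneDX", "specVersion": "1.6"},
    "spdx2.3+json": {"spdxVersion": "SPDX-2.3"},
}


def build_sbom_command(target, sbom_format, output):
    """Assemble the `srcclr scan` argv shown on the page. A local directory is
    passed positionally; a repository URL goes through --url, as in the page's
    examples."""
    if sbom_format not in SBOM_FORMATS:
        raise ValueError(f"unsupported SBOM format: {sbom_format}")
    cmd = ["srcclr", "scan"]
    if target.startswith(("http://", "https://", "git@", "ssh://")):
        cmd += ["--url", target]
    else:
        cmd.append(target)
    cmd += ["--sbom", sbom_format, "--output", str(output)]
    return cmd


def inspect_sbom(text, sbom_format):
    """Parse an exported SBOM and check that it carries the markers of the
    format that was requested.
    Returns (True, ["name@version", ...]) on success, or (False, reason)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return False, f"not valid JSON: {exc}"
    for key, value in SBOM_FORMATS[sbom_format].items():
        if doc.get(key) != value:
            return False, f"{key}={doc.get(key)!r}, expected {value!r}"
    if sbom_format.startswith("cyclonedx"):
        # CycloneDX lists dependencies under "components" with name/version.
        entries = [(c.get("name"), c.get("version")) for c in doc.get("components", [])]
    else:
        # SPDX lists them under "packages" with name/versionInfo.
        entries = [(p.get("name"), p.get("versionInfo")) for p in doc.get("packages", [])]
    return True, [f"{name}@{version}" for name, version in entries]


def generate_sbom(target, sbom_format, output):
    """Run the scan, then refuse to hand back a file that is not the SBOM we
    asked for (e.g. an error message or partial output written to --output)."""
    subprocess.run(build_sbom_command(target, sbom_format, output), check=True)
    ok, detail = inspect_sbom(Path(output).read_text(encoding="utf-8"), sbom_format)
    if not ok:
        raise RuntimeError(f"{output} is not a {sbom_format} SBOM: {detail}")
    return detail


if __name__ == "__main__":
    # Usage: python sbom_export.py <target-or-url> <format-id> <output-file>
    for component in generate_sbom(sys.argv[1], sys.argv[2], sys.argv[3]):
        print(component)
```

inspect_sbom deliberately checks only the schema markers, not the full CycloneDX or SPDX schema; its purpose is to catch the common pipeline failure where --output ends up holding something other than the SBOM the step expected.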

Scan an SBOM with an SCA agent

SBOM files are only picked up by quick scans. If you include --quick, the SCA agent scans every SBOM file it finds (subject to the naming rules below) by default. A full scan, without --quick, ignores SBOM files entirely.

Prerequisites

  • SBOM file names must be in one of the following formats:

    • CycloneDX (CDX) format with file name ending in bom.json
    • Software Package Data Exchange (SPDX) format with file name ending in spdx.json
  • Supported SBOM versions:

Scan SBOM files only

By default, a quick scan runs every collector, so SBOM files are scanned alongside manifests and lock files. To scan only SBOM files, use one of the following methods to restrict the agent to the SBOM collector (SbomQuickScanCollector). Keep --quick in the command, because the SBOM collector does not run in a full scan.

  • scan command:

    srcclr scan --quick --scan-collectors SbomQuickScanCollector
  • Environment variable (PowerShell syntax shown):

    $env:SRCCLR_SCAN_COLLECTORS='SbomQuickScanCollector'
  • YAML file: Add scan_collectors: SbomQuickScanCollector to one of the following files:

    • agent.yml for all scans
    • srcclr.yml at your project root
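Because the SBOM collector matches files by name only, the most common reason an SBOM-only scan reports nothing is that the files are named app-sbom.cdx.json or sbom.spdx.yaml instead of ending in bom.json or spdx.json. The following POSIX shell script is an added example, not Veracode's code: it lists the files under a directory that satisfy the naming rule in the prerequisites above, refuses to run if there are none, and otherwise starts the SBOM-only quick scan with the --scan-collectors option from this section. It assumes srcclr is on PATH and the agent is authorized; the directory layout in the usage test is constructed.

```shell
#!/bin/sh
# Added example (not Veracode's code): preview which files the SBOM collector
# will pick up, then run an SBOM-only quick scan. Assumes srcclr is on PATH.

# The agent's SBOM collector only recognizes files whose names end in bom.json
# (CycloneDX) or spdx.json (SPDX); anything else is silently ignored.
find_sbom_files() {
    find "$1" -type f \( -name '*bom.json' -o -name '*spdx.json' \) | sort
}

sbom_only_scan() {
    dir=$1
    n=$(find_sbom_files "$dir" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "no *bom.json or *spdx.json files under $dir; the SBOM collector would find nothing" >&2
        return 1
    fi
    echo "SBOM collector will see $n file(s):"
    find_sbom_files "$dir"
    # --quick is required: full scans ignore SBOM files. Restricting the
    # collectors turns this into an SBOM-only scan. The equivalent POSIX form
    # of the PowerShell environment variable shown above would be
    # SRCCLR_SCAN_COLLECTORS=SbomQuickScanCollector exported before the call.
    srcclr scan "$dir" --quick --scan-collectors SbomQuickScanCollector
}

# Usage: sh sbom_only_scan.sh <directory>
if [ $# -gt 0 ]; then
    sbom_only_scan "$1"
fi
```

Run the preview first on a fresh checkout; if the listing is empty, rename the SBOM files (for example to app.bom.json or app.spdx.json) rather than adding a collector that does not exist.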

Ignore SBOM files

To exclude SBOM files from quick scans, use one of the following methods to configure the SCA agent to skip the SBOM collector (SbomQuickScanCollector).

  • scan command:

    srcclr scan --quick --skip-collectors SbomQuickScanCollector
  • Environment variable (PowerShell syntax shown):

    $env:SRCCLR_SKIP_COLLECTORS='SbomQuickScanCollector'
  • YAML file: Add skip_collectors: SbomQuickScanCollector to one of the following files:

    • agent.yml for all scans
    • srcclr.yml at your project root

Scan an SBOM with the REST API

See SBOM Scan REST API.

Scan an SBOM with SCA Upload and Scan

Prerequisites

  • SBOM file names must be in one of the following formats:

    • CycloneDX (CDX) format with file name ending in bom.json
    • Software Package Data Exchange (SPDX) format with file name ending in spdx.json
  • Supported SBOM versions:

Scan an SBOM and an application

SCA Upload and Scan results, available in the Veracode Platform, combine uploaded SBOMs with other dependency information, such as lock files.

Scan SBOM files only

To perform an SBOM-only scan, include a valid, supported artifact that Veracode Static Analysis can scan alongside your SBOM files. Zip the SBOM file and the artifact together into a single archive, and then upload that archive for scanning. This is required because SCA upload scanning is tightly integrated with static scanning. The SBOM file names inside the archive must still follow the naming rules in the prerequisites above.

Important

You can't run an SBOM-only scan without including a valid artifact. See the list of supported artifacts for Veracode Static Analysis.