veracode sbom

Generate a software bill of materials (SBOM) of an image, archive, repository, or directory.

Usage

./veracode sbom --type {target type} --source {source} {flags}

Target Type

  • image: identifies a container image as the target. Veracode supports the following base image operating systems:
    • Alpine Linux
    • Amazon Linux
    • CentOS
    • Debian
    • GitLab BusyBox and Distroless
    • Oracle Linux
    • Red Hat Enterprise Linux
    • Ubuntu
  • repo: identifies a repository as the target.
  • archive: identifies an archive as the target.
  • directory: identifies a directory as the target.

Flags

  • -f, --format: SBOM format. Enter one of these values:

    Format           Description
    json             Default value. A JSON report using Syft's JSON schema.
    spdx-tag-value   A tag-value formatted report conforming to the SPDX 2.2 JSON Schema.
    spdx-json        A JSON report conforming to the SPDX 2.2 JSON Schema.
    cyclonedx-xml    An XML report conforming to the CycloneDX 1.4 specification.
    cyclonedx-json   A JSON report conforming to the CycloneDX 1.4 specification.
    github           A JSON report conforming to GitHub's dependency snapshot format.
    table            A columnar summary.
    text             A row-oriented, human-and-machine-friendly output.
  • -h, --help: return help content for veracode sbom.

  • -o, --output: write the output to the specified file. If not provided, output is printed to STDOUT.

  • -s, --source: location of the SBOM source for the target type.

Examples

  • Image source: ./veracode sbom --source alpine:latest --type image

  • Directory source: ./veracode sbom --source path/to/directory/or/file --type directory

  • Repository source: ./veracode sbom --source https://github.com/veracode/veracode-sca --type repo
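The following is an added example, not part of this page or of Veracode's own tooling, that ties the Flags and Examples sections together: it builds a `veracode sbom` command line restricted to the documented --type and --format values, then post-processes the CycloneDX JSON that `-f cyclonedx-json -o sbom.json` would write. It assumes the CLI binary sits at ./veracode in the working directory and that the output follows the standard CycloneDX 1.4 JSON layout (top-level "components" entries with "name", "version", "purl"); the SBOM document embedded in the script is a constructed sample so the script runs offline.

```python
"""Added example (not Veracode's own code): build a `veracode sbom` invocation
from the documented target types and formats, then post-process the
CycloneDX JSON it writes with `-f cyclonedx-json -o <file>`.

Assumptions, not stated on the page: the CLI binary is at ./veracode in the
working directory, and the CycloneDX output follows the standard 1.4 JSON
layout (top-level "components", each with "name", "version", "purl").
The SBOM document embedded below is a constructed sample for offline use."""
import json
import shlex
import subprocess
from collections import Counter

# Values documented for --type and --format on the page.
TARGET_TYPES = {"image", "repo", "archive", "directory"}
FORMATS = {"json", "spdx-tag-value", "spdx-json", "cyclonedx-xml",
           "cyclonedx-json", "github", "table", "text"}


def build_sbom_command(target_type, source, fmt="json", output=None,
                       binary="./veracode"):
    """Return the argv list for `veracode sbom`, rejecting undocumented
    values before anything is executed."""
    if target_type not in TARGET_TYPES:
        raise ValueError(f"unknown --type {target_type!r}; "
                         f"expected one of {sorted(TARGET_TYPES)}")
    if fmt not in FORMATS:
        raise ValueError(f"unknown --format {fmt!r}; "
                         f"expected one of {sorted(FORMATS)}")
    argv = [binary, "sbom", "--type", target_type,
            "--source", source, "--format", fmt]
    if output:
        argv += ["--output", output]
    return argv


def run_sbom(argv):
    """Execute the command and return its stdout (not used by the offline demo)."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def summarize_cyclonedx(doc):
    """Summarize a CycloneDX JSON SBOM: component count by type, plus the
    components that lack a package URL (purl). Components without a purl
    cannot be matched against vulnerability databases by identifier, so
    they deserve a manual look rather than silent acceptance."""
    components = doc.get("components", [])
    by_type = Counter(c.get("type", "unknown") for c in components)
    missing_purl = [f"{c.get('name')}@{c.get('version', '?')}"
                    for c in components if not c.get("purl")]
    return {
        "bom_format": doc.get("bomFormat"),
        "spec_version": doc.get("specVersion"),
        "total": len(components),
        "by_type": dict(by_type),
        "missing_purl": missing_purl,
    }


# Constructed sample resembling `veracode sbom -f cyclonedx-json` output
# for an Alpine image; the package versions are illustrative only.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "musl", "version": "1.2.4-r2",
     "purl": "pkg:apk/alpine/musl@1.2.4-r2?distro=alpine-3.18.4"},
    {"type": "library", "name": "busybox", "version": "1.36.1-r5",
     "purl": "pkg:apk/alpine/busybox@1.36.1-r5?distro=alpine-3.18.4"},
    {"type": "library", "name": "vendored-helper", "version": "0.1.0"}
  ]
}
""")


if __name__ == "__main__":
    cmd = build_sbom_command("image", "alpine:latest", "cyclonedx-json", "sbom.json")
    print("would run:", shlex.join(cmd))
    # With the real CLI available: run_sbom(cmd); doc = json.load(open("sbom.json"))
    print(json.dumps(summarize_cyclonedx(SAMPLE_SBOM), indent=2))
```

Running the script prints the command it would execute and a summary of the constructed SBOM, in which "vendored-helper" is reported as lacking a purl. The same `summarize_cyclonedx` call works on a real `sbom.json` produced by the CLI; an unexpectedly small `total` is a quick way to notice the reduced output the Limitation section describes for unbuilt Gradle projects.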

Limitation

The Veracode CLI provides limited SBOM output for Gradle projects that have not been built.