veracode sbom
Generate a software bill of materials (SBOM) of an image, archive, repository, or directory.
Usage
./veracode sbom --type {target type} --source {source} {flags}
Target Type
image
: identifies a container image as the target. Veracode supports the following base image operating systems:
- Alpine Linux
- Amazon Linux
- CentOS
- Debian
- GitLab BusyBox and Distroless
- Oracle Linux
- Red Hat Enterprise Linux
- Ubuntu
repo
: identifies a repository as the target.
archive
: identifies an archive as the target.
directory
: identifies a directory as the target.
Flags
-f, --format
: SBOM format. Enter one of these values:

  Format          Description
  json            Default value. A JSON using Syft's JSON schema.
  spdx-tag-value  A tag-value formatted report conforming to the SPDX 2.2 JSON Schema.
  spdx-json       A JSON report conforming to the SPDX 2.2 JSON Schema.
  cyclonedx-xml   An XML report conforming to the CycloneDX 1.4 specification.
  cyclonedx-json  A JSON report conforming to the CycloneDX 1.4 specification.
  github          A JSON report conforming to GitHub's dependency snapshot format.
  table           A columnar summary.
  text            A row-oriented, human-and-machine-friendly output.

-h, --help
: return help content for veracode sbom.
-o, --output
: print output to specified file. If not provided, output is printed to STDOUT.
-s, --source
: location of the SBOM source for the target type.
Examples
Image source:
./veracode sbom --source alpine:latest --type image
Directory source:
./veracode sbom --source path/to/directory/or/file --type directory
Repository source:
./veracode sbom --source https://github.com/veracode/veracode-sca --type repo
Limitation
The Veracode CLI provides limited SBOM output for Gradle projects that have not been built.
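A post-processing step that is worth running on the file written by `./veracode sbom --type image --source alpine:latest --format cyclonedx-json --output sbom.json`: this added Python example (not part of the Veracode CLI or of this reference) parses a CycloneDX JSON SBOM, counts components per package ecosystem from their purls, and flags components that carry no version or purl, since those cannot be matched against vulnerability data and are the kind of gap to check for when the output is limited, as with an unbuilt Gradle project. The SBOM embedded below is constructed sample data, not real CLI output.

```python
"""Inventory a CycloneDX 1.4 JSON SBOM and flag components that lack the
fields needed for vulnerability matching (version and purl)."""
import json
from collections import Counter

# Constructed sample SBOM; package names/versions are illustrative only.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "musl", "version": "1.2.4-r2",
         "purl": "pkg:apk/alpine/musl@1.2.4-r2?distro=alpine-3.18.4"},
        {"type": "library", "name": "busybox", "version": "1.36.1-r5",
         "purl": "pkg:apk/alpine/busybox@1.36.1-r5?distro=alpine-3.18.4"},
        {"type": "library", "name": "openssl", "version": "3.1.4-r1",
         "purl": "pkg:apk/alpine/openssl@3.1.4-r1?distro=alpine-3.18.4"},
        # A component the scanner could identify by name only: no version, no purl.
        {"type": "library", "name": "vendored-lib"},
    ],
})


def load_components(sbom_text):
    """Parse the SBOM text and return its component list (empty if absent)."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def inventory(sbom_text):
    """Return totals per purl ecosystem plus the names of incomplete components."""
    comps = load_components(sbom_text)
    by_ecosystem = Counter()
    incomplete = []
    for c in comps:
        purl = c.get("purl")
        if not purl or not c.get("version"):
            incomplete.append(c.get("name", "<unnamed>"))
            continue
        # purl layout: pkg:<type>/<namespace>/<name>@<version>?<qualifiers>
        ecosystem = purl.split(":", 1)[1].split("/", 1)[0]
        by_ecosystem[ecosystem] += 1
    return {"total": len(comps),
            "by_ecosystem": dict(by_ecosystem),
            "incomplete": incomplete}


if __name__ == "__main__":
    print(json.dumps(inventory(SAMPLE_SBOM), indent=2))
```

Point it at a real file with `inventory(open("sbom.json").read())`; a non-empty `incomplete` list means the SBOM should not be treated as a complete dependency inventory.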