veracode sbom
Generates a software bill of materials (SBOM) of an image, archive, repository, or directory.
Syntax
./veracode sbom --type <string> --source <string> [flags]
Flags
| Flag | Description |
|---|---|
| `-f`, `--format` | SBOM format. Enter one of the following values: `json` (default): a JSON report using the Syft JSON schema; `spdx-tag-value`: a tag-value formatted report conforming to the SPDX 2.2 JSON schema; `spdx-json`: a JSON report conforming to the SPDX 2.2 JSON schema; `cyclonedx-xml`: an XML report conforming to the CycloneDX 1.4 specification; `cyclonedx-json`: a JSON report conforming to the CycloneDX 1.4 specification; `github`: a JSON report that conforms to the GitHub dependency snapshot format; `table`: a columnar summary; `text`: a row-oriented, human- and machine-friendly output. |
| `-h`, `--help` | Return help content for `veracode sbom`. |
| `-o`, `--output` | Print output to the specified file. If not provided, output is printed to STDOUT. |
| `-s`, `--source` | Location of the SBOM source for the target type. |
| `--type` | The target type. Enter one of the following values: `image`: identifies a container image as the target (supported base image operating systems: Alpine Linux, Amazon Linux, CentOS, Debian, GitLab BusyBox and Distroless, Oracle Linux, Red Hat Enterprise Linux, Ubuntu); `repo`: identifies a repository as the target; `archive`: identifies an archive as the target; `directory`: identifies a directory as the target. |
Examples
To use an image as the source, run:
./veracode sbom --source alpine:latest --type image
To use a directory as the source, run:
./veracode sbom --source path/to/directory/or/file --type directory
To use a repository as the source, run:
./veracode sbom --source https://github.com/veracode/veracode-sca --type repo
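The examples above print the SBOM to STDOUT; in practice you will write it to a file with `--output` and then review it. The following is an added example, not part of the Veracode CLI or its documentation: it builds the `veracode sbom` command from the flags listed in this reference (assuming the binary is `./veracode` in the working directory, as in the examples) and parses a CycloneDX JSON SBOM to flag components that lack a version or package URL (purl), which are the entries a vulnerability feed cannot be matched against. The sample SBOM embedded below is constructed for this example; its component names and versions are made up.

```python
import json
import subprocess
from collections import Counter

# Constructed sample: the shape of a CycloneDX 1.4 JSON document such as
# `./veracode sbom --type directory --source . --format cyclonedx-json` would
# write. The component names and versions are made up for this example.
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7"},
        {"type": "operating-system", "name": "alpine", "version": "3.18.4"},
        {"type": "library", "name": "vendored-helper"},
    ],
})


def build_sbom_command(source, target_type, output_path, fmt="cyclonedx-json"):
    """Assemble the CLI invocation from the flags documented above.

    Assumes the binary is ./veracode in the working directory (as in the
    page's examples); only --type, --source, --format and --output are used.
    """
    return ["./veracode", "sbom", "--type", target_type, "--source", source,
            "--format", fmt, "--output", output_path]


def generate_sbom(source, target_type, output_path, fmt="cyclonedx-json"):
    """Run the CLI and write the SBOM to output_path; raises on a non-zero exit."""
    subprocess.run(build_sbom_command(source, target_type, output_path, fmt),
                   check=True)
    return output_path


def summarize_cyclonedx(sbom_text):
    """Return a review summary of a CycloneDX JSON SBOM.

    Components without a version or a purl cannot be matched reliably against
    vulnerability data, so they are listed separately for follow-up.
    """
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document: bomFormat=%r" % doc.get("bomFormat"))
    components = doc.get("components", [])
    return {
        "spec_version": doc.get("specVersion"),
        "total": len(components),
        "by_type": dict(Counter(c.get("type", "unknown") for c in components)),
        "unversioned": sorted(c["name"] for c in components if not c.get("version")),
        "without_purl": sorted(c["name"] for c in components if not c.get("purl")),
    }


if __name__ == "__main__":
    # Offline demonstration on the constructed sample. To run against a real
    # target, call e.g. generate_sbom(".", "directory", "sbom.json") first and
    # pass the file's contents to summarize_cyclonedx().
    print(json.dumps(summarize_cyclonedx(SAMPLE_CYCLONEDX), indent=2))
```

The `bomFormat` check guards against feeding the parser output produced with a different `--format` value (for example `spdx-json`), which has a different structure.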
Limitations
The Veracode CLI provides limited SBOM output for Gradle projects that have not been built.