veracode sbom

Generates a software bill of materials (SBOM) of an image, archive, repository, or directory.

Syntax

./veracode sbom --type <string> --source <string> [flags]

Flag	Description
`-f`, `--format`	SBOM format. Enter one of the following values: `json`: Default value. A JSON using Syft JSON schema. `spdx-tag-value`: a tag-value formatted report conforming to the SPDX 2.2 JSON schema. `spdx-json`: a JSON report conforming to the SPDX 2.2 JSON Schema. `cyclonedx-xml`: an XML report conforming to the CycloneDX 1.4 specification. `cyclonedx-json`: a JSON report conforming to the CycloneDX 1.4 specification. `github`: a JSON report that conforms to the GitHub dependency snapshot format. `table`: a columnar summary. `text`: a row-oriented, human-and-machine-friendly output.
`-h`, `--help`	Return help content for `veracode sbom`.
`-o`, `--output`	Print output to specified file. If not provided, output is printed to STDOUT.
`-s`, `--source`	Location of the SBOM source for the target `type`.
`--type`	The target type. Enter one of the following values: `image`: identifies a container image as the target. The following base image operating systems are supported: - Alpine Linux - Amazon Linux - CentOS - Debian - GitLab BusyBox and Distroless - Oracle Linux - Red Hat Enterprise Linux - Ubuntu `repo`: identifies a repository as the target. `archive`: identifies an archive as the target. `directory`: identifies a directory as the target.

To use an image as the source, run:

./veracode sbom --source alpine:latest --type image`

To use a directory as the source, run:

./veracode sbom --source path/to/directory/or/file --type directory`

To use a repository as the source, run:

./veracode sbom --source https://github.com/veracode/veracode-sca --type repo

The Veracode CLI provides limited SBOM output for Gradle projects that have not been built.