veracode sbom

Generates a software bill of materials (SBOM) of an image, archive, repository, or directory.

Syntax

./veracode sbom --type <string> --source <string> [flags]

Flags

Flag            Description
-f, --format    SBOM format. Enter one of the following values:
                  json: Default value. A JSON report using the Syft JSON schema.
                  spdx-tag-value: a tag-value formatted report conforming to the SPDX 2.2 JSON schema.
                  spdx-json: a JSON report conforming to the SPDX 2.2 JSON Schema.
                  cyclonedx-xml: an XML report conforming to the CycloneDX 1.4 specification.
                  cyclonedx-json: a JSON report conforming to the CycloneDX 1.4 specification.
                  github: a JSON report that conforms to the GitHub dependency snapshot format.
                  table: a columnar summary.
                  text: a row-oriented, human- and machine-friendly output.
-h, --help      Return help content for veracode sbom.
-o, --output    Print output to the specified file. If not provided, output is printed to STDOUT.
-s, --source    Location of the SBOM source for the target type.
--type          The target type. Enter one of the following values:
                  image: identifies a container image as the target. The following base image operating systems are supported:
                    - Alpine Linux
                    - Amazon Linux
                    - CentOS
                    - Debian
                    - GitLab BusyBox and Distroless
                    - Oracle Linux
                    - Red Hat Enterprise Linux
                    - Ubuntu
                  repo: identifies a repository as the target.
                  archive: identifies an archive as the target.
                  directory: identifies a directory as the target.

Examples

To use an image as the source, run:

./veracode sbom --source alpine:latest --type image

To use a directory as the source, run:

./veracode sbom --source path/to/directory/or/file --type directory

To use a repository as the source, run:

./veracode sbom --source https://github.com/veracode/veracode-sca --type repo
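The following is an added example, not part of the Veracode documentation or CLI: it builds the `veracode sbom` command line from the flag values documented above (rejecting values the table does not list) and then post-processes a CycloneDX JSON SBOM such as `--format cyclonedx-json` produces, counting components by type and flagging entries that lack a version or package URL, since those cannot be matched against vulnerability data. The CycloneDX field names follow the CycloneDX 1.4 specification; the sample SBOM is constructed here and is not real CLI output.

```python
import json
import shlex

# Values taken from the --type and --format tables above.
VALID_TYPES = {"image", "repo", "archive", "directory"}
VALID_FORMATS = {"json", "spdx-tag-value", "spdx-json", "cyclonedx-xml",
                 "cyclonedx-json", "github", "table", "text"}


def build_command(target_type, source, fmt="cyclonedx-json", output=None,
                  cli="./veracode"):
    """Return the argv list for `veracode sbom`, validating flag values
    against the documented options before anything is executed."""
    if target_type not in VALID_TYPES:
        raise ValueError(f"unknown --type {target_type!r}")
    if fmt not in VALID_FORMATS:
        raise ValueError(f"unknown --format {fmt!r}")
    argv = [cli, "sbom", "--type", target_type, "--source", source, "--format", fmt]
    if output:
        argv += ["--output", output]
    return argv


def summarize_cyclonedx(sbom_text):
    """Summarize a CycloneDX JSON document: component count per type, plus the
    names of components missing a version or purl (needed for vuln matching)."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON document")
    by_type, incomplete = {}, []
    for comp in doc.get("components", []):
        ctype = comp.get("type", "unknown")
        by_type[ctype] = by_type.get(ctype, 0) + 1
        if not comp.get("version") or not comp.get("purl"):
            incomplete.append(comp.get("name", "<unnamed>"))
    return {"spec": doc.get("specVersion"), "by_type": by_type, "incomplete": incomplete}


# Constructed sample resembling cyclonedx-json output; not real CLI output.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        {"type": "library", "name": "musl", "version": "1.2.4-r2",
         "purl": "pkg:apk/alpine/musl@1.2.4-r2"},
        {"type": "library", "name": "busybox", "version": "1.36.1-r15",
         "purl": "pkg:apk/alpine/busybox@1.36.1-r15"},
        {"type": "library", "name": "vendored-lib"},  # no version, no purl
    ],
})

if __name__ == "__main__":
    print(shlex.join(build_command("image", "alpine:latest", output="sbom.json")))
    print(summarize_cyclonedx(SAMPLE_SBOM))
```

To run against a real SBOM, execute the printed command and pass the contents of `sbom.json` to `summarize_cyclonedx`.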

Limitations

The Veracode CLI provides limited SBOM output for Gradle projects that have not been built.