veracode sbom
Generates a software bill of materials (SBOM) of an image, archive, repository, or directory.
Syntax
./veracode sbom --type <string> --source <string> [flags]
Flags
Flag | Description |
---|---|
-f , --format | SBOM format. Enter one of the following values:json : Default value. A JSON using Syft JSON schema.spdx-tag-value : a tag-value formatted report conforming to the SPDX 2.2 JSON schema.spdx-json : a JSON report conforming to the SPDX 2.2 JSON Schema.cyclonedx-xml : an XML report conforming to the CycloneDX 1.4 specification.cyclonedx-json : a JSON report conforming to the CycloneDX 1.4 specification.github : a JSON report that conforms to the GitHub dependency snapshot format.table : a columnar summary.text : a row-oriented, human-and-machine-friendly output. |
-h , --help | Return help content for veracode sbom . |
-o , --output | Print output to specified file. If not provided, output is printed to STDOUT. |
-s , --source | Location of the SBOM source for the target type . |
--type | The target type. Enter one of the following values:image : identifies a container image as the target. The following base image operating systems are supported:- Alpine Linux - Amazon Linux - CentOS - Debian - GitLab BusyBox and Distroless - Oracle Linux - Red Hat Enterprise Linux - Ubuntu repo : identifies a repository as the target.archive : identifies an archive as the target.directory : identifies a directory as the target. |
Examples
To use an image as the source, run:
./veracode sbom --source alpine:latest --type image`
To use a directory as the source, run:
./veracode sbom --source path/to/directory/or/file --type directory`
To use a repository as the source, run:
./veracode sbom --source https://github.com/veracode/veracode-sca --type repo
Limitations
The Veracode CLI provides limited SBOM output for Gradle projects that have not been built.