How to Generate SBOM


To enable SBOM generation for your project, you must configure the SBOM scanner. The scanner runs whenever a commit is made on the default branch of your project and collects the component inventory.


Configure the SBOM Scanner


Two versions of the SBOM scanner are available, depending on whether the inventory is generated from the source code repository or from the generated container image artifact.

Component inventories can be generated from container images. When the SBOM is generated from a container image, operating system packages, as well as other components pulled in from dependencies, can be reported.
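The split between operating system packages and dependency components can be checked on a generated inventory. The following is an added example, not BoostSecurity's or Trivy's own code: it assumes the inventory is available as CycloneDX JSON (this page does not state the format), reads only top-level components, and uses a constructed sample document; the function names are hypothetical.

```python
import json
from collections import defaultdict

# purl types used by OS package managers (Debian, RPM-based, Alpine).
OS_PURL_TYPES = {"deb", "rpm", "apk"}

# Constructed CycloneDX-style sample, not output from a real scan.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "operating-system", "name": "debian", "version": "12.5"},
        {"type": "library", "name": "openssl", "version": "3.0.11-1",
         "purl": "pkg:deb/debian/openssl@3.0.11-1?distro=debian-12.5"},
        {"type": "library", "name": "zlib1g", "version": "1.2.13",
         "purl": "pkg:deb/debian/zlib1g@1.2.13"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "vendored-lib", "version": "0.1"},
    ],
})

def purl_type(purl):
    """Return the type segment of a package URL ('pkg:<type>/...'), or None."""
    if not purl or not purl.startswith("pkg:"):
        return None
    return purl[4:].split("/", 1)[0].lower() or None

def split_inventory(sbom_json):
    """Group top-level components: OS, OS packages, app dependencies, unidentified."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    groups = defaultdict(list)
    for comp in bom.get("components", []):
        label = f"{comp.get('name')}@{comp.get('version')}"
        ptype = purl_type(comp.get("purl"))
        if comp.get("type") == "operating-system":
            groups["os"].append(label)
        elif ptype is None:
            groups["unidentified"].append(label)  # no purl: hard to match to advisories
        elif ptype in OS_PURL_TYPES:
            groups["os_packages"].append(label)
        else:
            groups["app_dependencies"].append(label)
    return dict(groups)

if __name__ == "__main__":
    for group, items in split_inventory(SAMPLE_SBOM).items():
        print(group, items)
```

An inventory built from source code alone would normally show no `os` or `os_packages` entries, which is a quick way to confirm which of the two scanner variants produced a given SBOM.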

To configure the SBOM scanner to collect the inventory from the source code and the container images:

  1. Navigate to the Provisioning page.
  2. Select the repository or repositories to configure the SBOM scanner on and click Provision Repository (top right).

  3. Select the BoostSecurity Trivy (FS SBOM) scanner and click the Next button.

  4. Select the service to provision scanners in (e.g., Azure DevOps, GitHub Actions, GitLab CI/CD) on step 3 and click Complete. This configures the repository, which is then tagged "Being processed" for SBOM scanning.

Once processing completes, the BoostSecurity SBOM scanner collects the component inventory on the next commit.