# Software Bill Of Materials (SBOM)
BoostSecurity collects a nested inventory of all open-source and third-party components in your project codebase.
Collecting a project's SBOM is a matter of adding the BoostSecurity SBOM scanning module to the project's workflow; the inventory is then regenerated on every commit to the project's default branch.
In addition to reporting the inventory of components, BoostSecurity reports the known security vulnerabilities affecting those components.
## Getting Started
The first step in enabling SBOM generation for your project is to configure the SBOM scanner. The scanner runs whenever a commit is pushed to the default branch and collects the component inventory.
Note
Even if the workflow is configured to run the SBOM scanner on pull requests, the scanner does not collect the inventory of components on pull requests.
Two SBOM scanner modules are available: one generates the inventory from the source code repository, the other from a container image built in the workflow.
Note
There can only be one scanner that outputs SBOM per project.
### SBOM Scanner Module from Source Code
To collect the inventory from the source code, add a workflow YAML file with the following configuration:
GitHub Actions
```yml
name: BoostSecurity
on:
  workflow_dispatch:
  push:
    branches:
      - main
      - master
jobs:
  boost-sbom:
    name: SBOM
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Upload SBOM
        uses: boostsecurityio/boostsec-scanner-github@v4
        with:
          registry_module: boostsecurityio/trivy-sbom
          api_token: ${{ secrets.BOOST_API_TOKEN }}
```
The BoostSecurity SBOM scanner will collect the inventory of the components on the next commit.
### SBOM Scanner Module for Container Images
Component inventories can also be generated from container images. An image SBOM includes operating system packages and other components installed into the image at build time, which a scan of the source code alone does not see.
To collect the inventory from a container image, add the BoostSecurity scanner module to the workflow after the step that builds the image. The module scans the image named in `BOOST_IMAGE_NAME`, so it must run once that image exists on the runner. For example:
GitHub Actions
```yml
on:
  workflow_dispatch:
  push:
    branches:
      - main
jobs:
  boost-image-sbom:
    name: Boost Container
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      # In this step you would build your container image;
      # the step below is just an example.
      - name: Build Image example
        run: docker build . -t <your image name>
      - name: Run Boost Trivy SBOM for Image
        uses: boostsecurityio/boostsec-scanner-github@v4
        env:
          BOOST_IMAGE_NAME: <your image name>
        with:
          registry_module: boostsecurityio/trivy-sbom-image
          api_token: ${{ secrets.BOOST_API_TOKEN }}
```
### SBOM for Multiple Container Images Per Repository
As described above, the image inventory is associated with the project when the workflow is configured to scan container images. A mono repository, however, may produce several container images.
In that case, the scanner module can attach a label to the SBOM inventory produced for each container image, and the SBOM service then tracks and reports the inventory for each image separately. An example workflow configuration follows:
GitHub Actions
```yml
on:
  workflow_dispatch:
  push:
    branches:
      - main
jobs:
  boost-image-sbom:
    name: Boost Container
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      # In these steps you would build your container images;
      # the build steps below are placeholders.
      - name: Build first Image example
        run: ... # build the first image here
      - name: Run Boost Trivy SBOM for Image - asset 1
        uses: boostsecurityio/boostsec-scanner-github@v4
        env:
          BOOST_IMAGE_NAME: <your first image name>
        with:
          api_token: ${{ secrets.BOOST_API_TOKEN }}
          registry_module: boostsecurityio/trivy-sbom-image
          scan_label: <first image label>
      - name: Build second Image example
        run: ... # build the second image here
      - name: Run Boost Trivy SBOM for Image - asset 2
        uses: boostsecurityio/boostsec-scanner-github@v4
        env:
          BOOST_IMAGE_NAME: <your second image name>
        with:
          api_token: ${{ secrets.BOOST_API_TOKEN }}
          registry_module: boostsecurityio/trivy-sbom-image
          scan_label: <second image label>
```
The additional argument `scan_label` sets the label for the SBOM inventory of that asset. In the SBOM service projects list view, the inventory for the asset appears under the project name `<organization>/<repository>/<label>`. Give each image its own label: because the project name is derived from the label, two images scanned with the same label map to the same project, which conflicts with the one-SBOM-scanner-per-project rule above. Labels are therefore the mechanism for mono repositories to produce a separate SBOM inventory for each container image they build.
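When the number of images grows, repeating a build step and a scan step for each one is easy to get out of sync (a copy-pasted step with the wrong `BOOST_IMAGE_NAME` or a duplicated `scan_label`). The workflow below, an added example that is not part of the BoostSecurity documentation, expresses the same pattern as a job matrix: each matrix entry builds exactly one image and uploads its SBOM under its own label, so image name and label are derived from the same matrix value. The labels `api` and `worker`, the Dockerfile paths and the `local/...` image tags are hypothetical; only `BOOST_IMAGE_NAME`, `registry_module`, `scan_label` and `api_token` come from the examples above.

```yaml
name: BoostSecurity SBOM (container images)
on:
  workflow_dispatch:
  push:
    branches:
      - main
jobs:
  boost-image-sbom:
    name: Boost Container (${{ matrix.label }})
    runs-on: ubuntu-latest
    strategy:
      # Do not cancel the other images' SBOM uploads if one build fails.
      fail-fast: false
      matrix:
        # Hypothetical mono-repo layout: one Dockerfile per service.
        # Each entry becomes its own job, and `label` is reused as the
        # image tag and as the BoostSecurity scan_label, so the two
        # cannot drift apart.
        include:
          - label: api
            dockerfile: services/api/Dockerfile
          - label: worker
            dockerfile: services/worker/Dockerfile
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Build image
        # Tag with the commit SHA so the scanned image is unambiguously the
        # one built from this commit, never a stale local image.
        run: docker build -f "${{ matrix.dockerfile }}" -t "local/${{ matrix.label }}:${{ github.sha }}" .
      - name: Run Boost Trivy SBOM for Image
        uses: boostsecurityio/boostsec-scanner-github@v4
        env:
          BOOST_IMAGE_NAME: local/${{ matrix.label }}:${{ github.sha }}
        with:
          api_token: ${{ secrets.BOOST_API_TOKEN }}
          registry_module: boostsecurityio/trivy-sbom-image
          scan_label: ${{ matrix.label }}
```

Each matrix entry runs as a separate job on a fresh runner, so the image it scans is the one it just built, and adding a third image is a two-line change to the matrix rather than a new pair of steps. With the labels above, the inventories appear in the SBOM service as `<organization>/<repository>/api` and `<organization>/<repository>/worker`.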