Getting Started: SBOM Generation (SCA)

A quickstart guide to generating SBOMs for source code and containers.

Prerequisites

  1. Access to the Manifest platform
  2. Access to the SBOM target
    1. Source code: have the repository cloned locally.
    2. (Private) Github Repo: confirm you have credentials and read permissions to your company's Github repositories.

Generating SBOMs

Example: Github App

The Github App is the fastest way to generate SBOMs in Manifest, and it doesn't require any code or command lines. It relies on Github's native SBOM generation functionality.

Follow the steps in the Using the Github App guide to set it up, and you're good to go!


Example: Using the cli

To scan (local) git repositories, use Manifest's cli. The full guide is Using the CLI; here are the quick steps:

  1. Download the cli for your architecture

    brew install manifest-cyber/tap/manifest-cli

  2. Pick your generator

    1. We recommend syft, trivy, or cdxgen. Each has strengths and weaknesses.
      1. Containers: use syft or trivy
      2. Source code: use syft or cdxgen
    2. Keep in mind that each generator works differently. Reach out to your Manifest support rep for specific questions about picking the best generator for your target and use case.

  3. Install the generator

    Make sure the install location is on your OS execution path (see the cli README for detailed instructions).

    manifest-cli install -g syft

  4. Run the generator

    # Basic
    manifest-cli sbom path/to/repo

    # Specify some options: -f for output filename, -o for output format
    manifest-cli sbom -f bom.json -o cyclonedx-json path/to/repo

    # Specify the generator, making sure it's installed. Container example
    manifest-cli sbom -g trivy alpine:latest

    # Add custom Name and Version metadata to the output SBOM
    manifest-cli sbom --name=my-product --version=1.0.1 -o cyclonedx-json path/to/repo

    # Auto-publish SBOM to Manifest platform
    manifest-cli sbom --publish -k=MANIFEST_API_KEY path/to/repo

  5. Upload or view SBOM analysis

    If you used the --publish parameter or command on the cli, the SBOM will be automatically sent to the platform for analysis. Open app.manifestcyber.com and look for the most recently uploaded Asset on the Assets List page or on the Uploads page.

    If you have the SBOM file on your local machine, you can also manually drag-and-drop it into the app via the Uploads page.
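Before uploading a locally generated bom.json, it is worth checking that the generator actually produced what you asked for. The script below is an added example, not part of the Manifest cli or this guide: it checks a CycloneDX JSON SBOM (the `-o cyclonedx-json` output) for the standard CycloneDX fields, verifies that the `--name`/`--version` values landed in `metadata.component`, and flags components without a purl, which cannot be matched reliably against vulnerability data. The sample BOM is constructed inline so the script runs offline.

```python
"""Sanity-check a CycloneDX JSON SBOM before uploading it to Manifest.
Added example; the sample BOM below is constructed, not real generator output."""
import json

# Constructed sample in the shape of a CycloneDX 1.5 JSON BOM.
# The second component deliberately lacks a purl so the check fires.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "my-product", "version": "1.0.1"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "vendored-lib", "version": "0.3"},
    ],
})


def check_sbom(text, expected_name, expected_version):
    """Return a list of problems; an empty list means the SBOM is ready to publish."""
    problems = []
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if not bom.get("specVersion"):
        problems.append("missing specVersion")
    # --name / --version on the cli populate metadata.component; verify they landed.
    top = (bom.get("metadata") or {}).get("component") or {}
    if top.get("name") != expected_name:
        problems.append(f"metadata.component.name is {top.get('name')!r}, expected {expected_name!r}")
    if top.get("version") != expected_version:
        problems.append(f"metadata.component.version is {top.get('version')!r}, expected {expected_version!r}")
    comps = bom.get("components") or []
    if not comps:
        problems.append("no components: the generator probably did not recognise the target")
    # Components without a purl cannot be matched reliably against vulnerability data.
    for c in comps:
        if not c.get("purl"):
            problems.append(f"component {c.get('name')}@{c.get('version')} has no purl")
    return problems


if __name__ == "__main__":
    for p in check_sbom(SAMPLE_BOM, "my-product", "1.0.1"):
        print("WARN:", p)
```

Run it against your real output with `check_sbom(open("bom.json").read(), "my-product", "1.0.1")` and fix any reported problems before dragging the file into the Uploads page.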


Congrats!

Now you've generated and uploaded your first SBOM!