Getting Started: SBOM Generation
A quickstart guide to generating SBOMs for source code and containers. Manifest provides two ways to generate an SBOM: through our Command Line Interface (CLI) tool or through Github. We recommend using the CLI for increased accuracy and insight into your code.
Prerequisites
- Access to the Manifest Platform
- Manifest Platform API Key
- Access to the SBOM target
- Source code: have the repository cloned locally.
- Container: have permissions to access the registry from your terminal.
 
Generating SBOMs
Example: Using the CLI (recommended)
To scan (local) repositories, use Manifest's CLI. The complete CLI user guide is in Using the CLI, but here are the quick steps:
- Install the CLI. Instructions are found on the Github page for installation of the Manifest CLI.
 - Mac: Apple users can use the recommended installation with the shell "sh" command, or install with Homebrew:
  curl -sSfL https://raw.githubusercontent.com/manifest-cyber/cli/main/install.sh | sh -s
  brew install manifest-cyber/tap/manifest-cli
 - Linux: Linux users can also use the recommended installation with the shell "sh" command:
  curl -sSfL https://raw.githubusercontent.com/manifest-cyber/cli/main/install.sh | sh -s
 - Windows: installation is available for Windows through the "Manual Installation" options under the Windows-named zip files. When extracted, you will be able to use the exe installer. You can find the Windows file to download on the releases page.
- Pick your generator. We recommend syft, trivy, or cdxgen. Each has strengths and weaknesses.
 - Containers: use syft or trivy
 - Source code: use syft or cdxgen
 - C++ managed by Conan: use cdxgen
- Keep in mind that each generator works differently. Reach out to your Manifest support rep for specific questions about picking the best generator for your target and use case.
- Install the generator:
 manifest-cli install -g syft
- Run the generator:
 # Basic
 manifest-cli sbom <path/to/repo>
 # Specify some options: -f for output filename, -n for SBOM name in Manifest Platform
 manifest-cli sbom -f bom.json -n "SBOM Name from docs" <path/to/repo>
 # Specify the generator, making sure it's installed. Container example:
 manifest-cli sbom -g trivy alpine:latest
 # Add custom Name and Version metadata to the output SBOM
 manifest-cli sbom -n=my-product --version=1.0.1 -o cyclonedx-json <path/to/repo>
 # Auto-publish the SBOM to the Manifest platform
 manifest-cli sbom --publish -k=<MANIFEST_API_KEY> <path/to/repo>
- If you get an error saying the manifest-cli command cannot be run, you may need to follow the instructions for Mac/Linux or the instructions for Windows to fix the location the tool is called from.
 
- Upload or view the SBOM analysis. If you used the --publish parameter on the CLI, the SBOM is automatically sent to the platform for analysis. Open app.manifestcyber.com and look for the most recently uploaded Asset on the Assets List page or on the Uploads page. You can also manually drag-and-drop the SBOM file into the Manifest Platform via the Uploads page.
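Before publishing, it is worth sanity-checking the file the generator wrote: that it really is CycloneDX, that the top-level name/version match what you passed with -n and --version, and that no component is missing the version or purl needed for reliable matching. The check below is an added example, not code from the Manifest docs or CLI; the SBOM it inspects is a constructed sample in CycloneDX JSON shape, not real generator output.

```python
import json

# Constructed sample in the shape of a CycloneDX JSON SBOM, as a command such as
# `manifest-cli sbom -n=my-product --version=1.0.1 -o cyclonedx-json` would emit.
# Hand-written for this example (not real generator output); two components are
# deliberately incomplete to exercise the checks below.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application",
                               "name": "my-product", "version": "1.0.1"}},
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "left-pad", "version": "1.3.0"},  # no purl
        {"type": "library", "name": "mystery-lib"},                    # no version, no purl
    ],
})


def check_sbom(bom_text, expected_name, expected_version):
    """Sanity-check a CycloneDX JSON SBOM before publishing it.

    Verifies the document is CycloneDX, that the top-level component carries
    the name/version passed to the generator, and lists components lacking a
    version or a purl (those cannot be matched reliably against vulnerability data).
    """
    bom = json.loads(bom_text)
    findings = []
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        findings.append("not a CycloneDX document")
    top = bom.get("metadata", {}).get("component", {})
    if top.get("name") != expected_name:
        findings.append(f"metadata name {top.get('name')!r} != {expected_name!r}")
    if top.get("version") != expected_version:
        findings.append(f"metadata version {top.get('version')!r} != {expected_version!r}")
    components = bom.get("components", [])
    missing_version = [c.get("name") for c in components if not c.get("version")]
    missing_purl = [c.get("name") for c in components if not c.get("purl")]
    return {
        "component_count": len(components),
        "findings": findings,
        "missing_version": missing_version,
        "missing_purl": missing_purl,
        "ok": not (findings or missing_version or missing_purl),
    }


if __name__ == "__main__":
    for key, value in check_sbom(SAMPLE_BOM, "my-product", "1.0.1").items():
        print(f"{key}: {value}")
```

Run it against your real bom.json by replacing SAMPLE_BOM with the file contents; a non-empty missing_purl list is the usual sign that the generator could not resolve a package ecosystem for some files.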
Example: Github App
The Github App is the fastest way to generate SBOMs in Manifest, and it doesn't require any code or command lines. It relies on Github's native SBOM generation functionality.
Follow the steps in the Using the Github App guide to set it up, and you're good to go!
Congrats!
Now you've generated and uploaded your first SBOM!
