Using the CLI

The Manifest command-line interface makes it easy to generate, merge, and publish your SBOMs. The CLI is compatible with Linux, Windows, and Mac (both AMD and ARM architectures) and can be leveraged in your CI/CD pipeline tools, such as Github, CircleCI, Azure DevOps, etc. Reach out to your Manifest support member if you needed assistance with setting up this integration.

📘

Full documentation for the Manifest CLI is live on Github.

Installation

Instructions are found on the Github page for installation of the Manifest CLI

• Mac: Apple users can use the recommended installation with the shell "sh" command
• Linux: Linux users can also use the recommended installation with the shell "sh" command
• Windows: Installation is available for Windows through the "Manual Installation" options under the windows named zip files. When extracted, you will be able to use the exe installer.

Generators

The Manifest CLI is an orchestrator to make SBOM generation easy to start and automate. The CLI natively supports various open source SBOM generators, handling generator installation to generation.

Supported Broad Open Source Generators:

• Syft - Best for Source Code and Container Images
• Trivy - Best for Source Code and Binaries
• cdxgen (CycloneDX Generator) - Best for Source Code

Other Supported Tools:

• SigstoreBOM - For Signing and Verification of Signing
• Docker SBOM - For scanning Docker Containers only

Supported Artifacts

For a full explanation of supported languages and artifacts, please see the full documentation for that.

Here are some highlights for which generators to use for what artifacts:

Supported Actions:

• Generate SBOMs for 20+ programming languages, ecosystems, and artifacts
• AI Model Identification
• Upload SBOMs to Manifest
• Install SBOM Generators
• Digitally Sign SBOMs
• Verify Signed SBOMS
• Merge SBOMs