Ingest Software Bill of Materials (SBOM) data into SCS
A Software Bill of Materials (SBOM) is a list of all the components, libraries, and other dependencies used in a software application. While Harness SCS enables you to generate SBOMs, it also supports the ingestion of SBOMs in JSON, SPDX or CycloneDx formats, generated by any third-party tool.
This document provides a step-by-step guide to configuring the SBOM Orchestration step within SCS to seamlessly ingest SBOMs. To illustrate the process, we'll walk through generating an SBOM using the Trivy CLI in a CI Run step, followed by its ingestion using the SBOM Orchestration step.
If you are utilizing STO Steps to generate the SBOM and wish to ingest it, please refer:
Requirements
Generate the keys for SBOM Attestation - optional
For enhanced trust and verification of your SBOM's integrity, the SBOM Orchestration step offers optional signing and attestation generation. This functionality requires a private key, password, and corresponding public key. If you choose to skip signing, you can proceed without generating or storing these keys.
Here's how to set these keys if you choose to enable signing
- Generate the keys: Begin by generating the keys using Cosign
- Securely store the keys: Safeguard the generated private key, public key, and password by creating Harness file secrets for each.
Configure your pipeline to ingest SBOM
-
In your Harness pipeline, Navigate to the stage where you want to ingest the SBOM, and select the Overview tab.
-
In Shared Paths, enter a path to a location where your SBOM can be stored on the build machine, such as
/shared/customer_artifacts
. -
Add a step to your stage that generates an SBOM, such as a Run, Plugin, or GitHub Action step.
For example, this Run step uses Aqua Trivy to generate an SBOM.
trivy image \
--format spdx-json \
--output /shared/customer_artifacts/result.spdx.json \
ubuntu:22.04tipYou can also configure pipelines to ingest SBOM from STO scanner steps.
-
If your SBOM tool can't output directly to your Shared Path, then add commands or a Run step to copy the SBOM into the directory specified in Shared Paths.
-
Add an SBOM Orchestration step configured to ingest the SBOM:
SBOM Orchestration step in deploy stage can only be used in the Containerized Step Groups
- Step Mode: Set the step mode to Ingestion.
- SBOM File Path: enter the path to the SBOM file generated by your SBOM tool.
- Source: Set the source, which can be DockerHub, ECR, GCR, ACR or Repository. Depending on your selection, a unique set of fields will appear, each specific to the source you've chosen. Address these fields as required, this is similar to configuring the source in SBOM Orchestration step. For more details of what each field entails, please refer to the documentation on SBOM Orchestration. If you are using DockerHub, you can follow along.
- Image:, Enter the name of your image with tag, such as
my-docker-org/repo-name:tag
.
Generate key pairs using Cosign for SBOM Attestation
To perform the attestation process, you need to input the private key and password. You can use your preferred key generation services or use Cosign to generate them. Here's how you can generate keys using Cosign:
- Install Cosign
- Run the command
cosign generate-key-pair
to generate the key pairs. - Make sure to note the password used for generating the key pairs. This password is needed for attestation verification purpose.
- This command will generate a private key as a
.key
file and a public key as a.pub
file. To securely store these files, use Harness file secret.
-
Private Key (optional): Input your Private key from the Harness file secret.
-
Password (optional): Input your Password for the Private key from the Harness file secret.
Run the pipeline
When the pipeline runs, the SBOM Orchestration step performs the following actions:
- Ingests the SBOM to SCS module.
- Specifically for Containers:
- Generates and signs an attestation using the provided private key and password.
- Stores the SBOM in Harness and uploads the
.att
file to your container registry.
SBOMs for both Containers and Code Repositories are accessible in the Artifacts view. Additionally, you can locate the SBOM for any artifact on the Supply Chain tab within the Execution Details page in Harness. For detailed insights, please refer to the view pipeline execution results documentation.