Skip to main content

Ingest Software Bill of Materials (SBOM) data into SSCA

A Software Bill of Materials (SBOM) is a list of all the components, libraries, and other dependencies used in a software application. Harness SSCA can ingest JSON SPDX or CycloneDx formatted SBOM from any tool that can generate these report formats.


Use this configuration for scanners that don't have built-in support in SSCA. For scanners with built-in support, use the SSCA Orchestration step to generate SBOM or configure your pipeline to ingest results from an STO scanner step. For a list of all SSCA-supported scanners, go to What's supported for STO.

Generate a key pair

Keys are used to sign and verify attestations.

  1. Generate a public and private key pair. For example, you can use Cosign to generate key pairs.
  2. Create two Harness file secrets, one for the private key file and one for the public key file.
  3. Create a Harness text secret to store the password for the private key.

Configure your pipeline to ingest SBOM

  1. In your Harness pipeline, go to the stage where you want to ingest the SBOM, and select the Overview tab.

  2. In Shared Paths, enter a path to a location where your SBOM can be stored on the build machine, such as /shared/customer_artifacts.

  3. Add a step to your stage that generates an SBOM, such as a Run, Plugin, or GitHub Action step.

    For example, this Run step uses Aqua Trivy to generate an SBOM.

     trivy image \
    --format spdx-json \
    --output /shared/customer_artifacts/result.spdx.json \

    You can also configure pipelines to ingest SBOM from STO scanner steps.

  4. If your SBOM tool can't output directly to your Shared Path, then add commands or a Run step to copy the SBOM into the directory specified in Shared Paths.

  5. Add an SSCA Orchestration step configured to ingest the SBOM:

    • Set the Step Mode to Ingestion.
    • For SBOM File Path, enter the path to the SBOM file generated by your SBOM tool.
    • For Container Registry, select the Docker Registry connector that is configured for the Docker-compliant container registry where you stored the artifact associated with the SBOM, such as Docker Hub, Amazon ECR, or GCR.
    • For Image, enter the repo path (in your container registry) and tag for the image associated with the SBOM, such as my-docker-repo/my-artifact:latest.
    • Private Key: The Harness file secret containing the private key to use to sign the attestation.
    • Password: The Harness text secret containing the password for the private key.

ECR and GCR repos

If you're using Docker-compliant ECR or GCR repositories, you must:

  1. Configure your Docker Registry connector as a valid artifact source.
  2. Use the full URI for the Image in your SSCA Orchestration step, such as