sbomify/library
sbomify SBOM Library

A collection of Software Bill of Materials (SBOMs) for popular open-source projects, automatically extracted and uploaded to sbomify for public browsing.

Overview

This repository manages SBOM extraction from multiple sources:

  • Docker OCI Attestations - Extract SBOMs embedded in Docker images via BuildKit attestations
  • Chainguard Images - Download signed SBOM attestations from Chainguard images via cosign
  • GitHub Releases - Download SBOMs published as release assets
  • Lockfile Sources - Download lockfiles for SBOM generation by sbomify

Each app has its own folder with version tracking. When you bump the version in config.yaml, only that app's SBOM is rebuilt and uploaded - not the entire repository.

Note: Each version only needs to be processed once. Once an SBOM is uploaded to sbomify, it is permanently stored there. There is no need to re-process the same version.

Projects

Each SBOM is discoverable via the Transparency Exchange API (TEA) using the TEI identifiers listed below.

Operating Systems

| Project | Source | TEI | Job |
|---|---|---|---|
| Alpine Linux | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/alpine | SBOM |
| Amazon Linux | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/amazonlinux | SBOM |
| Debian | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/debian | SBOM |
| Fedora | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/fedora | SBOM |
| Oracle Linux | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/oraclelinux | SBOM |
| Rocky Linux | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/rockylinux | SBOM |
| Ubuntu | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/ubuntu | SBOM |

Languages & Runtimes

| Project | Source | TEI | Job |
|---|---|---|---|
| Eclipse Temurin | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/eclipse-temurin | SBOM |
| Elixir | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/elixir | SBOM |
| Erlang | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/erlang | SBOM |
| Go | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/golang | SBOM |
| Haskell (GHC) | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/haskell | SBOM |
| Julia | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/julia | SBOM |
| Node.js | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/node | SBOM |
| Perl | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/perl | SBOM |
| PHP | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/php | SBOM |
| Python | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/python | SBOM |
| R | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/r-base | SBOM |
| Ruby | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/ruby | SBOM |
| Rust | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/rust | SBOM |
| Swift | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/swift | SBOM |

Databases

| Project | Source | TEI | Job |
|---|---|---|---|
| Apache Cassandra | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/cassandra | SBOM |
| InfluxDB | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/influxdb | SBOM |
| MariaDB | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/mariadb | SBOM |
| Memcached | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/memcached | SBOM |
| MongoDB | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/mongo | SBOM |
| Mongo Express | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/mongo-express | SBOM |
| MySQL | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/mysql | SBOM |
| Neo4j | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/neo4j | SBOM |
| PostgreSQL | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/postgres | SBOM |
| Redis | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/redis | SBOM |
| Apache Solr | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/solr | SBOM |

Web & Application Servers

| Project | Source | TEI | Job |
|---|---|---|---|
| Apache HTTP Server | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/httpd | SBOM |
| Apache Tomcat | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/tomcat | SBOM |
| Caddy | GitHub Release | urn:tei:purl:library.sbomify.com:pkg:github/caddyserver/caddy | SBOM |
| HAProxy | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/haproxy | SBOM |
| Kong Gateway | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/kong | SBOM |
| Nginx | Chainguard | urn:tei:purl:library.sbomify.com:pkg:oci/cgr.dev/chainguard/nginx | SBOM |
| Traefik | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/traefik | SBOM |

Applications & Platforms

| Project | Source | TEI | Job |
|---|---|---|---|
| Drupal | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/drupal | SBOM |
| Ghost | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/ghost | SBOM |
| Keycloak | Lockfile | urn:tei:purl:library.sbomify.com:pkg:github/keycloak/keycloak | SBOM |
| Keycloak JS | Lockfile | urn:tei:purl:library.sbomify.com:pkg:github/keycloak/keycloak | SBOM |
| SonarQube | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/sonarqube | SBOM |
| WordPress | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/wordpress | SBOM |

Build Tools

| Project | Source | TEI | Job |
|---|---|---|---|
| Gradle | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/gradle | SBOM |
| Apache Maven | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/maven | SBOM |

Infrastructure & Messaging

| Project | Source | TEI | Job |
|---|---|---|---|
| Bash | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/bash | SBOM |
| Docker Registry | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/registry | SBOM |
| Eclipse Mosquitto | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/eclipse-mosquitto | SBOM |
| RabbitMQ | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/rabbitmq | SBOM |
| Telegraf | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/telegraf | SBOM |
| Apache ZooKeeper | Docker | urn:tei:purl:library.sbomify.com:pkg:docker/library/zookeeper | SBOM |

Security & SBOM Tools

| Project | Source | TEI | Job |
|---|---|---|---|
| Dependency Track | GitHub Release | urn:tei:purl:library.sbomify.com:pkg:github/DependencyTrack/dependency-track | SBOM |
| Dependency Track Frontend | GitHub Release | urn:tei:purl:library.sbomify.com:pkg:github/DependencyTrack/frontend | SBOM |
| OSV Scanner | Lockfile | urn:tei:purl:library.sbomify.com:pkg:github/google/osv-scanner | SBOM |
| Syft | Lockfile | urn:tei:purl:library.sbomify.com:pkg:github/anchore/syft | SBOM |
| Trivy | GitHub Release | urn:tei:purl:library.sbomify.com:pkg:github/aquasecurity/trivy | SBOM |

Directory Structure

.
├── .github/
│   └── workflows/
│       ├── sbom-builder.yml          # Reusable workflow (main logic)
│       ├── _sbom-template.yml        # Template for new app workflows
│       └── sbom-<app-name>.yml       # Per-app workflow
├── apps/
│   └── <app-name>/                   # Example app
│       └── config.yaml               # App configuration (includes version)
├── scripts/
│   ├── fetch-sbom.sh                 # Main entry point
│   ├── check-updates.sh              # Check for upstream version updates
│   ├── lib/
│   │   └── common.sh                 # Shared utilities
│   └── sources/
│       ├── docker-attestation.sh     # Docker extraction
│       ├── github-release.sh         # GitHub release download
│       └── lockfile-generator.sh     # Lockfile download
└── README.md

Quick Start

Adding a New App

  1. Create the app folder:

         mkdir -p apps/myapp

  2. Create apps/myapp/config.yaml:

         name: myapp
         version: "1.0.0"  # Must be valid semver
         format: cyclonedx  # or spdx

         source:
           type: docker  # or github_release, lockfile, chainguard
           image: "library/myapp"
           registry: "docker.io"

         sbomify:
           component_id: "your-component-id"
           component_name: "My App"

     Valid version formats: 1.2.3, 1.2.3-rc1, 1.2.3-alpha.1+build. Note: latest is not allowed.

  3. Create the workflow file:

         cp .github/workflows/_sbom-template.yml .github/workflows/sbom-myapp.yml
         # Edit the file and replace 'example-app' with 'myapp'

  4. Commit and push:

         git add apps/myapp .github/workflows/sbom-myapp.yml
         git commit -m "Add myapp SBOM"
         git push

Bumping a Version

Simply update the version field in config.yaml:

# apps/nginx/config.yaml
name: nginx
version: "1.26.0"  # Update this line
...
git add apps/nginx/config.yaml
git commit -m "Bump nginx to 1.26.0"
git push

The GitHub Action will automatically rebuild and upload only the nginx SBOM.

Configuration Reference

App Configuration (config.yaml)

# Required: App name (should match folder name)
name: nginx

# Required: Version (must be valid semver)
version: "1.25.4"

# Required: SBOM format
format: cyclonedx  # cyclonedx | spdx

# Required: Source configuration
source:
  type: docker  # docker | github_release | lockfile | chainguard

  # ... source-specific options (see below)

# Required for upload: sbomify configuration
sbomify:
  component_id: "abc123-def456"
  component_name: "Nginx"

Source Types

Docker OCI Attestations

Extract SBOMs from Docker image attestations (requires images built with BuildKit SBOM support):

source:
  type: docker
  image: "library/nginx"          # Image name (required)
  registry: "docker.io"           # Registry (default: docker.io)
  platform: "linux/amd64"         # Platform (default: linux/amd64)

Chainguard Images

Download signed SBOM attestations from Chainguard images using cosign:

source:
  type: chainguard
  image: "nginx"                  # Chainguard image name (required)
  registry: "cgr.dev/chainguard"  # Registry (default: cgr.dev/chainguard)
  platform: "linux/amd64"         # Platform (default: linux/amd64)

Note: Chainguard images use SPDX format by default. Set format: spdx in your config.
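Both the Docker and the Chainguard source deliver the SBOM wrapped in an in-toto attestation: a DSSE envelope whose payload is a Statement carrying the SBOM as the predicate and the image digest as the subject. The following is an added example, not code from this repository, showing the checks a consumer should make on that payload once signature verification (for example with cosign verify-attestation) has passed: the payload type, the Statement type, that predicateType is an SBOM type, and that the subject digest is the digest of the image that was actually pulled. The envelope, digest and SBOM contents are constructed for the example, and the helper names (extract_sbom, is_bound_to, make_envelope) are the example's own.

```python
"""Sanity-check an SBOM attestation payload before trusting the SBOM inside it.

Added example (not code from sbomify/library). Docker BuildKit SBOM attestations
and the cosign attestations on Chainguard images both carry the SBOM as the
`predicate` of an in-toto Statement; `predicateType` identifies the SBOM format
and `subject` lists the image digest the statement is about. The DSSE envelope
shape is what `cosign download attestation` prints; the sample statement and
digest below are constructed.
"""
import base64
import json

STATEMENT_TYPES = {
    "https://in-toto.io/Statement/v0.1",
    "https://in-toto.io/Statement/v1",
}
# predicateType URIs cosign uses for SPDX (--type spdxjson) and CycloneDX (--type cyclonedx)
SBOM_PREDICATES = {
    "https://spdx.dev/Document": "spdx",
    "https://cyclonedx.org/bom": "cyclonedx",
}


class AttestationError(ValueError):
    """Raised when the envelope does not carry an SBOM for the expected image."""


def extract_sbom(envelope, expected_sha256):
    """Return (format, sbom_dict) from a DSSE envelope bound to expected_sha256.

    Only the payload's contents are checked here. Signature verification is a
    separate step (cosign verify-attestation, or BuildKit's registry lookup)
    and must have passed before the payload is trusted at all.
    """
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise AttestationError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    try:
        statement = json.loads(base64.b64decode(envelope["payload"]))
    except (KeyError, ValueError) as exc:
        raise AttestationError(f"payload is not base64-encoded JSON: {exc}") from exc
    if statement.get("_type") not in STATEMENT_TYPES:
        raise AttestationError(f"not an in-toto Statement: {statement.get('_type')!r}")
    fmt = SBOM_PREDICATES.get(statement.get("predicateType"))
    if fmt is None:
        raise AttestationError(f"predicateType {statement.get('predicateType')!r} is not an SBOM")
    # The subject binds the SBOM to one image digest. Compare against the digest
    # you resolved for the tag and platform you pulled, never against a digest
    # read out of the attestation itself.
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if expected_sha256 not in digests:
        found = sorted(d for d in digests if d)
        raise AttestationError(f"attestation subject {found} does not match {expected_sha256}")
    return fmt, statement["predicate"]


def is_bound_to(envelope, expected_sha256):
    """Boolean form of extract_sbom, convenient for CI gates and assertions."""
    try:
        extract_sbom(envelope, expected_sha256)
        return True
    except AttestationError:
        return False


def make_envelope(statement):
    """Wrap a statement the way DSSE does (signatures left empty: constructed sample)."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": "application/vnd.in-toto+json", "payload": payload, "signatures": []}


# Constructed sample: a minimal SPDX predicate for a made-up image digest.
SAMPLE_DIGEST = "11" * 32  # placeholder sha256 hex, not a real image digest
SAMPLE_ENVELOPE = make_envelope({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "subject": [{"name": "cgr.dev/chainguard/nginx", "digest": {"sha256": SAMPLE_DIGEST}}],
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "name": "cgr.dev/chainguard/nginx",
        "packages": [{"name": "nginx", "versionInfo": "1.0.0"}],  # constructed
    },
})

if __name__ == "__main__":
    fmt, sbom = extract_sbom(SAMPLE_ENVELOPE, SAMPLE_DIGEST)
    print(fmt, sbom["packages"][0]["name"])
    print(is_bound_to(SAMPLE_ENVELOPE, "00" * 32))  # digest mismatch -> False
```

The digest check is the part that matters for a library like this one: a multi-arch tag resolves to a different digest per platform, so an attestation fetched for linux/amd64 must be bound to the linux/amd64 manifest digest, and a mismatch means the SBOM describes something other than the image under review.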

GitHub Release

Download SBOMs from GitHub release assets:

source:
  type: github_release
  repo: "owner/repo"              # GitHub repository (required)
  asset: "bom.json"               # Asset filename (required, supports ${version})
  tag_prefix: "v"                 # Tag prefix (default: "")
  tag_suffix: ""                  # Tag suffix (default: "")

The asset field supports ${version} substitution for projects that include the version in the asset filename:

source:
  type: github_release
  repo: "caddyserver/caddy"
  asset: "caddy_${version}_linux_amd64.sbom"  # Becomes caddy_2.10.1_linux_amd64.sbom
  tag_prefix: "v"

Lockfile Sources

Download lockfiles for SBOM generation by the sbomify GitHub Action:

source:
  type: lockfile
  repo: "owner/repo"              # GitHub repository (required)
  lockfile: "package-lock.json"   # Path to lockfile (required)
  tag_prefix: "v"                 # Tag prefix
  clone: false                    # Shallow clone repo instead of downloading lockfile

For projects with complex dependency structures (e.g., Maven multi-module projects), set clone: true to perform a shallow clone of the entire repository:

source:
  type: lockfile
  repo: "keycloak/keycloak"
  lockfile: "pom.xml"
  clone: true                     # Clone repo for full dependency resolution

Note: SBOM generation from lockfiles is handled automatically by the sbomify GitHub Action.
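The Quick Start and the Configuration Reference above spell out what a config.yaml must contain: a name matching its folder, a quoted semver version (latest is rejected), a format of cyclonedx or spdx, a sbomify component_id, and the fields each source type requires, with github_release additionally building its tag from tag_prefix and tag_suffix and substituting ${version} into the asset name. The following added example, not code from this repository (whose own checks live in its bash scripts), implements those rules as a pre-commit check. It assumes config.yaml has already been loaded into a dict (for instance with PyYAML); the sample configs and the component id are constructed, and the function names are the example's own.

```python
"""Validate an app config.yaml and derive the release artefact it points at.

Added example, not code from sbomify/library. Assumes the YAML has already
been parsed into a dict; the configs at the bottom are constructed samples.
"""
import re
import string

# Semver 2.0.0: MAJOR.MINOR.PATCH with optional -prerelease and +build, no leading zeros
SEMVER_RE = re.compile(
    r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-(?:0|[1-9]\d*|\d*[A-Za-z-][0-9A-Za-z-]*)"
    r"(?:\.(?:0|[1-9]\d*|\d*[A-Za-z-][0-9A-Za-z-]*))*)?"
    r"(?:\+[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?$"
)
FORMATS = {"cyclonedx", "spdx"}
REPO_RE = re.compile(r"^[\w.-]+/[\w.-]+$")
# Source-specific required keys, as listed in the Source Types section
REQUIRED_SOURCE_KEYS = {
    "docker": ("image",),
    "chainguard": ("image",),
    "github_release": ("repo", "asset"),
    "lockfile": ("repo", "lockfile"),
}


def is_semver(value):
    """True for strings such as 1.2.3, 1.2.3-rc1 or 1.2.3-alpha.1+build.

    The isinstance check matters: an unquoted `version: 1.26` loads from YAML
    as the float 1.26, which is why the README quotes the version.
    """
    return isinstance(value, str) and SEMVER_RE.match(value) is not None


def validate_config(cfg, folder_name):
    """Return a list of problems; an empty list means the config is acceptable."""
    errors = []
    for key in ("name", "version", "format", "source", "sbomify"):
        if key not in cfg:
            errors.append(f"missing required key '{key}'")
    if errors:
        return errors
    if cfg["name"] != folder_name:
        errors.append(f"name {cfg['name']!r} does not match folder {folder_name!r}")
    if not is_semver(cfg["version"]):
        errors.append(f"version {cfg['version']!r} is not valid semver ('latest' is not allowed)")
    if cfg["format"] not in FORMATS:
        errors.append(f"format must be one of {sorted(FORMATS)}, got {cfg['format']!r}")
    source = cfg["source"] if isinstance(cfg["source"], dict) else {}
    stype = source.get("type")
    if stype not in REQUIRED_SOURCE_KEYS:
        errors.append(f"unknown source.type {stype!r}")
    else:
        for key in REQUIRED_SOURCE_KEYS[stype]:
            if not source.get(key):
                errors.append(f"source.{key} is required for type {stype}")
        if stype in ("github_release", "lockfile") and not REPO_RE.match(str(source.get("repo", ""))):
            errors.append("source.repo must look like owner/repo")
    sbomify = cfg["sbomify"] if isinstance(cfg["sbomify"], dict) else {}
    if not sbomify.get("component_id"):
        errors.append("sbomify.component_id is required for upload")
    return errors


def release_ref(cfg):
    """For a github_release source, return (git tag, asset filename).

    The tag is tag_prefix + version + tag_suffix; `${version}` in the asset
    name is replaced with the configured version.
    """
    source = cfg["source"]
    if source.get("type") != "github_release":
        raise ValueError("release_ref only applies to github_release sources")
    version = cfg["version"]
    tag = f"{source.get('tag_prefix', '')}{version}{source.get('tag_suffix', '')}"
    asset = string.Template(source["asset"]).substitute(version=version)
    return tag, asset


# Constructed sample configs; the component id is a placeholder.
CADDY = {
    "name": "caddy", "version": "2.10.1", "format": "cyclonedx",
    "source": {"type": "github_release", "repo": "caddyserver/caddy",
               "asset": "caddy_${version}_linux_amd64.sbom", "tag_prefix": "v"},
    "sbomify": {"component_id": "placeholder-component-id", "component_name": "Caddy"},
}
BROKEN = {
    "name": "myapp", "version": "latest", "format": "json",
    "source": {"type": "docker"},              # image is missing
    "sbomify": {"component_name": "My App"},   # component_id is missing
}

if __name__ == "__main__":
    print(validate_config(CADDY, "caddy"))     # []
    print(release_ref(CADDY))                  # ('v2.10.1', 'caddy_2.10.1_linux_amd64.sbom')
    for problem in validate_config(BROKEN, "myapp"):
        print("BROKEN:", problem)
```

Running this over every apps/*/config.yaml before pushing catches the mistakes that would otherwise only surface inside the GitHub Action: an unquoted version, a typo in the source type, or a github_release asset pattern that does not expand to the filename the project actually publishes.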

Local Development

Prerequisites

  • bash 4.0+
  • jq - JSON processor
  • yq - YAML processor

For Docker sources:

  • docker with buildx, or
  • crane (from go-containerregistry), or
  • oras

For Chainguard sources:

  • cosign (from sigstore)

For lockfile sources:

  • No additional tools required (SBOM generation handled by sbomify GitHub Action)

Running Locally

# Fetch SBOM for an app
./scripts/fetch-sbom.sh nginx

# Fetch with verbose output
./scripts/fetch-sbom.sh nginx --verbose

# Dry-run mode (no actual fetching)
./scripts/fetch-sbom.sh nginx --dry-run

Checking for Updates

# Check all apps for upstream version updates
./scripts/check-updates.sh

# Only check specific source type
./scripts/check-updates.sh --type docker

# Check specific apps
./scripts/check-updates.sh --app redis,trivy

# Auto-update config.yaml files
./scripts/check-updates.sh --update

# Preview updates without writing
./scripts/check-updates.sh --update --dry-run

# JSON output (for CI)
./scripts/check-updates.sh --json

Environment Variables

| Variable | Description | Default |
|---|---|---|
| LOG_LEVEL | Logging level: DEBUG, INFO, WARN, ERROR | INFO |
| DRY_RUN | Run in dry-run mode | false |
| SBOMIFY_TOKEN | sbomify API token for upload | - |
| GH_TOKEN | GitHub token for API access | - |

GitHub Actions

Secrets

Configure these secrets in your repository:

| Secret | Description | Required |
|---|---|---|
| SBOMIFY_TOKEN | sbomify API token for uploading SBOMs | For upload |

Manual Trigger

Each app workflow can be manually triggered from the Actions tab with optional dry-run mode.

Workflow Structure

  • Per-app workflows (sbom-<app-name>.yml) - Thin wrappers that trigger on config.yaml changes
  • Reusable workflow (sbom-builder.yml) - Contains all the build logic
  • Template (_sbom-template.yml) - Copy this to create new app workflows

This design ensures:

  1. Only the changed app is rebuilt (via path filters on config.yaml)
  2. Build logic is centralized and maintainable
  3. New apps just need a simple workflow file

Contributing

  1. Fork the repository
  2. Add your app following the Quick Start guide
  3. Test locally with ./scripts/fetch-sbom.sh <app-name>
  4. Submit a pull request

License

See LICENSE for details.
