Skip to main content

Ingest SBOM from Snyk into SSCA

This workflow describes how to ingest Snyk scan results into a Harness pipeline. STO supports the following scan approaches for the following Snyk products:

  • Snyk Container SBOM via an ingestion workflow
  • Snyk Open Source SBOM via STO Snyk step

Generating and ingesting a Snyk Container SBOM

A Software Bill of Materials (SBOM) is a list of all the components, libraries, and other dependencies used in a software application. Harness SSCA can ingest JSON SPDX or CycloneDx formatted SBOM from any tool that can generate these report formats.

Generate the keys for SBOM Attestation - optional

For enhanced trust and verification of your SBOM's integrity, the SBOM Orchestration step offers optional signing and attestation generation. This functionality requires a private key, password, and corresponding public key. If you choose to skip signing, you can proceed without generating or storing these keys.

Here's how to set these keys if you choose to enable signing

  • Generate the keys: Begin by generating the keys using Cosign
  • Securely store the keys: Safeguard the generated private key, public key, and password by creating Harness file secrets for each.

Configure your pipeline to ingest SBOM

  1. In your Harness pipeline, go to the stage where you want to ingest the SBOM, and select the Overview tab.

  2. In Shared Paths, enter a path to a location where your SBOM can be stored on the build machine, such as /shared/customer_artifacts.

  3. Add a step to your stage that generates an SBOM, such as a Run, Plugin, or GitHub Action step.

    For example, you could use the following command in a Run step to generate a Snyk SBOM.

    snyk container sbom --format=spdx2.3+json \
    ubuntu:22.04 > /shared/customer_artifacts/result.spdx.json
  4. Verify that step above is configured to output the file to one of the Shared Paths (i.e /shared/customer_artifacts/result.spdx.json)

  5. Add an SBOM Orchestration step configured to ingest the SBOM:

    • Step Mode: Set the step mode to Ingestion.
    • SBOM File Path: enter the path to the SBOM file generated by your SBOM tool.
    • Source: Set the source, which can be DockerHub, ECR, GCR, ACR or Repository. Depending on your selection, a unique set of fields will appear, each specific to the source you've chosen. Address these fields as required, this is similar to configuring the source in SBOM Orchestration step. For more details of what each field entails, please refer to the documentation on SBOM Orchestration. If you are using DockerHub, you can follow along. *Image:, Enter the name of your image with tag, such as my-docker-org/repo-name:tag.
    Generate key pairs using Cosign for SBOM Attestation

    To perform the attestation process, you need to input the private key and password. You can use your preferred key generation services or use Cosign to generate them. Here's how you can generate keys using Cosign:

    1. Install Cosign
    2. Run the command cosign generate-key-pair to generate the key pairs.
    3. Make sure to note the password used for generating the key pairs. This password is needed for attestation verification purpose.
    4. This command will generate a private key as a .key file and a public key as a .pub file. To securely store these files, use Harness file secret.

Generate and ingest a Snyk Open Source SBOM

Configure the STO scan step to generate SBOM

Configure the Snyk STO scanner step, and make sure you select Generate SBOM and the SBOM Format.

Get the SBOM file path

The Snyk STO step creates a JOB_ID output variable that you can use to reference the SBOM file path in the SBOM Orchestration step.

  1. Replace STAGE_ID and STEP_ID in the following Harness expression with the stage ID and step ID for your Snyk STO step.

    <+pipeline.stages.STAGE_ID.spec.execution.steps.STEP_ID.output.outputVariables.JOB_ID>
  2. Use the expression in your SBOM file path. The exact path depends on where your scanner outputs SBOM files. For example, this filepath references a Snyk STO step with the ID mysnykstep in a stage with the ID mybuildstage:

    /addon/results/<+pipeline.stages.mybuildstage.spec.execution.steps.mysnykstep.output.outputVariables.JOB_ID>.sbom
tip

Alternately, you can get the output path and output variable expression from a previous run of the same pipeline. To do this, go to the execution details page, select the stage with the STO scanner step, and then select the STO scanner step. In the step's logs, you can find the output path, and you can get the output variable from the Output tab.

Configure the SBOM Orchestration step

Add an SBOM Orchestration step configured to ingest the SBOM.

info

SBOM Orchestration step in deploy stage can only be used in the Containerized Step Groups

  • Step Mode: Set the step mode to Ingestion.
  • SBOM File Path: enter the SBOM file path that uses the JOB_ID value, as detailed in Get the SBOM file path.
  • Source: Set the source, which can be DockerHub, ECR, GCR, ACR or Repository. Depending on your selection, a unique set of fields will appear, each specific to the source you've chosen. Address these fields as required, this is similar to configuring the source in SBOM Orchestration step. For more details of what each field entails, please refer to the documentation on SBOM Orchestration. If you are using DockerHub, you can follow along.
  • Image:, Enter the name of your image with tag, such as my-docker-org/repo-name:tag.
  • Private Key: Select the Harness file secret containing the private key to use to sign the attestation.
  • Password: Select the Harness text secret containing the password for the private key.