Skip to main content

Ingest Software Bill of Materials (SBOM) data into SSCA

A Software Bill of Materials (SBOM) is a list of all the components, libraries, and other dependencies used in a software application. While Harness SSCA enables you to generate SBOMs, it also supports the ingestion of SBOMs in JSON, SPDX or CycloneDx formats, generated by any third-party tool.

This document provides a step-by-step guide to configuring the SBOM Orchestration step within SSCA to seamlessly ingest SBOMs. To illustrate the process, we'll walk through generating an SBOM using the Trivy CLI in a CI Run step, followed by its ingestion using the SBOM Orchestration step.

info

If you are utilizing STO Steps to generate the SBOM and wish to ingest it, please refer:

Requirements

Generate the keys for SBOM Attestation - optional

For enhanced trust and verification of your SBOM's integrity, the SBOM Orchestration step offers optional signing and attestation generation. This functionality requires a private key, password, and corresponding public key. If you choose to skip signing, you can proceed without generating or storing these keys.

Here's how to set these keys if you choose to enable signing

  • Generate the keys: Begin by generating the keys using Cosign
  • Securely store the keys: Safeguard the generated private key, public key, and password by creating Harness file secrets for each.

Configure your pipeline to ingest SBOM

  1. In your Harness pipeline, Navigate to the stage where you want to ingest the SBOM, and select the Overview tab.

  2. In Shared Paths, enter a path to a location where your SBOM can be stored on the build machine, such as /shared/customer_artifacts.

  3. Add a step to your stage that generates an SBOM, such as a Run, Plugin, or GitHub Action step.

    For example, this Run step uses Aqua Trivy to generate an SBOM.

     trivy image \
    --format spdx-json \
    --output /shared/customer_artifacts/result.spdx.json \
    ubuntu:22.04
    tip

    You can also configure pipelines to ingest SBOM from STO scanner steps.

  4. If your SBOM tool can't output directly to your Shared Path, then add commands or a Run step to copy the SBOM into the directory specified in Shared Paths.

  5. Add an SBOM Orchestration step configured to ingest the SBOM:

info

SBOM Orchestration step in deploy stage can only be used in the Containerized Step Groups

  • Step Mode: Set the step mode to Ingestion.
  • SBOM File Path: enter the path to the SBOM file generated by your SBOM tool.
  • Source: Set the source, which can be DockerHub, ECR, GCR, ACR or Repository. Depending on your selection, a unique set of fields will appear, each specific to the source you've chosen. Address these fields as required, this is similar to configuring the source in SBOM Orchestration step. For more details of what each field entails, please refer to the documentation on SBOM Orchestration. If you are using DockerHub, you can follow along.
  • Image:, Enter the name of your image with tag, such as my-docker-org/repo-name:tag.
Generate key pairs using Cosign for SBOM Attestation

To perform the attestation process, you need to input the private key and password. You can use your preferred key generation services or use Cosign to generate them. Here's how you can generate keys using Cosign:

  1. Install Cosign
  2. Run the command cosign generate-key-pair to generate the key pairs.
  3. Make sure to note the password used for generating the key pairs. This password is needed for attestation verification purpose.
  4. This command will generate a private key as a .key file and a public key as a .pub file. To securely store these files, use Harness file secret.

Run the pipeline

​ When the pipeline runs, the SBOM Orchestration step performs the following actions:

  • Ingests the SBOM to SSCA module.
  • Specifically for Containers:
    • Generates and signs an attestation using the provided private key and password.
    • Stores the SBOM in Harness and uploads the .att file to your container registry.

SBOMs for both Containers and Code Repositories are accessible in the Artifacts view. Additionally, you can locate the SBOM for any artifact on the Supply Chain tab within the Execution Details page in Harness. For detailed insights, please refer to the view pipeline execution results documentation.