Skip to content

zarf tools sbom

zarf tools sbom

Generates a Software Bill of Materials (SBOM) for the given package

Synopsis

Generate a packaged-based Software Bill Of Materials (SBOM) from container images and filesystems

zarf tools sbom [flags]

Options

      --base-path string                          base directory for scanning, no links will be followed above this directory, and all paths will be reported relative to this directory
  -c, --config string                             syft configuration file
      --enrich stringArray                        enable package data enrichment from local and online sources (options: all, golang, java, javascript)
      --exclude stringArray                       exclude paths from being scanned using a glob expression
      --file string                               file to write the default report output to (default is STDOUT) (DEPRECATED: use: output)
      --from stringArray                          specify the source behavior to use (e.g. docker, registry, oci-dir, ...)
  -h, --help                                      help for sbom
  -o, --output stringArray                        report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-table])
      --override-default-catalogers stringArray   set the base set of catalogers to use (defaults to 'image' or 'directory' depending on the scan source)
      --platform string                           an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
  -q, --quiet                                     suppress all logging output
  -s, --scope string                              selection of layers to catalog, options=[squashed all-layers]
      --select-catalogers stringArray             add, remove, and filter the catalogers to be used
      --source-name string                        set the name of the target being analyzed
      --source-version string                     set the version of the target being analyzed
  -t, --template string                           specify the path to a Go template file
  -v, --verbose count                             increase verbosity (-v = info, -vv = debug)

Options inherited from parent commands

      --insecure-skip-tls-verify   Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
      --plain-http                 Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.

SEE ALSO

zarf tools - Collection of additional tools to make airgap easier
zarf tools sbom attest - Generate an SBOM as an attestation for the given [SOURCE] container image
zarf tools sbom cataloger - Show available catalogers and configuration
zarf tools sbom config - show the syft configuration
zarf tools sbom convert - Convert between SBOM formats
zarf tools sbom login - Log in to a registry
zarf tools sbom scan - Generate an SBOM
zarf tools sbom version - show version information