This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Generate SBOM

To generate the Software Bill of Materials (SBOM), complete the following steps.

  1. Run the following command.

    kubeclarity-cli analyze <image/directory name> --input-type <dir|file|image(default)> -o <output file or stdout>
    

    For example:

    kubeclarity-cli analyze --input-type image nginx:latest -o nginx.sbom
    

    Example output:

    INFO[0000] Called syft analyzer on source registry:nginx:latest  analyzer=syft app=kubeclarity
    INFO[0004] Skipping analyze unsupported source type: image  analyzer=gomod app=kubeclarity
    INFO[0004] Sending successful results                    analyzer=syft app=kubeclarity
    INFO[0004] Got result for job "syft"                     app=kubeclarity
    INFO[0004] Got result for job "gomod"                    app=kubeclarity
    INFO[0004] Skip generating hash in the case of image    
    
  2. Verify that the ngnix.sbom file is generated and explore its contents as in below:

    head ngnix.sbom
    

    Example output:

    {
      "bomFormat": "CycloneDX",
      "specVersion": "1.4",
      "serialNumber": "urn:uuid:8cca2aa3-1aaa-4e8c-9d44-08e88b1df50d",
      "version": 1,
      "metadata": {
        "timestamp": "2023-05-19T16:27:27-07:00",
        "tools": [
          {
            "vendor": "kubeclarity",
    
  3. To run also the trivy scanner and merge the output into a single SBOM, run:

    ANALYZER_LIST="syft gomod trivy" kubeclarity-cli analyze --input-type image nginx:latest -o nginx.sbom
    

    Example output:

    INFO[0000] Called syft analyzer on source registry:nginx:latest  analyzer=syft app=kubeclarity
    INFO[0004] Called trivy analyzer on source image nginx:latest  analyzer=trivy app=kubeclarity
    INFO[0004] Skipping analyze unsupported source type: image  analyzer=gomod app=kubeclarity
    INFO[0005] Sending successful results                    analyzer=syft app=kubeclarity
    INFO[0005] Sending successful results                    analyzer=trivy app=kubeclarity
    INFO[0005] Got result for job "trivy"                    app=kubeclarity
    INFO[0005] Got result for job "syft"                     app=kubeclarity
    INFO[0005] Got result for job "gomod"                    app=kubeclarity
    INFO[0005] Skip generating hash in the case of image   
    

Export scan results to backend

  1. To export CLI-generated results to the backend, from the left menu bar select Applications, then copy the ID from the KubeClarity UI. If your application is not listed yet, select + New Application, and create a new pod.

    Resource ID on the UI

  2. To export the generated SBOMs to a running KubeClarity backend pod, use the -e flag and the ID as the <application ID> value in the following command.

    BACKEND_HOST=<KubeClarity backend address> BACKEND_DISABLE_TLS=true kubeclarity-cli analyze <image> --application-id <application ID> -e -o <SBOM output file>
    

    For example:

    BACKEND_HOST=localhost:9999 BACKEND_DISABLE_TLS=true kubeclarity-cli analyze nginx:latest --application-id 23452f9c-6e31-5845-bf53-6566b81a2906 -e -o nginx.sbom
    

    Example output:

    INFO[0000] Called syft analyzer on source registry:nginx:latest  analyzer=syft app=kubeclarity
    INFO[0004] Called trivy analyzer on source image nginx:latest  analyzer=trivy app=kubeclarity
    INFO[0004] Skipping analyze unsupported source type: image  analyzer=gomod app=kubeclarity
    INFO[0004] Sending successful results                    analyzer=syft app=kubeclarity
    INFO[0004] Got result for job "syft"                     app=kubeclarity
    INFO[0004] Got result for job "gomod"                    app=kubeclarity
    INFO[0004] Sending successful results                    analyzer=trivy app=kubeclarity
    INFO[0004] Got result for job "trivy"                    app=kubeclarity
    INFO[0004] Skip generating hash in the case of image    
    INFO[0004] Exporting analysis results to the backend: localhost:8080  app=kubeclarity
    
  3. Now you can see the exported results on the UI, on the Dashboard and the Packages pages.

    Exported results

Run multiple generators

You can list the content analyzers to use using the ANALYZER_LIST environment variable separated by a space (ANALYZER_LIST="<analyzer 1 name> <analyzer 2 name>"). For example:

ANALYZER_LIST="syft gomod" kubeclarity-cli analyze --input-type image nginx:latest -o nginx.sbom

OpenClarity content analyzer integrates with the following SBOM generators: