Integrating SBOM Observer with CI/CD Pipelines

Integrate SBOM Observer into your CI/CD pipeline so that an SBOM is produced and uploaded on every build. This guide covers the ready-made GitHub Action and the upload API; the API path works with any SCA tool that emits an SBOM (Trivy, for example) and with any CI system, so the software inventory tracked by SBOM Observer stays current throughout development and the software's lifecycle.


Prerequisites

Before diving into the integration process, ensure you meet the following prerequisites:

  1. SCA Tool Compatibility: Your Software Composition Analysis (SCA) tool must be capable of generating SBOM files. We support any SCA tool that can produce SBOMs in either the CycloneDX or SPDX formats. Navigate to Coverage and Compatibility for more details.

  2. CI/CD Platforms: A ready-made integration exists for GitHub Actions. Any other pipeline can upload SBOMs through the API described below, so the only hard requirement is that your pipeline can run an HTTP client such as cURL.

Integrating SBOM Observer with GitHub Actions for CI/CD Automation

The SBOM Observer GitHub Action generates a Software Bill of Materials (SBOM) for your application and uploads it to SBOM Observer as part of your workflow. This section walks through the steps to set it up.

Step 1: Accessing SBOM Observer GitHub Action

The SBOM Observer GitHub Action is published on the GitHub Marketplace together with documentation of all the input parameters you can use in your workflow configuration.

Step 2: Setting Up Your GitHub Workflow

To automate SBOM generation and upload with SBOM Observer, configure a GitHub Actions workflow. Below is an example setup:

name: Generate and Upload SBOM file to SBOM Observer

on:
  push:
    branches:
      - main

jobs:
  sbom-upload:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: SBOM Observer Scan and Upload
        id: create-sbom
        uses: observer-actions/create-sbom@v1
        with:
          token: ${{ secrets.SBOM_OBSERVER_TOKEN }}
          path: ./
          namespace: my-namespace
          name: my-component
          version: 1.0.0
          group: my-group

      - name: Status
        shell: bash
        run: |
          echo "Status: ${{ steps.create-sbom.outputs.status }}"
          echo "Attestation ID: ${{ steps.create-sbom.outputs.attestation-id }}"

In this workflow:

  • Checkout code: checks out the repository so that subsequent steps can read it.
  • SBOM Observer Scan and Upload: runs the SBOM Observer GitHub Action, which scans the checked-out code, generates an SBOM (CycloneDX 1.5) and uploads it to SBOM Observer. The required inputs are the token for authentication, the path to scan, and the component details (namespace, name, version, group). Keep the token in a repository or organization secret, as secrets.SBOM_OBSERVER_TOKEN shows; never commit it to the workflow file. The step must carry id: create-sbom so that the steps.create-sbom.outputs references in the next step resolve.
  • Status: prints the status and attestation ID that the upload step exposes as outputs, giving clear feedback on the result of the upload.

Step 3: Automating Your Software Security

With this workflow in place, every push to the main branch triggers SBOM generation and upload, so the inventory held in SBOM Observer follows what is actually built and can be monitored and analysed for vulnerabilities. Note that the on: push trigger above only fires for main; extend the branches list or add a pull_request trigger if you also want SBOMs for other branches or for changes before they are merged.

API Integration via cURL

Integrating with SBOM Observer through the API is straightforward. Below are the required input fields and a cURL command for uploading a Software Bill of Materials (SBOM).

Prerequisites

Before proceeding with the API integration, ensure that you have generated an Access Token within SBOM Observer.

API Endpoint

The public API endpoint for uploading an attestation is https://sbom.observer/v1/${NAMESPACE}/attestations

Authorization uses an HTTP Bearer token, i.e. with cURL:

  curl -H "Authorization: Bearer ${OBSERVER_TOKEN}" ...

  Parameter        Description
  OBSERVER_TOKEN   The SBOM Observer access token used to authenticate to SBOM Observer. Treat it like a password: supply it from a CI secret or environment variable, not from the pipeline definition.
  NAMESPACE        The namespace within SBOM Observer where the SBOM will be placed. The initial namespace is named default.

API Parameters

  Parameter                    Required  Default  Description
  files                        Yes       N/A      The SBOM file(s) to be ingested.
  name                         No        N/A      Overrides the Name attribute of the top-level component in the SBOM.
  version                      No        N/A      Overrides the Version attribute of the top-level component in the SBOM.
  group                        No        N/A      Overrides the Group attribute of the top-level component in the SBOM.
  retention-policy             No        N/A      Selects the retention policy applied to SBOM records after upload (the basic policy is shown under Retention Policy below).
  retention-keep               No        N/A      With the basic policy, keeps only the last N attestations.
  retention-keep-dependencies  No        false    With the basic policy, also keeps attestations for components that have dependencies.

API Parameters are passed as form fields in a multipart/form-data request.

API Access Example Using cURL

To upload an SBOM file to SBOM Observer, use the following cURL syntax:

curl -F "files=@${INPUT_FILE}" \
  -F "name=${name}" \
  -F "version=${version}" \
  -F "group=${group}" \
  -F "retention-policy=${retention_policy}" \
  -F "retention-keep=${retention_keep}" \
  -F "retention-keep-dependencies=${retention_keep_dependencies}" \
  -H "Authorization: Bearer ${OBSERVER_TOKEN}" \
  "${OBSERVER_ENDPOINT}"

Two details matter here. The form values are in double quotes so that the shell expands the variables; inside single quotes the literal text ${name} would be sent. And no Content-Type header is set by hand: -F makes curl send multipart/form-data with a generated boundary, whereas a manually added Content-Type header lacks that boundary parameter and the upload cannot be parsed. Drop the -F lines for any optional parameter you do not want to set rather than sending it with an empty value.

Example cURL Command

Below is an example of how to upload an SBOM using the cURL command:

curl -F "files=@path/to/your/sbom.json" \
  -F "name=MyApplication" \
  -F "version=1.2.3" \
  -F "group=backend-service" \
  -H "Authorization: Bearer pat-12345678-1234-1234-12345-123456789123" \
  https://sbom.observer/v1/default/attestations

By following these instructions, you should be able to seamlessly integrate SBOM Observer's API into your workflows using cURL commands.

Retention Policy

If left unspecified, the default retention policy keeps all SBOMs indefinitely. The basic retention policy (retention-policy=basic) is configured with the retention-keep and retention-keep-dependencies parameters.

Example keeping only the last 3 attestations:

curl -F "files=@./my-sbom.cdx" \
  -F "retention-policy=basic" \
  -F "retention-keep=3" \
  -H "Authorization: Bearer pat-12345678-1234-1234-12345-123456789123" \
  https://sbom.observer/v1/default/attestations
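As an added example (not code from SBOM Observer or its documentation), the following POSIX shell wrapper implements the upload described in the API and Retention Policy sections above in a form suitable for a pipeline script. It reads the token from the OBSERVER_TOKEN environment variable rather than the command line, refuses files that do not carry a CycloneDX or SPDX format marker, sends the name/version/group overrides and the basic retention policy only when they are actually set, and checks the HTTP status of the response. The function names, the OBSERVER_BASE variable and the OBSERVER_DRY_RUN switch are this example's own conventions; the endpoint path and form field names are the ones documented on this page.

```shell
#!/bin/sh
# Added example: a small wrapper around the SBOM Observer attestation upload API.
# Not part of SBOM Observer; function names and the OBSERVER_BASE / OBSERVER_DRY_RUN
# variables are this script's own conventions.
set -eu

OBSERVER_BASE="${OBSERVER_BASE:-https://sbom.observer}"

# Classify an SBOM file as cyclonedx, spdx or unknown from its format marker
# (CycloneDX JSON bomFormat, CycloneDX XML namespace, SPDX JSON spdxVersion,
# SPDX tag-value SPDXVersion). Returns 1 for unknown so callers can refuse it.
detect_sbom_format() {
  if grep -q -e '"bomFormat" *: *"CycloneDX"' -e 'cyclonedx.org/schema/bom' "$1"; then
    echo cyclonedx
  elif grep -q -e '"spdxVersion" *: *"SPDX-' -e '^SPDXVersion: *SPDX-' "$1"; then
    echo spdx
  else
    echo unknown
    return 1
  fi
}

# upload_sbom FILE [NAMESPACE] [NAME] [VERSION] [GROUP] [KEEP]
# Uploads FILE to /v1/NAMESPACE/attestations. NAME, VERSION and GROUP override
# the top-level component only when non-empty; KEEP (a count) enables the basic
# retention policy (retention-policy=basic, retention-keep=KEEP). With
# OBSERVER_DRY_RUN=1 the form arguments and URL are printed instead of sent.
upload_sbom() {
  file=$1
  namespace=${2:-default}
  name=${3:-}
  version=${4:-}
  group=${5:-}
  keep=${6:-}

  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  detect_sbom_format "$file" >/dev/null || {
    echo "refusing $file: not a CycloneDX or SPDX SBOM" >&2; return 2; }

  # Build the multipart fields as positional parameters (POSIX sh has no arrays).
  # No Content-Type header is set by hand, so curl adds the multipart boundary.
  set -- -F "files=@$file"
  [ -n "$name" ]    && set -- "$@" -F "name=$name"
  [ -n "$version" ] && set -- "$@" -F "version=$version"
  [ -n "$group" ]   && set -- "$@" -F "group=$group"
  [ -n "$keep" ]    && set -- "$@" -F "retention-policy=basic" -F "retention-keep=$keep"

  url="$OBSERVER_BASE/v1/$namespace/attestations"
  if [ "${OBSERVER_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$@" "$url"
    return 0
  fi

  # The token comes from the environment (a CI secret), never from argv, so it
  # does not show up in process listings or shell history.
  token=${OBSERVER_TOKEN:?set OBSERVER_TOKEN to an SBOM Observer access token}
  resp=$(mktemp)
  status=$(curl -sS -o "$resp" -w '%{http_code}' \
    -H "Authorization: Bearer $token" "$@" "$url")
  case $status in
    2*) echo "uploaded $file to namespace $namespace (HTTP $status)"; cat "$resp"; rm -f "$resp"; return 0 ;;
    *)  echo "upload failed (HTTP $status):" >&2; cat "$resp" >&2; rm -f "$resp"; return 1 ;;
  esac
}

# Invocation from a shell or a CI step, e.g.:
#   OBSERVER_TOKEN=... ./upload_sbom.sh ./my-sbom.cdx default MyApplication 1.2.3 backend-service 3
if [ "$#" -gt 0 ]; then
  upload_sbom "$@"
fi
```

In a GitHub Actions workflow the same script runs from a run: step with env: OBSERVER_TOKEN: ${{ secrets.SBOM_OBSERVER_TOKEN }}, which keeps the token out of the workflow file and the job log. Running with OBSERVER_DRY_RUN=1 first is a cheap way to confirm which overrides and retention fields will be sent before a real upload changes what SBOM Observer retains.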