Tutorial: Export dependency list in SBOM format
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Dependency Scanning output can be exported to the CycloneDX JSON format.
This tutorial shows you how to generate a CycloneDX JSON SBOM for a pipeline, and then to upload it as a CI job artifact.
Before you begin
Set up Dependency Scanning. For detailed instructions, follow the Dependency Scanning tutorial.
Create configuration files
Create a private access token with
api
scope and theDeveloper
role.Add the token value as a CI/CD variable named
PRIVATE_TOKEN
.Create a snippet with the following code.
Filename:
export.sh
#! /bin/sh function create_export { curl --silent \ --header "PRIVATE-TOKEN: $PRIVATE_TOKEN" \ -X 'POST' --data "export_type=sbom" \ "https://gitlab.com/api/v4/pipelines/$CI_PIPELINE_ID/dependency_list_exports" \ | jq '.id' } function check_status { curl --silent \ --header "PRIVATE-TOKEN: $PRIVATE_TOKEN" \ --write-out "%{http_code}" --output /dev/null \ https://gitlab.com/api/v4/dependency_list_exports/$1 } function download { curl --header "PRIVATE-TOKEN: $PRIVATE_TOKEN" \ --output "gl-sbom-merged-$CI_PIPELINE_ID.cdx.json" \ "https://gitlab.com/api/v4/dependency_list_exports/$1/download" } function export_sbom { local ID=$(create_export) for run in $(seq 0 3); do local STATUS=$(check_status $ID) # Status is 200 when JSON is generated. # Status is 202 when generate JSON job is running. if [ $STATUS -eq "200" ]; then download $ID exit 0 elif [ $STATUS -ne "202" ]; then exit 1 fi echo "Waiting for JSON to be generated" sleep 5 done exit 1 } export_sbom
The above script works in the following steps:
- Create a CycloneDX SBOM export for the current pipeline.
- Check the status of that export, and stop when it’s ready.
- Download the CycloneDX SBOM file.
Update
.gitlab-ci.yml
with the following code.export-merged-sbom: image: alpine before_script: - apk add --update jq curl stage: .post script: - | curl --header "Authorization: Bearer $PRIVATE_TOKEN" --output export.sh --url "https://gitlab.com/api/v4/snippets/<SNIPPET_ID>/raw" - /bin/sh export.sh artifacts: paths: - "gl-sbom-merged-*.cdx.json"
Go to Build > Pipelines and confirm that the latest pipeline completed successfully.
In the job artifacts, gl-sbom-merged-<pipeline_id>.cdx.json
file should be present.
Docs
Edit this page to fix an error or add an improvement in a merge request.
Create an issue to suggest an improvement to this page.
Product
Create an issue if there's something you don't like about this feature.
Propose functionality by submitting a feature request.
Feature availability and product trials
View pricing to see all GitLab tiers and features, or to upgrade.
Try GitLab for free with access to all features for 30 days.
Get help
If you didn't find what you were looking for, search the docs.
If you want help with something specific and could use community support, post on the GitLab forum.
For problems setting up or using this feature (depending on your GitLab subscription).
Request support