SBOM
Generate an SBOM document from a local file system.
Prerequisites
Feature availability: This feature is available to customers on Snyk Enterprise plans.
Note: In order to use the SBOM generation feature, you must use a minimum of CLI version 1.1071.0.
The snyk sbom feature requires an internet connection.
Usage
$ snyk sbom --format=<cyclonedx1.4+json|cyclonedx1.4+xml|cyclonedx1.5+json|cyclonedx1.5+xml|cyclonedx1.6+json|cyclonedx1.6+xml|spdx2.3+json> [--org=<ORG_ID>] [--file=<FILE>] [--unmanaged] [--dev] [--all-projects] [--name=<NAME>] [--version=<VERSION>] [--exclude=<NAME>[,<NAME>...]] [--detection-depth=<DEPTH>] [--prune-repeated-subdependencies|-p] [--maven-aggregate-project] [--scan-unmanaged] [--scan-all-unmanaged] [--sub-project=<NAME>] [--gradle-sub-project=<NAME>] [--all-sub-projects] [--configuration-matching=<CONFIGURATION_REGEX>] [--configuration-attributes=<ATTRIBUTE>[,<ATTRIBUTE>]] [--init-script=<FILE>] [--json-file-output=<OUTPUT_FILE_PATH>] [<TARGET_DIRECTORY>]
Description
The snyk sbom command generates an SBOM for a local software project in an ecosystem supported by Snyk.
Supported formats include CycloneDX v1.4 (JSON or XML), CycloneDX v1.5 (JSON or XML), CycloneDX v1.6 (JSON or XML), and SPDX v2.3 (JSON).
An SBOM can be generated for all supported Open Source package managers as well as unmanaged software projects.
Exit codes
Possible exit codes and their meaning:
0: success (process completed), SBOM created successfully
2: failure, try to re-run the command. Use -d to output the debug logs.
Debug
Use the -d or --debug option to output the debug logs.
Options
--format=<cyclonedx1.4+json|cyclonedx1.4+xml|cyclonedx1.5+json|cyclonedx1.5+xml|cyclonedx1.6+json|cyclonedx1.6+xml|spdx2.3+json>
Required. Specify the output format for the SBOM to be produced. Available options are cyclonedx1.4+json, cyclonedx1.4+xml, cyclonedx1.5+json, cyclonedx1.5+xml, cyclonedx1.6+json, cyclonedx1.6+xml, and spdx2.3+json.
[--org=<ORG_ID>]
Specify the <ORG_ID> (name or UUID) to run Snyk commands tied to a specific Snyk Organization. The <ORG_ID> influences some features availability and private test limits.
Use this option when your default Organization does not have API entitlement.
If this option is omitted, the default Organization for your account will be used. This is the <ORG_ID> that is the current preferred Organization in your Account settings.
Set a default to ensure all newly tested projects are tested under your default Organization. If you need to override the default, use the --org=<ORG_ID> option.
If you have multiple Organizations, you can set a default from the CLI using:
$ snyk config set org=<ORG_ID>
Note: You can also use --org=<orgslugname>.
The ORG_ID works in both the CLI and the API. The organization slug name works in the CLI, but not in the API.
For more information, see the article How to select the Organization to use in the CLI.
[--file=<file>] or [--f=<file>]
Specify the desired manifest file on which the SBOM will be based.
By default, the sbom command detects a supported manifest file in the current working directory.
[--unmanaged]
Generate an SBOM for unmanaged software projects.
[--dev]
Include development-only dependencies in the SBOM output.
Applicable only for some package managers, for example, devDependencies in npm or :development dependencies in Gemfile.
When --dev is used with the SPDX format, the development-only dependencies are included in the DEV_DEPENDENCY_OF relationship.
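The following Python example is added here to illustrate the formats and options described on this page; it is not part of the Snyk CLI or its documentation. It builds a snyk sbom command line from the documented flags, maps the documented exit codes to an outcome, and then summarises an SBOM document of either format, picking out the SPDX DEV_DEPENDENCY_OF relationships that --dev produces. The two sample documents embedded in the code are constructed for this example and only mirror the shape of CycloneDX 1.6 JSON and SPDX 2.3 JSON output; the helper names (build_sbom_command, interpret_exit_code, summarize_spdx, and so on) are this example's own.

```python
"""Added example, not Snyk's own code: drive `snyk sbom` and post-process its output.

Sample documents below are constructed for this example; they follow the shape of
CycloneDX 1.6 JSON and SPDX 2.3 JSON but are not real `snyk sbom` output.
"""
import json
import subprocess

# The --format values listed in this page's usage line.
SUPPORTED_FORMATS = {
    "cyclonedx1.4+json", "cyclonedx1.4+xml", "cyclonedx1.5+json", "cyclonedx1.5+xml",
    "cyclonedx1.6+json", "cyclonedx1.6+xml", "spdx2.3+json",
}


def build_sbom_command(fmt, target_dir=".", org=None, dev=False, unmanaged=False, output=None):
    """Assemble the argv for `snyk sbom` from the options documented on this page."""
    if fmt not in SUPPORTED_FORMATS:
        raise ValueError(f"unsupported --format value: {fmt}")
    argv = ["snyk", "sbom", f"--format={fmt}"]
    if org:
        argv.append(f"--org={org}")          # name, UUID, or slug per the --org option
    if dev:
        argv.append("--dev")                 # include development-only dependencies
    if unmanaged:
        argv.append("--unmanaged")           # scan an unmanaged software project
    if output:
        argv.append(f"--json-file-output={output}")
    argv.append(target_dir)
    return argv


def interpret_exit_code(code):
    """Map the exit codes documented for `snyk sbom` to a human-readable outcome."""
    if code == 0:
        return "success: SBOM created"
    if code == 2:
        return "failure: re-run the command with -d to capture debug logs"
    return f"unexpected exit code {code}"


def run_sbom(argv):
    """Run the CLI (requires snyk installed and network access); returns (outcome, stdout)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return interpret_exit_code(proc.returncode), proc.stdout


def detect_format(doc):
    """Tell CycloneDX from SPDX by the top-level keys each format uses."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    raise ValueError("document is neither CycloneDX nor SPDX JSON")


def summarize_cyclonedx(doc):
    """Return {name@version: scope} for each component.

    CycloneDX output does not label dev dependencies differently, so the scope
    is reported as given (CycloneDX's default is 'required')."""
    return {f"{c['name']}@{c.get('version', '')}": c.get("scope", "required")
            for c in doc.get("components", [])}


def summarize_spdx(doc):
    """Return (packages, dev_only) for an SPDX 2.3 document.

    packages maps SPDXID -> name@version; dev_only holds the SPDXIDs that are the
    source element of a DEV_DEPENDENCY_OF relationship (A DEV_DEPENDENCY_OF B means
    A is a development-only dependency of B)."""
    packages = {p["SPDXID"]: f"{p['name']}@{p.get('versionInfo', '')}"
                for p in doc.get("packages", [])}
    dev_only = {r["spdxElementId"] for r in doc.get("relationships", [])
                if r.get("relationshipType") == "DEV_DEPENDENCY_OF"}
    return packages, dev_only


# Constructed sample documents (not produced by snyk sbom).
CYCLONEDX_SAMPLE = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21"},
        {"type": "library", "name": "jest", "version": "29.7.0"},
    ],
}
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app",
    "packages": [
        {"SPDXID": "SPDXRef-Package-example-app", "name": "example-app", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-Package-lodash", "name": "lodash", "versionInfo": "4.17.21"},
        {"SPDXID": "SPDXRef-Package-jest", "name": "jest", "versionInfo": "29.7.0"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-example-app"},
        {"spdxElementId": "SPDXRef-Package-example-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-lodash"},
        {"spdxElementId": "SPDXRef-Package-jest", "relationshipType": "DEV_DEPENDENCY_OF",
         "relatedSpdxElement": "SPDXRef-Package-example-app"},
    ],
}

if __name__ == "__main__":
    print(" ".join(build_sbom_command("spdx2.3+json", dev=True, output="sbom.json")))
    pkgs, dev = summarize_spdx(json.loads(json.dumps(SPDX_SAMPLE)))
    print("dev-only packages:", sorted(pkgs[i] for i in dev))
```

To use it against real output, run the argv from build_sbom_command with --json-file-output, then json.load the file and dispatch on detect_format; only the SPDX path can tell development-only dependencies apart, which matches the CycloneDX behaviour this page describes.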
When --dev
is used with the CycloneDX format, development-only dependencies are not labeled differently from non-