Ingest Software Bill of Materials (SBOM) data into SCS
A Software Bill of Materials (SBOM) is a list of all the components, libraries, and other dependencies used in a software application. While Harness SCS can generate SBOMs for you, it also supports the ingestion of SBOMs in SPDX or CycloneDX (JSON) format generated by any third-party tool.
This document provides a step-by-step guide to configuring the SBOM Orchestration step within SCS to ingest SBOMs. To illustrate the process, we walk through generating an SBOM with the Trivy CLI in a CI Run step, followed by ingesting it with the SBOM Orchestration step.
If you are utilizing STO Steps to generate the SBOM and wish to ingest it, please refer:
Generate the keys for SBOM Attestation - optional
For enhanced trust and verification of your SBOM's integrity, the SBOM Orchestration step offers an optional signing and attestation generation feature. This functionality requires a private key and its password for creating the attestation, and the corresponding public key for verifying it. If you choose to skip SBOM attestation, you can proceed without generating and storing these keys.
- Generate the keys: Begin by generating the keys using Cosign.
  - Install Cosign.
  - Run the command `cosign generate-key-pair` to generate the key pair in the `ecdsa-p256` format.
  - Make sure to note the password used for generating the key pair. This password is needed along with the private key for performing the attestation.
  - This command generates a private key as a `.key` file (`cosign.key` by default) and a public key as a `.pub` file (`cosign.pub` by default).
- Securely store the keys: Safeguard the generated keys by storing them as Harness file secrets. The SCS module also supports HashiCorp Vault, allowing you to use keys stored in the vault.
Configure your pipeline to ingest SBOM
- In your Harness pipeline, navigate to the stage where you want to ingest the SBOM, and select the Overview tab.
- In Shared Paths, enter a path to a location where your SBOM can be stored on the build machine, such as `/shared/customer_artifacts`.
- Add a step to your stage that generates an SBOM, such as a Run, Plugin, or GitHub Action step. For example, this Run step uses Aqua Trivy to generate an SBOM:

  ```shell
  trivy image \
    --format spdx-json \
    --output /shared/customer_artifacts/result.spdx.json \
    ubuntu:22.04
  ```

  Tip: You can also configure pipelines to ingest SBOM from STO scanner steps.
- If your SBOM tool can't output directly to your Shared Path, add commands or a Run step to copy the SBOM into the directory specified in Shared Paths.
- Add an SBOM Orchestration step configured to ingest the SBOM. Note that in a Deploy stage, the SBOM Orchestration step can only be used inside a Containerized Step Group.
  - Step Mode: Set the step mode to Ingestion.
  - SBOM File Path: Enter the path to the SBOM file generated by your SBOM tool, for example `/shared/customer_artifacts/result.spdx.json`.
  - Source: Set the source, which can be DockerHub, ECR, GCR, ACR or Repository. Depending on your selection, a set of fields specific to that source appears; fill these in as required. This is the same as configuring the source in the SBOM Orchestration step in generation mode; for details of each field, refer to the SBOM Orchestration documentation. The Image field below applies to DockerHub.
  - Image: Enter the name of your image with its tag, such as `my-docker-org/repo-name:tag`.
  - Keys for SBOM Attestation: To perform the attestation, the step needs the private key and its password. If you have not generated them yet, use Cosign to create an `ecdsa-p256` key pair as described in Generate the keys for SBOM Attestation above, and store the resulting `.key` and `.pub` files as Harness file secrets.
  - Private Key (optional): Select the Harness file secret that holds your private key.
  - Password (optional): Select the Harness file secret that holds the password for the private key.
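The whole procedure as one Run-step script, added here as an example; it is not code from the Harness documentation or the Harness project. It covers the key generation described above (cosign reads the password from the `COSIGN_PASSWORD` environment variable when that is set, so the command can run unattended), the Trivy command from the Run step above, the copy into the Shared Path for tools that cannot write there directly, and a pre-flight check that the file the ingestion step will read is present and in a format SCS ingests. `SHARED_DIR`, `IMAGE`, `SBOM_FILE`, `gen_cosign_keys`, `generate_sbom`, `stage_sbom`, `sbom_format` and `check_sbom` are names chosen for this example; the default Shared Path and image are the ones used above.

```shell
#!/bin/sh
# Added example (not Harness code): a Run-step script that generates the SBOM,
# places it in the Shared Path and sanity-checks it before the SBOM
# Orchestration step (Ingestion mode) reads it. All names below are assumptions
# made for this example.
set -eu

SHARED_DIR=${SHARED_DIR:-/shared/customer_artifacts}   # the stage's Shared Path
IMAGE=${IMAGE:-ubuntu:22.04}                            # image to describe
SBOM_FILE="$SHARED_DIR/result.spdx.json"                # value for "SBOM File Path"

# One-time, on a workstation rather than in the pipeline: cosign reads
# COSIGN_PASSWORD when it is set, so the key pair is created non-interactively.
# Upload cosign.key and the password as Harness file secrets, then delete the
# local copy; the build machine should never hold the raw private key.
gen_cosign_keys() {
  out_dir="$1"
  mkdir -p "$out_dir"
  ( cd "$out_dir" && cosign generate-key-pair )   # writes cosign.key and cosign.pub
}

# Same Trivy invocation as the Run step above, writing straight into the Shared Path.
generate_sbom() {
  image="$1"; out="$2"
  mkdir -p "$(dirname "$out")"
  trivy image --format spdx-json --output "$out" "$image"
}

# For tools that cannot write to the Shared Path directly: copy the SBOM in
# and print the path to enter in "SBOM File Path".
stage_sbom() {
  src="$1"
  dest="$SHARED_DIR/$(basename "$src")"
  mkdir -p "$SHARED_DIR"
  [ "$src" = "$dest" ] || cp "$src" "$dest"
  printf '%s\n' "$dest"
}

# Prints spdx, cyclonedx or unknown based on the top-level marker key each
# JSON encoding carries. A cheap pre-flight check, not a schema validator.
sbom_format() {
  if grep -q '"spdxVersion"' "$1" 2>/dev/null; then
    echo spdx
  elif grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$1" 2>/dev/null; then
    echo cyclonedx
  else
    echo unknown
  fi
}

# Fails the step early if the ingestion step would find nothing usable:
# a missing or empty file, or a format SCS does not ingest.
check_sbom() {
  f="$1"
  if [ ! -s "$f" ]; then
    echo "SBOM missing or empty: $f" >&2
    return 1
  fi
  fmt=$(sbom_format "$f")
  if [ "$fmt" = unknown ]; then
    echo "unrecognised SBOM format (expected SPDX or CycloneDX JSON): $f" >&2
    return 1
  fi
  echo "ok: $f is $fmt"
}

# In the Run step:
#   generate_sbom "$IMAGE" "$SBOM_FILE" && check_sbom "$SBOM_FILE"
```

Run `gen_cosign_keys` once outside the pipeline and keep only the Harness file secrets. The two check functions are cheap enough to run on every build and turn a silent empty ingestion into a clear step failure at the point where the SBOM was supposed to be produced.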
Run the pipeline
When the pipeline runs, the SBOM Orchestration step performs the following actions:
- Ingests the SBOM into the SCS module.
- For container images only:
  - Generates an attestation and signs it using the provided private key and password.
  - Stores the SBOM in Harness and uploads the `.att` file to your container registry.
SBOMs for both Containers and Code Repositories are accessible in the Artifacts view. You can also locate the SBOM for any artifact on the Supply Chain tab of the Execution Details page in Harness. For details, refer to the view pipeline execution results documentation.