# sbom
Download an image from storage and generate a Software Bill of Materials using Trivy.
The reference must include an explicit tag. Both s3:// and local:// references are supported.
## Flags

| Flag | Default | Description |
|---|---|---|
| --format | cyclonedx | SBOM output format: cyclonedx, spdx-json, spdx |
| --platform | host | Platform for a multi-arch image (e.g. linux/amd64) |
| --install-trivy | false | Install Trivy automatically without prompting |
| -o, --output | stdout | Write the SBOM to a file instead of stdout |
## Trivy auto-install

If Trivy is not found on PATH or in ~/.local/bin/, s3lo prompts you to install it. Press Enter or Y to install; the latest Trivy release is downloaded from GitHub for your OS and architecture.

In CI (non-TTY) the prompt is skipped: s3lo exits with an error and suggests --install-trivy. Pass --install-trivy in CI to enable auto-install without a prompt.
## Examples
Basic SBOM (CycloneDX, printed to stdout):
Write CycloneDX SBOM to a file:
SPDX JSON format:
SPDX tag-value format:
Multi-arch image — select a specific platform:
## Output
When -o/--output is omitted, the SBOM is written to stdout so it can be piped or redirected:
Progress output (the download bar) is written to stderr so it does not pollute the SBOM data on stdout.
When an output file is specified, both the progress bar and a completion message are written to stdout:
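Because the SBOM alone goes to stdout, it can be piped straight into a consumer. The script below is an added example, not part of s3lo or its documentation: it reads an SBOM in either of the JSON formats the command can produce (cyclonedx or spdx-json), normalises the package list, and reports component counts, unversioned entries and the purl ecosystems present. The two sample documents at the bottom are constructed so the script runs stand-alone; in real use you would pipe `s3lo sbom s3://bucket/image:tag` into it.

```python
"""Summarise an SBOM from `s3lo sbom` (CycloneDX JSON or SPDX JSON).

Added example, not s3lo code. Typical use (assumed invocation):
    s3lo sbom s3://my-bucket/app:1.2.3 | python3 sbom_summary.py -
"""
import json
import sys
from collections import Counter


def detect_format(doc: dict) -> str:
    """Return 'cyclonedx' or 'spdx-json' from the document's top-level marker field."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    spdx = doc.get("spdxVersion")
    if isinstance(spdx, str) and spdx.startswith("SPDX-"):
        return "spdx-json"
    raise ValueError("not a CycloneDX or SPDX JSON document")


def components(doc: dict) -> list:
    """Normalise either format's package list into {name, version, purl} records."""
    out = []
    if detect_format(doc) == "cyclonedx":
        for c in doc.get("components", []):
            out.append({"name": c.get("name"), "version": c.get("version"),
                        "purl": c.get("purl")})
    else:
        for p in doc.get("packages", []):
            # SPDX carries the purl as an externalRef of type "purl".
            purl = next((r.get("referenceLocator") for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            out.append({"name": p.get("name"), "version": p.get("versionInfo"),
                        "purl": purl})
    return out


def summarize(doc: dict) -> dict:
    """Count components, list those without a version, and tally purl ecosystems."""
    comps = components(doc)
    ecosystems = Counter()
    for c in comps:
        if c["purl"] and c["purl"].startswith("pkg:"):
            # "pkg:deb/debian/openssl@3.0.11" -> ecosystem "deb"
            ecosystems[c["purl"][4:].split("/", 1)[0]] += 1
    return {
        "format": detect_format(doc),
        "total": len(comps),
        "unversioned": sorted(c["name"] for c in comps if not c["version"]),
        "ecosystems": dict(ecosystems),
    }


# Constructed sample documents (not real s3lo/Trivy output), used for a stand-alone run.
CYCLONEDX_SAMPLE = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.11",
         "purl": "pkg:deb/debian/openssl@3.0.11"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "vendored-blob"},  # no version: worth a look
    ],
}
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "openssl", "SPDXID": "SPDXRef-Package-openssl", "versionInfo": "3.0.11",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/openssl@3.0.11"}]},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # "-" reads the piped SBOM from stdin; anything else is a file path.
        src = sys.stdin if sys.argv[1] == "-" else open(sys.argv[1])
        print(json.dumps(summarize(json.load(src)), indent=2))
    else:
        for sample in (CYCLONEDX_SAMPLE, SPDX_SAMPLE):
            print(json.dumps(summarize(sample), indent=2))
```

The unversioned list is the part worth acting on: a component Trivy could not pin to a version cannot be matched reliably against vulnerability data, so it deserves manual follow-up rather than silent inclusion in the artifact.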
## GitHub Actions example

```yaml
- uses: OuFinx/s3lo-action@v1
  with:
    role-to-assume: arn:aws:iam::123456789012:role/ci-s3lo-role
    aws-region: us-east-1
- name: Generate SBOM
  run: |
    s3lo sbom s3://my-bucket/${{ github.repository }}:${{ github.sha }} \
      --format cyclonedx \
      -o sbom.cdx.json \
      --install-trivy
- name: Upload SBOM artifact
  uses: actions/upload-artifact@v4
  with:
    name: sbom
    path: sbom.cdx.json
```