Containers are the standard way to run server applications these days, so you likely have many SBOMs to transfer to Dependency Track SaaS. Luckily, extracting an SBOM from software packaged as a container (Docker) image is fast and easy.

In the example below we illustrate SBOM generation from a Docker image and its transfer to Dependency Track SaaS. To generate an SBOM from any other piece of software, use one of the approaches described in this cheat sheet.

Docker SBOM transfer

To automate the transfer we need to associate the SBOM file with a project in Dependency Track. There are several ways, including the automatic creation of a new project.

In the most likely scenario, you already have a project in Dependency Track and wish to update its list of components. The easiest way is to link the SBOM with the project's UUID in Dependency Track.

The script below extracts the SBOM from a docker registry and transfers it to your Dependency Track tenant. You would run it with something like extract-sbom.sh alpine:latest 29cd2fb7-db8c-4513-8c6c-ffb4443be67f. The Dependency Track project UUID to use is shown as the object identifier in the project details.

Before running it, replace the <YourPrefixDomain> and <YourApiKey> placeholders at lines 9 and 10 of the script with the values you received after ordering your SaaS subscription.

#!/bin/bash

if [ "$#" -ne 2 ]; then
  echo "$0 <dockerImage> <depTrackProjectUuid>"
  exit 1
fi

# REPLACE HERE-------------------------
prefixDomain=<YourPrefixDomain>
apiKey=<YourApiKey>
# END REPLACE--------------------------

SCRIPT_PATH=$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")
project="$2"
sbom="$(uuidgen).sbom"

# Remove the temporary SBOM file even if one of the steps below fails.
trap 'rm -f "$sbom"' EXIT

# Each step only runs if the previous one succeeded. curl --fail turns an
# HTTP error answer from Dependency Track into a non-zero exit status, and
# -F sets the multipart boundary itself, so none is given in the header.
echo -n "Extracting SBOM..." \
 && "$SCRIPT_PATH/syft.sh" scan "registry:$1" -o cyclonedx-json > "$sbom" \
 && echo -ne " done\nSending SBOM..." \
 && curl --fail -X POST -H "X-API-Key: $apiKey" \
         -H 'Content-Type: multipart/form-data' \
         -F "bom=@$sbom" \
         -F "project=$project" \
         "https://$prefixDomain.deptrack.yoursky.blue/api/v1/bom" \
 && echo -e " sent\n\nCleaning..." \
 && rm -f "$sbom"

You may have noticed that the above script does not use the experimental docker sbom command but our own script syft.sh, which does the same in a much more sustainable way.

CI/CD plugins

In your CI/CD, you can easily reuse the curl transfer part of the above script. The SBOM transfer can be made even simpler with one of the following open-source plugins:

Additionally, the following plugins might come in handy for other automation scenarios, for example to implement policies based on vulnerability analysis:

  • dtapac audits Dependency-Track findings and policy violations via policy as code
  • DTrackAuditor can fail the CI build based on vulnerability severity or policy violations
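The CI/CD reuse of the curl transfer and the build-gating idea behind the plugins above can be combined in a few shell functions. The script below is an added example, not part of the original page nor of the YourSky.blue scripts: it uploads the SBOM, waits for Dependency Track to finish processing it, and then fails the job when the project's current metrics exceed a critical/high threshold. The endpoints POST /api/v1/bom, GET /api/v1/bom/token/{token} and GET /api/v1/metrics/project/{uuid}/current, and the autoCreate/projectName/projectVersion form fields, are Dependency Track's public REST API; the DT_BASE_URL and DT_API_KEY variables, the function names and the thresholds are assumptions of this example. It goes beyond the UUID-only upload on the page by also showing the name:version upload with autoCreate mentioned earlier, which is useful when a pipeline does not know the project UUID in advance (gating still needs the UUID, since the metrics endpoint is keyed by it).

```shell
#!/bin/bash
# Added example (not the page's script): upload an SBOM to Dependency Track,
# wait for processing, then gate a CI job on the project's vulnerability
# metrics. JSON is parsed with sed/grep so no jq is required. The
# placeholders below are assumptions; replace them with your own values.

DT_BASE_URL="${DT_BASE_URL:-https://<YourPrefixDomain>.deptrack.yoursky.blue}"
DT_API_KEY="${DT_API_KEY:-<YourApiKey>}"

# Extract the "token" value from the POST /api/v1/bom response body.
parse_bom_token() {
  printf '%s' "$1" | sed -n 's/.*"token" *: *"\([^"]*\)".*/\1/p'
}

# Succeed while GET /api/v1/bom/token/{token} still reports processing.
is_processing() {
  printf '%s' "$1" | grep -q '"processing" *: *true'
}

# Extract one integer metric (critical, high, ...) from the
# GET /api/v1/metrics/project/{uuid}/current response body.
metric_value() {  # $1 = body, $2 = metric key
  printf '%s' "$1" | sed -n "s/.*\"$2\" *: *\([0-9][0-9]*\).*/\1/p"
}

# Gate: succeed only when critical <= $2 and high <= $3.
# Unparsable input fails closed rather than letting the build through.
gate_on_metrics() {  # $1 = body, $2 = max critical, $3 = max high
  local crit high
  crit=$(metric_value "$1" critical)
  high=$(metric_value "$1" high)
  [ -n "$crit" ] && [ -n "$high" ] || return 1
  [ "$crit" -le "$2" ] && [ "$high" -le "$3" ]
}

# Upload an SBOM by project UUID, or by "name:version" with autoCreate
# so a CI job does not need to know the UUID up front. Prints the token.
upload_sbom() {  # $1 = sbom file, $2 = project uuid OR name:version
  local body
  case "$2" in
    *:*)
      body=$(curl -sS --fail -H "X-API-Key: $DT_API_KEY" \
        -F "bom=@$1" -F "autoCreate=true" \
        -F "projectName=${2%%:*}" -F "projectVersion=${2#*:}" \
        "$DT_BASE_URL/api/v1/bom") || return 1 ;;
    *)
      body=$(curl -sS --fail -H "X-API-Key: $DT_API_KEY" \
        -F "bom=@$1" -F "project=$2" "$DT_BASE_URL/api/v1/bom") || return 1 ;;
  esac
  parse_bom_token "$body"
}

# Poll until the server has finished processing the uploaded BOM.
wait_for_bom() {  # $1 = token, $2 = max attempts (2 s apart)
  local i=0 resp
  while [ "$i" -lt "$2" ]; do
    resp=$(curl -sS --fail -H "X-API-Key: $DT_API_KEY" \
      "$DT_BASE_URL/api/v1/bom/token/$1") || return 1
    is_processing "$resp" || return 0
    i=$((i + 1)); sleep 2
  done
  return 1
}

# CI flow: ci-gate.sh <sbomFile> <projectUuid|name:version> [maxCritical] [maxHigh]
if [ "$#" -ge 2 ]; then
  token=$(upload_sbom "$1" "$2") || exit 1
  [ -n "$token" ] || { echo "no token in upload response" >&2; exit 1; }
  wait_for_bom "$token" 30 || { echo "BOM processing timed out" >&2; exit 1; }
  case "$2" in
    *:*) echo "SBOM uploaded and processed (gating needs the project UUID)" ;;
    *)
      metrics=$(curl -sS --fail -H "X-API-Key: $DT_API_KEY" \
        "$DT_BASE_URL/api/v1/metrics/project/$2/current") || exit 1
      gate_on_metrics "$metrics" "${3:-0}" "${4:-0}" \
        || { echo "vulnerability gate failed" >&2; exit 1; }
      echo "vulnerability gate passed" ;;
  esac
fi
```

Because the gate reads the metrics only after the token reports processing finished, it sees the analysis of the SBOM just uploaded rather than stale numbers from a previous build; an empty or malformed metrics answer fails the job instead of passing it.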

Other possible scenarios

With the docker SBOM example shown above we have only scratched the surface; many automation scenarios are possible. It can serve as a template to get started: with a few adaptations, you can generate the SBOM from other sources as described in the cheat sheet.

Other transfer options are possible; please refer to our API documentation.

We gladly help with any SBOM transfer issue.
Let us know how we can help!


Copyright © 2024 YourSky.blue LLC. All rights reserved.
