Fetching SBOM
What is SBOM?
An SBOM (Software Bill of Materials) is a formal, machine-readable list of the components and dependencies that make up a software package. It gives a complete inventory of what is inside the package, including open-source libraries, commercial components, and proprietary code, typically with the name, version, and origin of each component.
SBOMs are essential for software security and compliance because they let users match the components they run against published vulnerability data and trace where each component came from. By publishing an SBOM for our Docker images, we give users clear visibility into the software components used in our product.
Downloading the Cimon SBOM
To download the full SBOM file for the Cimon image, you can use the cosign tool. Here are the steps to follow:
- Install the cosign tool by following the instructions in the official cosign documentation: https://github.com/sigstore/cosign#installation
- Download the SBOM for the desired image:
cosign download sbom cycodelabs/cimon:<version> > cimon-<version>.sbom.spdx.json
Replace <version> with the version of the Cimon image you want the SBOM for. You can identify the latest version of Cimon by inspecting the tags at https://github.com/cycodelabs/cimon-action/tags
- The SBOM is written to the current working directory as cimon-<version>.sbom.spdx.json.
Note that cosign download sbom only retrieves the SBOM attached to the image in the registry; it does not verify a signature over the SBOM, so treat the file as unverified data until you have checked it by other means. Because tags are mutable, reference the image by digest (cycodelabs/cimon@sha256:<digest>) when you need the SBOM to match the exact image you are running.
$ cat cimon-<version>.sbom.spdx.json
{
"SPDXID": "SPDXRef-DOCUMENT",
...
}
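As an added example (not part of the Cimon project or of cosign), the following Python script wraps the download step described above and then does what you would normally do next with the file: check that it really is an SPDX document, flatten its packages into name/version/purl/license rows, and look up a single component by name, which is the step you take when triaging a vulnerability advisory against the image. The embedded SBOM is a constructed sample in the shape cosign emits; its package names are invented for illustration and say nothing about the real contents of the Cimon image.

```python
"""Download an SPDX JSON SBOM with cosign and inspect its packages.

Added example. The SAMPLE_SBOM below is constructed for illustration; the
package names in it are fictitious.
"""
import json
import shutil
import subprocess
from typing import Dict, List, Optional


def download_sbom(image_ref: str, out_path: str) -> str:
    """Run `cosign download sbom <image_ref>` and save its stdout to out_path.

    cosign fetches whatever SBOM is attached to the image in the registry; it
    does not verify a signature over it, so treat the file as unverified data.
    Prefer a digest reference (repo@sha256:...) so the SBOM matches the exact
    image you run rather than whatever the tag currently points to.
    """
    if shutil.which("cosign") is None:
        raise RuntimeError("cosign is not installed or not on PATH")
    proc = subprocess.run(
        ["cosign", "download", "sbom", image_ref],
        check=True, capture_output=True, text=True,
    )
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write(proc.stdout)
    return out_path


def load_spdx(text: str) -> dict:
    """Parse SBOM text and check that it is an SPDX JSON document."""
    doc = json.loads(text)
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        raise ValueError("not an SPDX document: SPDXID is not SPDXRef-DOCUMENT")
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        raise ValueError("missing or malformed spdxVersion")
    return doc


def list_packages(doc: dict) -> List[Dict[str, str]]:
    """Flatten the SPDX packages into name / version / purl / license rows."""
    rows = []
    for pkg in doc.get("packages", []):
        purl = ""
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl = ref.get("referenceLocator", "")
        rows.append({
            "name": pkg.get("name", ""),
            "version": pkg.get("versionInfo", ""),
            "purl": purl,
            "license": pkg.get("licenseConcluded", "NOASSERTION"),
        })
    return rows


def find_package(doc: dict, name: str) -> Optional[Dict[str, str]]:
    """Look up one component by name, e.g. when checking an advisory."""
    for row in list_packages(doc):
        if row["name"] == name:
            return row
    return None


# Constructed sample in the shape cosign emits; the packages are fictitious.
SAMPLE_SBOM = json.dumps({
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.3",
    "name": "cimon-example",
    "packages": [
        {"SPDXID": "SPDXRef-Package-a", "name": "example-lib",
         "versionInfo": "1.2.3", "licenseConcluded": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:golang/example.com/example-lib@1.2.3"}]},
        {"SPDXID": "SPDXRef-Package-b", "name": "other-lib",
         "versionInfo": "0.9.0"},
    ],
})


if __name__ == "__main__":
    # To fetch a real SBOM instead, call e.g.
    # download_sbom("cycodelabs/cimon@sha256:<digest>", "cimon.sbom.spdx.json")
    # and pass the file contents to load_spdx().
    sbom = load_spdx(SAMPLE_SBOM)
    for row in list_packages(sbom):
        print(f"{row['name']:<20} {row['version']:<10} {row['license']:<12} {row['purl']}")
    print("example-lib present:", find_package(sbom, "example-lib") is not None)
```

The load_spdx check matters because the output of the download command is whatever the registry returns; rejecting anything that is not an SPDX document up front keeps a truncated or unrelated blob from being silently treated as an empty inventory.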