SBOM generation for software products

For software products (applications, containers, libraries, and services), SBOM generation is straightforward using the CRA Evidence CLI.

Syft gives good SBOM coverage for container images because it reads the installed-package databases (dpkg, apk, rpm) and language package metadata directly from the image layers, so the SBOM reflects what is actually in the image rather than what the Dockerfile declared.

craevidence upload-sbom \
  --product my-api \
  --version 3.2.1 \
  --image my-org/my-api:3.2.1 \
  --product-type software \
  --scan

This command:

  1. Pulls the image (or uses a locally available one)
  2. Runs Syft to generate a CycloneDX SBOM
  3. Uploads the SBOM to CRA Evidence
  4. Triggers a vulnerability scan

Source directories

For non-containerised applications (a Node.js app directory, a Python project, a Go module):

craevidence upload-sbom \
  --product my-service \
  --version 1.0.0 \
  --source ./src/ \
  --product-type software \
  --scan

Syft walks the directory and catalogs dependencies from package manager manifests and lock files (package-lock.json, yarn.lock, requirements.txt, poetry.lock, go.mod/go.sum, pom.xml, etc.). Run it against the same tree you build from, with lock files present: a manifest alone (package.json, an unpinned requirements.txt) yields components without exact versions, which a vulnerability scan cannot match reliably.

Pre-built SBOMs

If your build system already generates an SBOM (e.g., CycloneDX from Maven or Gradle, SPDX from npm), upload it directly:

craevidence upload-sbom \
  --product my-java-app \
  --version 2.0.0 \
  --file target/bom.json \
  --product-type software \
  --scan

Supported upload formats: CycloneDX JSON and SPDX JSON. Configure your build tool to emit JSON rather than XML.
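The following pre-upload check is an added example and is not part of the CRA Evidence CLI or of Syft. It covers the two things the sections above depend on: a lock-file-backed component list with exact versions (Source directories) and a file in one of the two accepted JSON formats (Pre-built SBOMs). It flattens CycloneDX JSON and SPDX JSON to the same shape, rejects anything else (XML fails at the JSON parse step), and reports components that lack a version or a purl, since those cannot be matched against vulnerability data. The function names and the two embedded sample SBOMs are constructed for illustration.

```python
"""Sanity-check an SBOM file before uploading it (illustrative, not the CLI's own code)."""
from __future__ import annotations

import json
import sys


def detect_format(doc: dict) -> str:
    """Return 'cyclonedx-json' or 'spdx-json'; raise ValueError for anything else."""
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "cyclonedx-json"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-") and "SPDXID" in doc:
        return "spdx-json"
    raise ValueError("not a CycloneDX JSON or SPDX JSON document")


def normalize_components(doc: dict, fmt: str) -> list[dict]:
    """Flatten both formats to {name, version, purl} records."""
    out = []
    if fmt == "cyclonedx-json":
        for c in doc.get("components", []):
            out.append({"name": c.get("name"), "version": c.get("version"), "purl": c.get("purl")})
    else:
        # SPDX keeps the purl in externalRefs and the version in versionInfo
        for p in doc.get("packages", []):
            purl = None
            for ref in p.get("externalRefs", []):
                if ref.get("referenceType") == "purl":
                    purl = ref.get("referenceLocator")
            out.append({"name": p.get("name"), "version": p.get("versionInfo"), "purl": purl})
    return out


def check_sbom(text: str) -> dict:
    """Parse, detect the format and report gaps. Raises ValueError on unsupported input."""
    doc = json.loads(text)  # an XML SBOM fails here: only the two JSON formats are accepted
    fmt = detect_format(doc)
    comps = normalize_components(doc, fmt)
    missing_version = sorted(c["name"] for c in comps if not c["version"])
    missing_purl = sorted(c["name"] for c in comps if not c["purl"])
    return {
        "format": fmt,
        "components": len(comps),
        "missing_version": missing_version,
        "missing_purl": missing_purl,
        # an empty SBOM (wrong directory, no lock files) is as bad as a malformed one
        "ok": len(comps) > 0 and not missing_version,
    }


def is_accepted(text: str) -> bool:
    """True if the document is in a supported format, regardless of its content."""
    try:
        check_sbom(text)
        return True
    except ValueError:
        return False


# Constructed sample: one pinned component and one that came from a manifest without a lock file.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "left-pad"},
    ],
})

# Constructed sample: a minimal SPDX 2.3 document with one fully identified package.
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "requests", "versionInfo": "2.31.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
    ],
})

if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8") as fh:
        report = check_sbom(fh.read())
    print(json.dumps(report, indent=2))
    sys.exit(0 if report["ok"] else 1)
```

Run it as `python check_sbom.py target/bom.json` in the step before `craevidence upload-sbom`; a non-zero exit stops the pipeline before an empty or unpinned SBOM reaches the vulnerability scan.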

Build-system integration

Ecosystem     How to generate                                                          Format
Node.js       npx @cyclonedx/cyclonedx-npm --output-format JSON                        CycloneDX JSON
Python        pip install cyclonedx-bom && cyclonedx-py environment                    CycloneDX JSON
Java/Maven    mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom  (writes target/bom.json)  CycloneDX JSON
Java/Gradle   gradle cyclonedxBom  (writes build/reports/bom.json)                     CycloneDX JSON
Go            syft . -o cyclonedx-json                                                 CycloneDX JSON
.NET          dotnet tool install --global CycloneDX && dotnet CycloneDX <solution-or-project> --json   CycloneDX JSON

The .NET tool writes XML unless --json is given; the Maven and Gradle plugins write both XML and JSON by default, so upload the .json file.

CI/CD integration

# GitHub Actions example
# Run this job on tag pushes: github.ref_name is then the release tag, whereas on a
# branch push it is the branch name and the uploaded version would be wrong.
- name: Upload SBOM
  run: |
    craevidence upload-sbom \
      --product ${{ env.PRODUCT_SLUG }} \
      --version ${{ github.ref_name }} \
      --image ${{ env.DOCKER_IMAGE }}:${{ github.sha }} \
      --product-type software \
      --scan
  env:
    # keep the API key in repository secrets; never put it in the workflow file
    CRA_EVIDENCE_API_KEY: ${{ secrets.CRA_EVIDENCE_API_KEY }}
    CRA_EVIDENCE_URL: https://api.craevidence.com

Last updated April 21, 2026