snyk-sbom-export
A tool that takes projects onboarded to Snyk's dependency scanning and generates a Software Bill of Materials (SBOM) for them. SBOM export is already available through the Snyk API, but the API's output does not include licensing information.
By using snyk-sbom-export, you will receive annotated licensing information as well as the core SBOM data.
Limitations
Note that this only supports Open Source projects, as Snyk does not support SBOM generation for non-Open Source projects. Support for other project types may be worked on as part of this project.
Installation
This can be installed from source using:
go install gitlab.com/tanna.dev/snyk-sbom-export@latest
The minimum Go version required to build and run it is Go 1.21.
Usage
The SNYK_API_TOKEN environment variable is required, and to get one, you can follow the Snyk documentation.
env SNYK_API_TOKEN=... snyk-sbom-export -orgID ... -format cyclonedx1.4+json
# alternatively
env SNYK_API_TOKEN=... snyk-sbom-export -orgID ... -format spdx2.3+json
This will then iterate through all projects in the Snyk organisation identified by the -orgID flag, and will output them in the specified SBOM format. Note that when the token is passed inline as in the commands above, it is recorded in your shell history; exporting it into the environment from a secrets store avoids that.
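The point of the tool is that the license data it adds actually reaches the exported document, so the output is worth checking. The following Go program is an added example, not part of snyk-sbom-export: it reads either format the two commands above can produce, collects every component, and reports those that carry no license data at all. The two sample documents embedded in it are constructed for illustration rather than captured tool output; the struct mirrors the public CycloneDX 1.4 and SPDX 2.3 JSON schemas, and nothing about the tool's output beyond those schemas is assumed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// sbom mirrors only the fields of the CycloneDX 1.4 and SPDX 2.3 JSON schemas this check reads.
// One struct covers both because their top-level keys do not clash; encoding/json matches the
// untagged field names case-insensitively ("versionInfo" -> VersionInfo, and so on).
type sbom struct {
	BOMFormat   string `json:"bomFormat"`   // present in CycloneDX documents
	SPDXVersion string `json:"spdxVersion"` // present in SPDX documents
	Components  []struct {
		Name, Version string
		Licenses      []struct {
			License    struct{ ID, Name string }
			Expression string
		}
	}
	Packages []struct{ Name, VersionInfo, LicenseConcluded, LicenseDeclared string }
}

// Constructed sample exports (not real snyk-sbom-export output); the second entry in each has no license data.
const sampleCycloneDX = `{"bomFormat":"CycloneDX","specVersion":"1.4","components":[
{"type":"library","name":"github.com/spf13/cobra","version":"1.8.0","licenses":[{"license":{"id":"Apache-2.0"}}]},
{"type":"library","name":"example.com/internal/lib","version":"0.1.0"}]}`

const sampleSPDX = `{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","packages":[
{"name":"golang.org/x/net","versionInfo":"0.19.0","licenseConcluded":"BSD-3-Clause","licenseDeclared":"NOASSERTION"},
{"name":"example.com/internal/lib","versionInfo":"0.1.0","licenseConcluded":"NOASSERTION","licenseDeclared":"NONE"}]}`

// ParseSBOM detects the format from the document's own markers and returns a map of
// "name@version" to the license identifiers recorded for that component.
func ParseSBOM(data []byte) (map[string][]string, error) {
	var doc sbom
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("not a JSON document: %w", err)
	}
	out := map[string][]string{}
	switch {
	case doc.BOMFormat == "CycloneDX":
		for _, c := range doc.Components {
			var lics []string
			for _, l := range c.Licenses {
				// An entry is either an SPDX expression or a license object with an id or free-text name.
				lics = appendLicenses(lics, l.Expression, l.License.ID, l.License.Name)
			}
			out[c.Name+"@"+c.Version] = lics
		}
	case doc.SPDXVersion != "":
		for _, p := range doc.Packages {
			out[p.Name+"@"+p.VersionInfo] = appendLicenses(nil, p.LicenseConcluded, p.LicenseDeclared)
		}
	default:
		return nil, fmt.Errorf("neither a CycloneDX nor an SPDX JSON document")
	}
	return out, nil
}

// appendLicenses keeps only values that carry real license data: SPDX spells "unknown"
// out explicitly as NOASSERTION or NONE, and neither counts as a license.
func appendLicenses(dst []string, vals ...string) []string {
	for _, v := range vals {
		if v != "" && v != "NOASSERTION" && v != "NONE" {
			dst = append(dst, v)
		}
	}
	return dst
}

// Unlicensed returns the components with no license data, sorted so the list diffs cleanly between exports.
func Unlicensed(comps map[string][]string) []string {
	var missing []string
	for key, lics := range comps {
		if len(lics) == 0 {
			missing = append(missing, key)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	// The constructed samples are checked here; to check a file written by snyk-sbom-export,
	// read it with os.ReadFile and pass the bytes to ParseSBOM instead.
	for name, data := range map[string]string{"cyclonedx-sample": sampleCycloneDX, "spdx-sample": sampleSPDX} {
		comps, err := ParseSBOM([]byte(data))
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", name, err)
			os.Exit(1)
		}
		fmt.Printf("%s: %d components, without license data: %v\n", name, len(comps), Unlicensed(comps))
	}
}
```

A non-empty result from Unlicensed on a real export means the license annotation step did not cover every component, which is exactly the gap in the plain Snyk API output that this tool exists to close. Treating SPDX's NOASSERTION and NONE as missing rather than as values matters: a naive check for a non-empty licenseDeclared field would pass them silently.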
License
Licensed under the Apache-2.0 license.