github.com/goreleaser/goreleaser@v1.25.1/www/docs/customization/sbom.md

# Cataloging artifacts

> Since: v1.2

A Software Bill of Materials (SBOM) is a description of the components that make
up a software artifact.

GoReleaser can create one or more SBOMs for any artifacts generated by
GoReleaser.

## Usage

The artifact cataloging step can analyze one or more artifacts generated by
GoReleaser and output one or more SBOM files into the dist directory.

The default is configured to create an SBOM for each binary produced with
[Syft](https://github.com/anchore/syft). To enable artifact cataloging just add:

```yaml
# .goreleaser.yml
sboms:
  - artifacts: archive
```

To customize the artifact cataloging pipeline you can use the following options:

```yaml
# .goreleaser.yml
sboms:
  - # ID of the SBOM config, must be unique.
    #
    # Default: 'default'
    id: foo

    # List of names of the SBOM documents created at this step
    # (relative to the dist dir).
    #
    # Each element configured is made available as a variable. For example:
    #   documents: ["foo", "bar"]
    #
    # would make the following variables that can be referenced as template keys:
    #   document0: "foo"
    #   document1: "bar"
    #
    # Note that multiple SBOM values are only allowed if the value of
    # "artifacts" is "any".
    #
    # Default:
    #   When "binary": ["{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.sbom"]
    #   When "any": []
    #   Otherwise: ["{{ .ArtifactName }}.sbom"]
    # Templates: allowed
    documents:
      - "${artifact}.spdx.sbom"

    # Path to the SBOM generator command
    #
    # Note: the process CWD will be set to the same location as "dist"
    #
    # Default: 'syft'
    cmd: syft

    # Command line arguments for the command
    #
    # Default: ["$artifact", "--output", "spdx-json=$document"]
    # Templates: allowed
    args: ["$artifact", "--output", "cyclonedx-json:$document"]

    # List of environment variables that will be passed to the SBOM command as
    # well as the templates.
    #
    # Default: [ "SYFT_FILE_METADATA_CATALOGER_ENABLED=true" ]
    env:
      - FOO=bar
      - HONK=honkhonk

    # Which artifacts to catalog.
    #
    # Valid options are:
    # - any:       let the SBOM tool decide which artifacts available in
    #              the cwd should be cataloged
    # - source:    source archive
    # - package:   Linux packages (deb, rpm, apk, etc)
    # - installer: Windows MSI installers (Pro only)
    # - diskimage: macOS DMG disk images (Pro only)
    # - archive:   archives from archive pipe
    # - binary:    binaries output from the build stage
    #
    # Default: 'archive'
    artifacts: archive

    # IDs of the artifacts to catalog.
    #
    # If `artifacts` is "source" or "any" then this field has no effect.
    ids:
      - foo
      - bar
```

### Available variable names

These environment variables may be available in the fields that accept
templates:

- `${artifact}`: the path to the artifact that will be cataloged (unless the
  "artifacts" config item is "any")
- `${artifactID}`: the ID of the artifact that will be cataloged (unless the
  "artifacts" config item is "any")
- `${document}`: the SBOM filename generated (corresponds to `${document0}` if
  the "artifacts" config item is "any")
- `${document#}`: the SBOM filenames generated, where `#` corresponds to the
  list index under the "documents" config item (e.g. `${document0}`)

## Limitations

Container images generated by GoReleaser are not available to be cataloged by
the SBOM tool.
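The following configuration is an added example, not taken from the GoReleaser
documentation or project, that puts the options and variables described above
together. It defines two cataloging entries: one that emits a per-binary SPDX
document using the default `syft` invocation, and one with `artifacts: any` that
writes two documents (SPDX and CycloneDX) from a single run, which is the only
case in which more than one `documents` entry is permitted and therefore the
case where the indexed `${document0}` / `${document1}` variables matter. The `id`
values are arbitrary, and the `dir:.` source argument and the repeated
`--output` flags are assumed Syft command-line syntax; check them against the
Syft version you ship.

```yaml
# .goreleaser.yml (added example; ids, "dir:." and repeated --output are assumptions)
sboms:
  # One SPDX document per built binary, using the default cmd and args.
  # ${artifact} and ${document} are set by GoReleaser for each binary.
  - id: binaries
    artifacts: binary
    documents:
      - "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.spdx.sbom"

  # One catalog of everything in dist, written in two formats at once.
  # With "artifacts: any" GoReleaser does not set ${artifact}: the tool
  # decides what to scan, so the source is passed explicitly ("dir:." scans
  # the dist directory, since the process CWD is set to dist) and each
  # output document is referenced by its index in "documents".
  - id: release
    artifacts: any
    documents:
      - "release.spdx.sbom"
      - "release.cdx.sbom"
    cmd: syft
    args:
      - "dir:."
      - "--output"
      - "spdx-json=$document0"
      - "--output"
      - "cyclonedx-json=$document1"
```

Because both entries run in the dist directory, the second entry's scan also
sees the `.spdx.sbom` files produced by the first; if that is unwanted, narrow
the first entry with `ids` or order the entries so the broad catalog runs
first.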