Skip to content

sbom — SBOM Generation & Sigstore Attestation

Generates a CycloneDX 1.5 Software Bill of Materials (SBOM) from your project's lock file. No internet access required — the lock file is parsed locally.

Optionally signs the SBOM using Sigstore keyless signing (--attest) and verifies signed SBOMs (--verify). This covers SLSA Level 2+ provenance requirements and the EU Cyber Resilience Act's software provenance requirements.

Usage

greengate sbom [OPTIONS]

Options:
  -o, --output <FILE>                    Write SBOM to a file instead of stdout
                                         (default when --attest is set: sbom.json)
      --attest                           Sign the generated SBOM with Sigstore
                                         keyless signing via cosign
      --bundle <FILE>                    Path for the cosign bundle file
                                         (default: <output>.bundle.json)
      --verify <SBOM_FILE>               Verify an existing SBOM against a cosign bundle
      --certificate-oidc-issuer <ISSUER> Expected OIDC issuer for --verify
      --certificate-identity <IDENTITY>  Expected signer identity for --verify
  -h, --help                             Print help

Supported lock files

Checked in order — the first one found is used:

Lock fileEcosystempurl format
Cargo.lockcrates.iopkg:cargo/<name>@<version>
package-lock.jsonnpmpkg:npm/<name>@<version>
requirements.txtPyPIpkg:pypi/<name>@<version>
go.sumGopkg:golang/<module>@<version>

Examples

bash
# Print SBOM to stdout
greengate sbom

# Write SBOM to a file
greengate sbom --output sbom.json

# Generate and sign (writes sbom.json + sbom.json.bundle.json)
greengate sbom --attest

# Custom paths
greengate sbom --attest --output dist/sbom.json --bundle dist/sbom.bundle.json

# Verify (accepts any valid Sigstore identity)
greengate sbom --verify sbom.json

# Verify with strict policy (exact issuer + identity)
greengate sbom --verify sbom.json \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity https://github.com/acme/repo/.github/workflows/release.yml@refs/heads/main

Sigstore attestation (--attest)

--attest uses cosign sign-blob to sign the SBOM with keyless signing — no private key to manage or rotate. The signing identity comes from the OIDC token issued by your CI provider at build time.

What the bundle contains

The bundle file (sbom.json.bundle.json) contains three things:

FieldWhat it is
Signing certificateYour CI identity, e.g. https://github.com/acme/repo/.github/workflows/release.yml@refs/heads/main
ECDSA signatureSignature over the SHA-256 hash of the SBOM content
Rekor log entryInclusion proof in the public Rekor transparency log — anyone can verify this independently

Distribute both sbom.json and sbom.json.bundle.json alongside your release artifacts.

Requirements

Install cosign once:

bash
# macOS
brew install sigstore/tap/cosign

# Linux (download binary)
# https://github.com/sigstore/cosign/releases

# GitHub Actions (add before the greengate step)
- uses: sigstore/cosign-installer@v3

GitHub Actions — full release example

yaml
permissions:
  contents: read
  id-token: write   # required for Sigstore keyless signing

steps:
  - uses: actions/checkout@v4

  - uses: sigstore/cosign-installer@v3

  - name: Install greengate
    run: |
      curl -sL .../greengate-x86_64-unknown-linux-musl \
        -o /usr/local/bin/greengate && chmod +x /usr/local/bin/greengate

  - name: Generate and attest SBOM
    run: greengate sbom --attest --output sbom.json

  - name: Upload SBOM and bundle as release assets
    uses: softprops/action-gh-release@v2
    with:
      files: |
        sbom.json
        sbom.json.bundle.json

In GitHub Actions with id-token: write, cosign is fully non-interactive. Locally it opens a browser for a one-time OAuth flow.

Verification (--verify)

bash
# Basic — validates the certificate chain and Rekor log entry
greengate sbom --verify sbom.json --bundle sbom.json.bundle.json

# Strict — pin to your exact workflow identity
greengate sbom --verify sbom.json \
  --bundle sbom.json.bundle.json \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity https://github.com/acme/repo/.github/workflows/release.yml@refs/heads/main

Without --certificate-oidc-issuer / --certificate-identity, greengate accepts any valid Sigstore identity. For production pipelines always pin both to your specific workflow URL.

Setting defaults in config

toml
[sbom]
default_output    = "sbom.json"
expected_issuer   = "https://token.actions.githubusercontent.com"
expected_identity = "https://github.com/acme/repo/.github/workflows/release.yml@refs/heads/main"

With these set, greengate sbom --verify sbom.json applies the policy without repeating the flags.

Output format

The output is a CycloneDX 1.5 JSON document:

json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:greengate-1710000000",
  "version": 1,
  "metadata": {
    "timestamp": "2026-03-06T12:00:00Z",
    "tools": [{ "vendor": "ThinkGrid Labs", "name": "greengate", "version": "0.3.2" }]
  },
  "components": [
    {
      "type": "library",
      "name": "serde",
      "version": "1.0.210",
      "purl": "pkg:cargo/serde@1.0.210",
      "scope": "required"
    }
  ]
}

Compliance context

RequirementHow greengate sbom helps
SLSA Level 2+--attest produces a signed provenance bundle anchored in the public Rekor log
EU Cyber Resilience ActSigned CycloneDX SBOM satisfies the software provenance documentation requirement
NTIA minimum elementsCycloneDX 1.5 covers all NTIA-required SBOM fields
Dependency-Track / FOSSA / GrypeCycloneDX JSON is natively accepted by all major SBOM platforms

Released under the MIT License.