Skip to content

cncf/sbom

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1,809 Commits
.github/workflows
.github/workflows
 
 
.idea
.idea
 
 
sbom
sbom
 
 
util
util
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

CNCF Projects Supply Chain & SBOM Generator

⚠️ DISCLAIMER

IMPORTANT NOTICE:

The Software Bill of Materials (SBOM) files generated by this project are automatically generated by the CNCF and are NOT official SBOMs provided by the individual CNCF projects themselves.

  1. No Warranty: These SBOMs are provided "AS IS" without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose, and noninfringement.

  2. No Guarantee of Completeness or Accuracy: We make no representations or guarantees regarding the completeness, accuracy, reliability, or currentness of the information contained in these SBOMs. The automated generation process may miss dependencies, include incorrect versions, or contain other errors.

  3. Use at Your Own Risk: Any use of these SBOMs is entirely at your own risk. This project, its contributors, and maintainers shall not be liable for any claims, damages, or other liability arising from the use of these SBOMs.

  4. Not a Substitute for Official SBOMs: For production use, compliance requirements, or security audits, please refer to the official documentation and releases of each individual CNCF project.

  5. Automated Generation: These SBOMs are generated using the kubernetes-sigs/bom tool and go-licenses for license detection. The generation process runs weekly and only processes Go-based projects.

Overview

This tool generates Software Bill of Materials (SBOM) in SPDX JSON format for CNCF projects and uploads them to OCI-compatible S3 storage.

The SBOM generator:

  • Automatically syncs the list of CNCF projects from the CNCF Landscape
  • Discovers additional subproject repositories within CNCF GitHub organizations
  • Fetches stable releases (major, minor, patch) from CNCF project repositories
  • Only processes Go-based projects (repositories containing go.mod or go.sum)
  • Skips alpha, beta, RC, and other pre-release versions
  • Generates SPDX-compliant SBOM files using the kubernetes-sigs/bom tool
  • Enriches SBOMs with license information using google/go-licenses
  • Uploads SBOMs directly to OCI S3-compatible buckets (no SBOM files are stored in this repository)

Storage

Generated SBOMs are stored in two OCI S3-compatible buckets:

Bucket Content
cncf-project-sboms Official CNCF project SBOMs
cncf-subproject-sboms Subproject / discovered repo SBOMs

S3 Object Naming Convention

Projects:

<project>/<version>/<project>_<version>_spdx.json

Example: coredns/1.12.0/coredns_1_12_0_spdx.json

Subprojects:

<parent-project>/<repo>/<version>/<parent-project>_<repo>_<version>_spdx.json

Example: higress/IOC-golang/1.0.0/higress_ioc-golang_1_0_0_spdx.json

Note: Dots in version numbers are replaced with underscores in the filename to avoid potential issues.

Repository Structure

This repository contains only tooling and configuration — no SBOM data files.

./
├── README.md                           # This file
├── .gitignore                          # Excludes generated SBOM data
├── .github/workflows/
│   ├── sync-cncf-projects.yml          # Sync CNCF project list from landscape
│   ├── discover-cncf-repos.yml         # Discover subproject repos in CNCF orgs
│   ├── generate-sbom.yml               # Generate SBOMs and upload to S3
│   ├── reusable-generate-sbom.yml      # Reusable workflow for subproject batches
│   └── migrate-sboms-to-oci.yml        # One-time migration of legacy repo SBOMs to S3
└── util/
    ├── data/
    │   ├── cncf-projects.yaml          # Auto-synced CNCF project list (DO NOT EDIT)
    │   └── discovered-repos.yaml       # Subproject repos found in CNCF orgs (DO NOT EDIT)
    ├── extract-projects/               # Go tool to sync projects from CNCF landscape
    ├── discover-repos/                 # Go tool to find subproject repos in CNCF orgs
    ├── generate-index/                 # Go tool to generate an index of SBOMs
    ├── ingest-sbom-oci.sh              # Script to upload local SBOMs to OCI buckets
    ├── generate-sbom-local.sh          # Local testing script (Linux/macOS)
    └── generate-sbom-local.ps1         # Local testing script (Windows)

GitHub Actions Workflows

1. Sync CNCF Projects (sync-cncf-projects.yml)

Automatically syncs the list of CNCF projects from the official landscape.

  • Scheduled: Daily at 03:00 UTC
  • Manual trigger: Via workflow_dispatch
  • Output: util/data/cncf-projects.yaml

2. Discover Additional Repos (discover-cncf-repos.yml)

Scans GitHub organizations of CNCF projects to find additional subproject repositories with releases.

  • Scheduled: Weekly on Monday at 04:00 UTC
  • Manual trigger: Via workflow_dispatch
  • Output: util/data/discovered-repos.yaml

This workflow finds subproject repositories that:

  • Belong to the same GitHub org/user as a CNCF project
  • Have at least one release
  • Contain a go.mod file (Go-based project)
  • Are not forks, archived, or disabled

3. Generate SBOMs (generate-sbom.yml)

Generates SBOMs for CNCF projects and uploads them directly to OCI S3 buckets.

  • Scheduled: Weekly on Sunday at 02:00 UTC (processes only releases from the past week)
  • Manual trigger: Via workflow_dispatch with optional filters
Input Description Default
project_filter Filter by owner/repo (e.g., "coredns/coredns") empty (all projects)
force_regenerate Force regenerate existing SBOMs false
releases_mode recent (past week) or latest (N latest releases) recent
max_releases Max releases per repo (only for latest mode) 3
source all, cncf, or discovered all

How it works:

  1. Prepares a matrix of repositories from cncf-projects.yaml and discovered-repos.yaml
  2. Each matrix job generates SBOMs locally using bom and go-licenses
  3. Generated SBOMs are immediately uploaded to the corresponding S3 bucket
  4. No files are committed to the repository

4. Migrate SBOMs to OCI (migrate-sboms-to-oci.yml)

One-time / on-demand migration of any legacy SBOM files from the repository into OCI S3 buckets.

  • Manual trigger only: Via workflow_dispatch
  • Skips objects that already exist in the bucket (unless FORCE is set)
  • Uses util/ingest-sbom-oci.sh

Required GitHub Secrets & Variables

The following must be configured in the repository settings:

Secrets:

Secret Description
OCI_S3_ACCESS_KEY S3-compatible access key for OCI Object Storage
OCI_S3_SECRET_KEY S3-compatible secret key for OCI Object Storage

Variables:

Variable Description Example
OCI_S3_ENDPOINT S3-compatible endpoint URL https://axtwf1hkrwcy.compat.objectstorage.us-sanjose-1.oraclecloud.com
OCI_S3_REGION S3 region us-sanjose-1
OCI_PROJECT_BUCKET Bucket name for project SBOMs cncf-project-sboms
OCI_SUBPROJECT_BUCKET Bucket name for subproject SBOMs cncf-subproject-sboms

Running the Workflow Manually

  1. Go to Actions tab in GitHub
  2. Select "Generate SBOM for CNCF Projects"
  3. Click "Run workflow"
  4. Optionally specify a project filter or change the releases mode

Utility Tools

extract-projects

Go tool that downloads the CNCF landscape and extracts all projects with status graduated, incubating, or sandbox.

cd util/extract-projects
go run . ../data/cncf-projects.yaml

discover-repos

Go tool that scans GitHub organizations of CNCF projects to find additional subproject repositories with releases.

cd util/discover-repos
go run . /path/to/cncf-automation

The tool will:

  • Read the list of CNCF projects from cncf-projects.yaml
  • Scan each unique GitHub organization/user
  • Find subproject repos that have releases and contain go.mod
  • Output results to discovered-repos.yaml

ingest-sbom-oci.sh

Script to upload local SBOM files to OCI S3 buckets. Supports both OCI CLI and S3-compatible auth modes.

# Using S3 auth (recommended for CI)
./util/ingest-sbom-oci.sh \
  --auth-mode s3 \
  --s3-endpoint https://axtwf1hkrwcy.compat.objectstorage.us-sanjose-1.oraclecloud.com \
  --s3-access-key "$ACCESS_KEY" \
  --s3-secret-key "$SECRET_KEY"

# Dry run to preview uploads
./util/ingest-sbom-oci.sh --dry-run

# Force overwrite existing objects
./util/ingest-sbom-oci.sh --force

Credentials can also be provided via environment variables or a .env.sbom / .env file.

Local Testing

Prerequisites

Bash Script (Linux/macOS/WSL)

# Process all projects
./util/generate-sbom-local.sh

# Process specific repo
./util/generate-sbom-local.sh coredns/coredns

# Force regenerate
./util/generate-sbom-local.sh --force coredns/coredns

# Set max releases per repo (default: 3)
MAX_RELEASES=5 ./util/generate-sbom-local.sh

PowerShell Script (Windows)

# Process all projects
.\util\generate-sbom-local.ps1

# Process specific repo
.\util\generate-sbom-local.ps1 -ProjectFilter "coredns/coredns"

# Force regenerate
.\util\generate-sbom-local.ps1 -Force -ProjectFilter "coredns/coredns"

# Set max releases per repo
.\util\generate-sbom-local.ps1 -MaxReleases 5

Environment Variables

Variable Description
GH_TOKEN or GITHUB_TOKEN GitHub token for API access (recommended for higher rate limits)
MAX_RELEASES Maximum releases to process per repo (default: 3, bash only)

Project List

CNCF projects are automatically synced from the official CNCF Landscape.

Projects with the following status are included:

  • graduated
  • incubating
  • sandbox

Note: You do not need to manually add projects. The sync workflow runs daily and updates the project list automatically. If a project is missing, ensure it is properly listed in the CNCF Landscape with the correct project status.

Release Filtering

The generator only processes stable releases:

Included:

  • Full releases (e.g., v1.0.0, v2.5.3)
  • Releases marked as non-prerelease and non-draft in GitHub

Excluded:

  • Alpha releases (e.g., v1.0.0-alpha.1)
  • Beta releases (e.g., v1.0.0-beta.2)
  • Release candidates (e.g., v1.0.0-rc1)
  • Development versions (e.g., v1.0.0-dev)
  • Snapshots, nightly, canary builds
  • Draft releases

SBOM Format

Generated SBOMs are in SPDX 2.3 JSON format, containing:

  • Package information with CNCF project metadata
  • File listings with checksums
  • Dependency relationships
  • License information extracted via go-licenses

Example SBOM Metadata

Each SBOM includes enriched metadata:

  • CNCF project name and status
  • GitHub repository URL
  • Release tag and URL
  • Generation timestamp
  • Tool information

Troubleshooting

Rate Limiting

If you encounter GitHub API rate limits:

  1. Set the GH_TOKEN environment variable with a valid GitHub token
  2. Run gh auth login to authenticate the GitHub CLI

bom Tool Installation Fails

Ensure Go is properly installed and GOPATH/bin is in your PATH:

go install sigs.k8s.io/bom/cmd/bom@latest
export PATH=$PATH:$(go env GOPATH)/bin

Clone Failures

Some repositories may have protected tags or require authentication. The script will skip these and continue with other releases.

Non-Go Projects Skipped

The SBOM generator currently only supports Go-based projects. Projects without go.mod or go.sum in their root directory are automatically skipped.

S3 Upload Issues

If uploads fail with MissingContentLength, ensure the AWS CLI version is up to date and the AWS_REQUEST_CHECKSUM_CALCULATION=when_required environment variable is set.

Contributing

  1. Fork the repository
  2. Make your changes
  3. Test locally with the provided scripts
  4. Submit a pull request

For issues with specific CNCF projects, please contact the respective project maintainers directly.

About

House of SBOMs (and tooling)

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

9 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages