A command-line tool for uploading SBOM (Software Bill of Materials) files to bifrost.
This repository contains the bifrost-cli, which lets you submit SBOMs for a specific service and version to your bifrost organization. It is intended for local automation and CI/CD workflows where you already produce SBOMs as part of your build pipeline.
bifrost helps teams understand and reduce real workload risk with runtime security for containerized applications.
Learn more:
- Website: bifrostsec.com
- Documentation: docs.bifrostsec.com
- Portal: portal.bifrostsec.com
To use the CLI, you first need a bifrost account and an API token.
- Create an account or sign in to the bifrost portal.
- Create an API token for your organization in the organization settings.
- Choose how you want to install the CLI.
Install with Homebrew:
```sh
brew install bifrostsec/tap/bifrost-cli
```
This installs the `bifrost` command from the bifrostsec/homebrew-tap tap. To update later:
```sh
brew update
brew upgrade bifrost-cli
```
(Windows is not covered by Homebrew; use one of the options below.)
Or download a prebuilt release binary:
```sh
# Example for macOS on Apple Silicon
curl -L -o bifrost https://github.com/bifrostsec/bifrost-cli/releases/latest/download/bifrost-darwin-arm64
chmod +x ./bifrost
```
macOS note: the current macOS release binaries are not signed with an Apple Developer certificate. When you first run `./bifrost`, macOS may block it with a warning such as:

> “bifrost” Not Opened
> Apple could not verify “bifrost” is free of malware that may harm your Mac or compromise your privacy

To allow the binary to run on macOS:
- Try to run `./bifrost` once so macOS registers the blocked executable.
- Open `System Settings` > `Privacy & Security`.
- Scroll down to the `Security` section and click `Allow Anyway` for `bifrost`.
- Confirm with your login password if prompted.
- Run `./bifrost` again.

The `Allow Anyway` button is only shown for a limited time after the blocked launch attempt, so if you do not see it, run `./bifrost` again and return to `Privacy & Security`.

Release assets are published at github.com/bifrostsec/bifrost-cli/releases/latest. Available executable names include:
- bifrost-darwin-amd64
- bifrost-darwin-arm64
- bifrost-linux-amd64
- bifrost-linux-arm64
- bifrost-windows-386
- bifrost-windows-amd64
Or build the binary from a checkout of this repository:
```sh
make build
```
Upload an SBOM for a service and version:
```sh
BIFROST_API_KEY=my-key ./bifrost --service=name --service-version=34ha353 sbom upload /path/to/sbom.json
```
The API token is sent as a bearer token when the CLI uploads the SBOM.
The CLI uploads one or more SBOM files and associates them with a bifrost service and service version.
```sh
./bifrost --service=my-service --service-version=1.2.3 sbom upload /path/to/sbom.json
```
You can also read an SBOM from standard input by using `-` as the path:
```sh
cat /path/to/sbom.json | ./bifrost --service=my-service --service-version=1.2.3 sbom upload -
```
You can control retry behavior for transient upload failures:
```sh
./bifrost --service=my-service --service-version=1.2.3 --retry-attempts=5 --retry-delay=5s sbom upload /path/to/sbom.json
```
You can attach Git metadata to the upload request:
```sh
./bifrost --service=my-service --service-version=1.2.3 --git-branch=main --git-commit-sha=abc123 --git-origin=https://github.com/example/project.git sbom upload /path/to/sbom.json
```
Example with Trivy generating a CycloneDX SBOM for a container image and piping it directly to bifrost:
```sh
trivy image --format cyclonedx <image> | ./bifrost --service=my-service --service-version=1.2.3 sbom upload -
```
Example with GitHub CLI exporting the repository dependency graph SBOM and piping the SPDX document to bifrost:
```sh
gh api \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  /repos/OWNER/REPO/dependency-graph/sbom \
  --jq '.sbom' | ./bifrost --service=my-service --service-version=1.2.3 sbom upload -
```
You can provide the API token through:
- The `BIFROST_API_KEY` environment variable
- The `--api-key` flag
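The examples above are single commands; in a pipeline you usually want a small wrapper that checks the SBOM before sending it, fills in the Git metadata from the checkout, and keeps the token out of the command line. The script below is an added example and is not part of bifrost-cli. It assumes the downloaded binary is at `./bifrost` (override with `BIFROST_BIN`) and that the CI secret store exports `BIFROST_API_KEY`; the `BIFROST_RETRY_ATTEMPTS`, `BIFROST_RETRY_DELAY`, `GIT_BRANCH`, `GIT_COMMIT_SHA` and `GIT_ORIGIN` variables are this script's own names, not CLI options. Only the flags shown in this README are passed to `bifrost`.

```sh
#!/bin/sh
# ci-upload-sbom.sh: CI wrapper around bifrost-cli (added example, not part of the project).
# Assumes ./bifrost (or $BIFROST_BIN) and BIFROST_API_KEY from the CI secret store.
# BIFROST_RETRY_*, GIT_BRANCH, GIT_COMMIT_SHA and GIT_ORIGIN are this script's own variables.
set -u

# detect_sbom_format FILE: print "cyclonedx" or "spdx"; print "unknown" and fail otherwise.
# A cheap sanity check so an empty file or a stray build artifact is never uploaded.
detect_sbom_format() {
  f="$1"
  if [ ! -s "$f" ]; then
    echo unknown; return 1
  elif grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$f"; then
    echo cyclonedx
  elif grep -q '"spdxVersion"[[:space:]]*:' "$f"; then
    echo spdx
  else
    echo unknown; return 1
  fi
}

# sanitize_origin URL: strip userinfo from an https origin so a checkout token embedded
# as https://token@host/... is not attached to the upload. ssh-style origins pass through.
sanitize_origin() {
  printf '%s\n' "$1" | sed -E 's#^([a-z]+://)[^@/]+@#\1#'
}

# build_upload_args SERVICE VERSION SBOM: print the bifrost argument list, one per line.
# Global flags precede the "sbom upload" subcommand, matching the README examples.
# Git metadata comes from the GIT_* overrides or, failing that, from the local checkout.
build_upload_args() {
  service="$1"; version="$2"; sbom="$3"
  branch="${GIT_BRANCH:-$(git rev-parse --abbrev-ref HEAD 2>/dev/null || true)}"
  commit="${GIT_COMMIT_SHA:-$(git rev-parse HEAD 2>/dev/null || true)}"
  origin="${GIT_ORIGIN:-$(git remote get-url origin 2>/dev/null || true)}"
  origin=$(sanitize_origin "$origin")
  printf '%s\n' "--service=$service" "--service-version=$version" \
    "--retry-attempts=${BIFROST_RETRY_ATTEMPTS:-5}" "--retry-delay=${BIFROST_RETRY_DELAY:-5s}"
  if [ -n "$branch" ]; then printf '%s\n' "--git-branch=$branch"; fi
  if [ -n "$commit" ]; then printf '%s\n' "--git-commit-sha=$commit"; fi
  if [ -n "$origin" ]; then printf '%s\n' "--git-origin=$origin"; fi
  printf '%s\n' sbom upload "$sbom"
}

# upload_sbom SERVICE VERSION SBOM: validate, then invoke bifrost with the built arguments.
# The token stays in the environment: bifrost reads BIFROST_API_KEY itself, so it never
# appears in the process list or in CI logs the way an --api-key flag would.
upload_sbom() {
  service="$1"; version="$2"; sbom="$3"
  [ -n "${BIFROST_API_KEY:-}" ] || { echo "BIFROST_API_KEY is not set" >&2; return 2; }
  fmt=$(detect_sbom_format "$sbom") || { echo "$sbom is not a CycloneDX or SPDX JSON document" >&2; return 3; }
  echo "uploading $fmt SBOM $sbom for $service version $version" >&2
  set --
  while IFS= read -r arg; do set -- "$@" "$arg"; done <<EOF
$(build_upload_args "$service" "$version" "$sbom")
EOF
  "${BIFROST_BIN:-./bifrost}" "$@"
}

# Entry point when executed directly: ./ci-upload-sbom.sh SERVICE VERSION SBOM_FILE
if [ $# -eq 3 ]; then upload_sbom "$@"; fi
```

Typical use in a job step is `BIFROST_RETRY_ATTEMPTS=8 ./ci-upload-sbom.sh my-service "$GIT_SHA" sbom.cdx.json` with `BIFROST_API_KEY` injected as a masked secret. The format check is intentionally a string match rather than a full parser: it only needs to reject obviously wrong input before the network call, and the server still validates the document.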
- Website: bifrostsec.com
- Documentation: docs.bifrostsec.com
- Releases: github.com/bifrostsec/bifrost-cli/releases/latest
- Getting started guide: docs.bifrostsec.com/guides/get-started
- SBOM reference: https://docs.bifrostsec.com/reference/sbom/
- API reference: docs.bifrostsec.com/api/v2
- Portal: portal.bifrostsec.com
Apache-2.0. See LICENSE.