Generate and manage SBOM
A Software Bill of Materials (SBOM) is essential for understanding the components and dependencies within an application, which in turn enables organizations to manage open-source component risks effectively.
The Harness SSCA module provides comprehensive capabilities for generating, managing, and analyzing SBOM for software artifacts.
Integration with other Harness modules and third-party tools
The SSCA module integrates with the CI and CD stages of Harness pipelines, ensuring that an SBOM is generated for every build of your software artifacts and, optionally, before deployment, as well. This helps you maintain up-to-date information about the components used in your applications at all times. Additionally, you have the flexibility to use your preferred SBOM generation tool.
The SSCA module can also integrate with third-party SBOM generation tools, such as Syft. In the SSCA module, this is referred to as orchestrating with a tool, and it allows you to use your preferred SBOM generation tools or tools standardized and approved by security and governance teams.
SBOM formats
SSCA can generate SBOM in popular standard formats, such as CycloneDX and SPDX.
Because there are multiple SBOM formats and standards, the SSCA module normalizes your SBOM to extract the relevant information, such as component name, version, supplier, and licensing data. This normalization process ensures that your SBOM data is consistent, easy to manage, and can be used for policy enforcement and further analysis.
Attest and store
When an SBOM is generated, the SSCA module generates and signs the attestation, ensuring that the information is accurate and trustworthy. The attestations are then securely stored in your artifact repository, where you can access and analyze them as needed. SBOM are also stored in the Harness Platform so that you can download, analyze, and share them as needed.
Attestations are stored as .att files in the artifact repository, specified in your build or deploy stage, along with the image. You can also find the SBOM on the Execution details page in Harness. For more information, go to View attestations and violations.
While Harness is capable of generating SBOMs for both Container Images and Code Repositories, it is important to note that SBOM attestation is supported only for Container Images.
Generate SBOM in Harness
These instructions describe how to generate SBOM with the Harness SSCA Orchestration step. This step uses Syft. For other SBOM tools, go to Ingest SBOM.
For a step-by-step walkthrough, try this tutorial: Generate SBOM and enforce policies.
Prepare a pipeline
To generate SBOM in Harness, you need a pipeline with a CI (build) stage, a CD (deploy) stage, or both.
Generate a key pair
Keys are used to sign and verify attestations.
- Use Cosign to generate a public and private key pair
- Create two Harness file secrets, one for the private key file and one for the public key file.
- Create a Harness text secret to store the password for the private key.
Add the SSCA Orchestration step
Use the SSCA Orchestration step to generate an SBOM in either the Build or Deploy stage of a Harness pipeline.
- In a Build stage, add the SSCA Orchestration step after the artifact (image) has been pushed to an artifact repository.
- In a Deploy stage, add the SSCA Orchestration step before the deployment step.
SSCA Orchestration and Enforcement steps in deploy stage can only be used in the Containerized Step Groups
The SSCA Orchestration step includes various settings for generating the SBOM for both Containers and Repositories. We will delve into the different fields that need to be configured for each option to support the generation of the SBOM.
- Container
- Repository
-
Name: Enter a name for the step.
-
Step Mode: Select Generation.
-
SBOM Tool: Select Syft, which is the tool Harness uses to generate the SBOM. For other SBOM tools, go to Ingest SBOM.
-
SBOM Format: Select SPDX or CycloneDX.
-
Artifact Type: Select Container.
-
Container Registry: Select the Docker Registry connector that is configured for the Docker-compliant container registry where the artifact is stored, such as Docker Hub, Amazon ECR, or GCR.
-
Image: The repo path (in your container registry) and tag for the image for which you're generating an SBOM, such as
my-docker-repo/my-artifact:latest. -
Private Key: The Harness file secret containing the private key to use to sign the attestation.
-
Password: The Harness text secret containing the password for the private key.
-
SBOM Drift: This feature allows you to track changes in SBOMs, it can detect the changes by comparing the generated SBOM against a specified one. For an in-depth understanding of this functionality, please refer to the SBOM Drift documentation. If you prefer not to detect any changes in SBOMs, leave this option unchecked.
If you're using Docker-compliant ECR or GCR repositories, you must:
- Configure your Docker Registry connector as a valid artifact source.
- For ECR, go to Use Docker Registry for ECR.
- For GCR, go to Use Docker Registry for GCR
- Use the full URI for the Image in your SSCA Orchestration step, such as
1234567890.dkr.ecr.REGION.amazonaws.com/IMAGE_NAME:TAG.
-
Name: Enter a name for the step.
-
Step Mode: Select Generation.
-
SBOM Tool: Select Syft, which is the tool Harness uses to generate the SBOM. For other SBOM tools, go to Ingest SBOM.
-
SBOM Format: Select SPDX or CycloneDX.
-
Artifact Type: Select Repository.
infoSelecting "Repository" requires setting up a process to clone your repository into the workspace. This setup can be achieved through various approaches, such as a Git Clone step, a Run step, or during the stage creation process. It's essential that the SBOM Orchestration operates on the successfully cloned repository.
-
Repository URL: The Repository URL you've configured for cloning into the workspace.
-
Source Path: This field is designated for specifying the path within the codebase for which you aim to generate the SBOM. It enables the generation of an SBOM for particular sections of the code inside the repository. You should start the path with a '/'. For instance, if your repository URL is
https://github.com/username/repoand you intend to generate an SBOM for a specific part of the repository found athttps://github.com/username/repo/service-core/source, then you should input/service-core/sourceas the path. To generate an SBOM for the entire repository, leave this field empty. -
Git Branch: The branch of the repository for which you want to generate the SBOM.
-
Workspace: If the cloned codebase is stored in a directory other than the default
/harness, enter the path in the format/harness/<path>. If you have cloned into the default/harness, this field can be skipped. -
SBOM Drift: This feature allows you to track changes in SBOMs, it can detect the changes by comparing the generated SBOM against a specified one. For an in-depth understanding of this functionality, please refer to the SBOM Drift documentation. If you prefer not to detect any changes in SBOMs, leave this option unchecked.
Run the pipeline
When the pipeline runs, the SSCA Orchestration step performs the following actions:
- Generates an SBOM in the chosen format for both Containers and Repositories.
- Specifically for Containers:
- Generates and signs an attestation using the provided key and password.
- Stores the SBOM in Harness and uploads the
.attfile to your container registry to accompany the image.
The signed attestation for an Image, stored as an .att file, is placed in the artifact repository alongside the Image.
SBOMs for both Containers and Code Repositories are accessible in the Artifacts view. Additionally, you can locate the SBOM for any artifact on the Artifacts tab within the Execution Details page in Harness. For detailed insights, including viewing attestations and identifying violations, please refer to the View Attestations and Violations documentation.
After generating an SBOM, you can use it to enforce SSCA policies.