sl sbom export

The sbom export command lets you export a Software Bill of Materials (SBOM) for an application scan. The SBOM lists the components (and their dependencies) discovered during analysis, and can be produced in several industry-standard formats — CycloneDX, SPDX, and VEX.

Usage

To run: sl sbom export [command options]

The command fetches the SBOM for the named application from Qwiet AI by Harness and writes it to a local file. If you don't specify a scan, the latest scan for the application is used.

Command options

For easy reuse in future analyses, you can store some command-related information in environment variables; the options that support one are listed with their environment variable below. Precedence is as follows: values passed as command-line flags override values set via environment variables, which in turn override values set in a configuration file.

--app <name> or -a <name>
    Environment variable: SHIFTLEFT_APP=<name>
    The name of the application the analysis is for (required)

--output <path>
    Path to store the exported SBOM file. If omitted, defaults to sbom plus the extension matching the chosen format (e.g. sbom.xml)

--scan <ID>
    The scan ID to use for fetching the SBOM. If not provided, defaults to the latest scan

--format <format>
    Output format for the SBOM (default: cyclonedx-1.4-xml). See Supported formats below

--timeout <duration>
    Timeout (e.g. 60s) to wait for the command to finish (default: 1m)

Supported formats

Pass one of the following values to --format. The short aliases (cyclonedx, spdx, vex) map to the default version of each standard, as noted below.

CycloneDX
    Accepted values: cyclonedx (→ cyclonedx-1.4-xml), cyclonedx-1.4-xml, cyclonedx-1.4-json, cyclonedx-1.2-xml, cyclonedx-1.2-json
    File extension: .xml / .json

SPDX
    Accepted values: spdx (→ spdx-2.3-tag-value), spdx-2.3-tag-value, spdx-2.3-json, spdx-2.3-yaml, spdx-2.2-tag-value, spdx-2.2-json, spdx-2.2-yaml, spdx-2.1-tag-value, spdx-2.1-json, spdx-2.1-yaml
    File extension: .spdx / .json / .yaml

VEX
    Accepted values: vex (→ vex-0.2.0-json), vex-0.2.0-json
    File extension: .json

The output file extension is chosen automatically to match the format. If you supply --output without an extension, the correct one is appended for you. If you supply an extension that doesn't match the selected format, the CLI honors your filename but prints a warning.
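The following POSIX sh wrapper is an added example, not part of the Qwiet AI CLI or its documentation. It reproduces the alias-to-canonical-format mapping and the file-extension rules from the table above locally, so a CI job can know the artifact name before `sl` runs, and it mirrors the flag-over-environment precedence for `--app` (falling back to SHIFTLEFT_APP). The function names, the SBOM_WRAPPER_MAIN switch and the sample application names are assumptions made for this example; the alias targets and extensions are taken from the table.

```shell
#!/bin/sh
# Added example wrapper around `sl sbom export` (not the project's own code).
# Alias targets and extensions below are copied from the Supported formats table.

# Map a --format value to its canonical name; prints nothing for unknown values.
sbom_canonical_format() {
    case "$1" in
        cyclonedx) echo cyclonedx-1.4-xml ;;
        spdx)      echo spdx-2.3-tag-value ;;
        vex)       echo vex-0.2.0-json ;;
        cyclonedx-1.4-xml|cyclonedx-1.4-json|cyclonedx-1.2-xml|cyclonedx-1.2-json) echo "$1" ;;
        spdx-2.[123]-tag-value|spdx-2.[123]-json|spdx-2.[123]-yaml) echo "$1" ;;
        vex-0.2.0-json) echo "$1" ;;
        *) echo "" ;;
    esac
}

# File extension the CLI picks for a canonical format name.
sbom_extension() {
    case "$1" in
        *-xml)       echo xml ;;
        *-json)      echo json ;;
        *-yaml)      echo yaml ;;
        *-tag-value) echo spdx ;;
        *)           echo "" ;;
    esac
}

# Resolve the output path as documented: default base name "sbom", append the
# matching extension when the path has none, keep a mismatched extension but
# warn on stderr.
sbom_output_path() {
    fmt="$1"; out="$2"
    ext=$(sbom_extension "$fmt")
    [ -n "$out" ] || out=sbom
    base=${out##*/}
    case "$base" in
        *.*)
            have=${base##*.}
            if [ "$have" != "$ext" ]; then
                echo "warning: $out has extension .$have but format $fmt produces .$ext" >&2
            fi
            echo "$out" ;;
        *)  echo "$out.$ext" ;;
    esac
}

# Build the sl command line. Arguments: app format [output] [scan].
# --app comes from the first argument, falling back to SHIFTLEFT_APP
# (flag over environment). Returns 1 when app or format is unusable.
sbom_export_cmd() {
    app="${1:-${SHIFTLEFT_APP:-}}"; fmt="$2"; out="$3"; scan="$4"
    canon=$(sbom_canonical_format "$fmt")
    if [ -z "$app" ] || [ -z "$canon" ]; then
        return 1
    fi
    path=$(sbom_output_path "$canon" "$out")
    cmd="sl sbom export --app $app --format $canon --output $path"
    if [ -n "$scan" ]; then
        cmd="$cmd --scan $scan"
    fi
    echo "$cmd"
}

# Run the export only when explicitly asked (assumed switch), e.g. in CI:
#   SBOM_WRAPPER_MAIN=1 SHIFTLEFT_APP=myApplication sh sbom-export.sh "" spdx-2.3-json build/myapp 1234
if [ "${SBOM_WRAPPER_MAIN:-0}" = "1" ]; then
    cmd=$(sbom_export_cmd "$@") || { echo "usage: $0 <app|''> <format> [output] [scan]" >&2; exit 2; }
    echo "+ $cmd" >&2
    $cmd
fi
```

Because `sbom_output_path` computes the artifact name deterministically, a pipeline can publish or hash the file by that name without parsing the CLI's output; the warning branch matches the documented behaviour of keeping a mismatched filename rather than renaming it.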

Examples

Export the latest scan as CycloneDX (default):

sl sbom export --app myApplication
# writes sbom.xml

Export a specific scan as CycloneDX 1.4 JSON to a named file:

sl sbom export --app myApplication --scan 1234 --format cyclonedx-1.4-json --output myapp-sbom.json

Export an SPDX 2.3 JSON SBOM:

sl sbom export --app myApplication --format spdx-2.3-json
# writes sbom.json

Export a VEX document:

sl sbom export --app myApplication --format vex
# writes sbom.json