sl sbom export
The sbom export command lets you export a Software Bill of Materials (SBOM) for an application scan. The SBOM lists the components (and their dependencies) discovered during analysis, and can be produced in several industry-standard formats — CycloneDX, SPDX, and VEX.
Usage
To run: sl sbom export [command options]
The command fetches the SBOM for the named application from Qwiet AI by Harness and writes it to a local file. If you don't specify a scan, the latest scan for the application is used.
Command options
For reuse across analyses, some options can also be set as environment variables; the table below lists the variable for each option that supports one. Values set via environment variables override those set in a configuration file, and values passed as command-line flags override both.
| Option | Environment variable | Description |
|---|---|---|
| --app <name> or -a <name> | SHIFTLEFT_APP=<name> | The name of the application the analysis is for (required) |
| --output <path> | | Path to store the exported SBOM file. If omitted, defaults to sbom plus the extension matching the chosen format (e.g. sbom.xml) |
| --scan <ID> | | The scan ID to use for fetching the SBOM. If not provided, defaults to the latest scan |
| --format <format> | | Output format for the SBOM (default: cyclonedx-1.4-xml). See Supported formats below |
| --timeout <duration> | | Timeout (e.g. 60s) to wait for the command to finish (default: 1m) |
Supported formats
Pass one of the following values to --format. The short aliases (cyclonedx, spdx, vex) map to the default version of each standard, as noted below.
| Standard | Accepted values | File extension |
|---|---|---|
| CycloneDX | cyclonedx (→ cyclonedx-1.4-xml), cyclonedx-1.4-xml, cyclonedx-1.4-json, cyclonedx-1.2-xml, cyclonedx-1.2-json | .xml / .json |
| SPDX | spdx (→ spdx-2.3-tag-value), spdx-2.3-tag-value, spdx-2.3-json, spdx-2.3-yaml, spdx-2.2-tag-value, spdx-2.2-json, spdx-2.2-yaml, spdx-2.1-tag-value, spdx-2.1-json, spdx-2.1-yaml | .spdx / .json / .yaml |
| VEX | vex (→ vex-0.2.0-json), vex-0.2.0-json | .json |
The output file extension is chosen automatically to match the format. If you supply --output without an extension, the correct one is appended for you. If you supply an extension that doesn't match the selected format, the CLI honors your filename but prints a warning.
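As an added example (not part of the sl CLI or of this documentation), the POSIX shell script below reproduces the format-to-extension mapping from the table above and the --output handling just described, then wraps sl sbom export so that a CI step fails if the command succeeds but no SBOM file is written. The helper names (sbom_ext_for_format, sbom_output_path, export_sbom) and the SBOM_SCAN and SBOM_TIMEOUT variables are the example's own; only SHIFTLEFT_APP and the sl flags come from this page.

```shell
#!/bin/sh
# Added example, not part of the sl CLI: reproduce the format -> extension
# rules from the "Supported formats" table, then wrap `sl sbom export` so a
# CI step fails when no SBOM file is written. Helper names and the SBOM_SCAN /
# SBOM_TIMEOUT variables are this example's own; SHIFTLEFT_APP is the CLI's.

# Print the file extension (without the dot) that matches a --format value.
# Only the values listed in the table are accepted; anything else returns 1.
sbom_ext_for_format() {
  case "$1" in
    cyclonedx|cyclonedx-1.4-xml|cyclonedx-1.2-xml)                 echo xml ;;
    cyclonedx-1.4-json|cyclonedx-1.2-json)                         echo json ;;
    spdx|spdx-2.3-tag-value|spdx-2.2-tag-value|spdx-2.1-tag-value) echo spdx ;;
    spdx-2.3-json|spdx-2.2-json|spdx-2.1-json)                     echo json ;;
    spdx-2.3-yaml|spdx-2.2-yaml|spdx-2.1-yaml)                     echo yaml ;;
    vex|vex-0.2.0-json)                                            echo json ;;
    *) return 1 ;;
  esac
}

# Resolve the --output path the way the page describes: default to "sbom",
# append the matching extension when the filename has none, and keep a
# mismatching extension but warn about it on stderr.
sbom_output_path() {
  fmt="$1"
  out="${2:-sbom}"
  ext=$(sbom_ext_for_format "$fmt") || { echo "unknown --format value: $fmt" >&2; return 1; }
  base=${out##*/}   # inspect the filename only, so dots in directories do not count
  case "$base" in
    ?*.*)
      have=${base##*.}
      [ "$have" = "$ext" ] || echo "warning: $out does not use .$ext expected for $fmt" >&2
      echo "$out" ;;
    *)
      echo "$out.$ext" ;;
  esac
}

# Run the export and verify that a non-empty file landed where we expect it.
# Usage: export_sbom <app> [format] [scan-id] [output]
export_sbom() {
  app="$1"
  fmt="${2:-cyclonedx-1.4-xml}"
  scan="$3"
  out=$(sbom_output_path "$fmt" "${4:-sbom}") || return 1
  set -- --app "$app" --format "$fmt" --output "$out" --timeout "${SBOM_TIMEOUT:-1m}"
  if [ -n "$scan" ]; then
    set -- "$@" --scan "$scan"
  fi
  sl sbom export "$@" || return 1
  if [ ! -s "$out" ]; then
    echo "sl sbom export returned success but $out is missing or empty" >&2
    return 1
  fi
  echo "$out"
}

# Stand-alone use, e.g.:  SHIFTLEFT_APP=myApplication sh export-sbom.sh spdx-2.3-json myapp-sbom
# The guard keeps the functions sourceable without triggering a network call.
if [ -n "${SHIFTLEFT_APP:-}" ] && command -v sl >/dev/null 2>&1; then
  export_sbom "$SHIFTLEFT_APP" "${1:-cyclonedx-1.4-xml}" "${SBOM_SCAN:-}" "${2:-sbom}"
fi
```

Checking for a non-empty output file after the command returns is the part worth keeping in a pipeline: a build that publishes an SBOM should fail when the artifact is absent rather than silently shipping a stale one.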
Examples
Export the latest scan as CycloneDX (default):
sl sbom export --app myApplication
# writes sbom.xml
Export a specific scan as CycloneDX 1.4 JSON to a named file:
sl sbom export --app myApplication --scan 1234 --format cyclonedx-1.4-json --output myapp-sbom.json
Export an SPDX 2.3 JSON SBOM:
sl sbom export --app myApplication --format spdx-2.3-json
# writes sbom.json
Export a VEX document:
sl sbom export --app myApplication --format vex
# writes sbom.json