Software Bill of Materials (SBOM)

A Software Bill of Materials (SBOM) is a contextualized inventory of a software application: it lists the components, libraries, and versions of every open source package and third-party component used to build it. Knowing each component's version lets you check whether it is at the latest release and, at the same time, list the vulnerabilities known for that version. The SBOM also maps the software supply chain in your organization, so you can see the cascading effect on your infrastructure if a vulnerability is not addressed in time. Finally, the SBOM records open source licenses, so you can confirm that a version update made to remediate a vulnerability keeps you legally compliant.
Prisma Cloud scans your integrated repositories for open source packages (through the package manager files found in the repository) and for IaC resources, and generates an SBOM report from the results. You can generate the report either from a CI/CD pipeline or from the console, and you can choose CSV or CycloneDX as the output format.

Types of SBOM Reports

Prisma Cloud currently supports the export of SBOM reports in two standardized formats, CSV and CycloneDX.
  • CSV
    CSV is a comma-separated format with one line per vulnerability or misconfiguration; resources and packages without findings also get a line each. Entries are categorized across open source packages, container images, IaC components, and cloud infrastructure components.
  • CycloneDX
    CycloneDX output lists all application components, including their vulnerabilities and misconfigurations, following the CycloneDX XML schema version 1.4.

Generate SBOM as a CSV

Generating an SBOM in CSV format from the CI/CD pipeline produces three files:
  • YYYYMMDD-HHMMSS_iac.csv
  • YYYYMMDD-HHMMSS_container_images.csv
  • YYYYMMDD-HHMMSS_oss_packages.csv
Here YYYYMMDD-HHMMSS is the timestamp at which the CSV files were generated.

Generate SBOM as a CycloneDX

Generating an SBOM in CycloneDX format produces a single file with the following sections:
  • Metadata
  • Components
  • Dependencies
  • Vulnerabilities

Generate SBOM on Prisma Cloud console

You can generate an SBOM report in either format from the Prisma Cloud console as follows.
  1. Select the repository to generate a report for.
  2. Select Output. You can choose between CSV and CycloneDX.
  3. Select Materials. You can choose the types of resources to include in the SBOM.
    • All: This generates a separate file for each of the three resource types below. If a resource type has no results, a blank file is generated for it.
    • Open-source packages: This includes the results from scans of open source dependencies.
    • Infrastructure as Code: This includes the results from scans of IaC resources in the repository.
    • Images: This includes the packages in container images built or referenced in the repository.
  4. Select Download.

Generate an SBOM from CI/CD Pipeline

Generate an SBOM report from your CI/CD pipeline by adding a checkov CLI command to the pipeline.
  1. Open a terminal.
  2. Run checkov against a directory or file, authenticating with your Prisma Cloud access key and secret key. For example: checkov -d . --bc-api-key PRISMA_ACCESS_KEY::PRISMA_SECRET_KEY
  3. Add the output format option to the checkov command: -o cyclonedx generates a CycloneDX SBOM and -o csv generates a CSV SBOM. For example, the following command generates a CycloneDX SBOM: checkov -d . --bc-api-key PRISMA_ACCESS_KEY::PRISMA_SECRET_KEY -o cyclonedx
    When checkov uploads results to the platform it typically also needs --repo-id <owner>/<repository> and, for Prisma Cloud credentials, --prisma-api-url. Use --output-file-path <directory> to write the SBOM file(s) into a directory instead of printing them to standard output, so a later pipeline stage can consume them.
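The following is an added example, not Prisma Cloud or checkov project code. It assembles the checkov command line described in the steps above (assuming checkov's --repo-id, --prisma-api-url and --output-file-path options alongside the documented -d, --bc-api-key and -o flags) and then reads the resulting CycloneDX 1.4 XML file, walking the Components, Dependencies and Vulnerabilities sections listed earlier to answer the cascading-risk question: which component a finding hits, and everything that depends on it. The embedded BOM is a constructed sample with placeholder package names and a placeholder vulnerability id, so the parser runs offline without checkov or platform credentials.

```python
"""Build a checkov SBOM command and summarise the CycloneDX output it produces."""
import os
import subprocess
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

CDX_NS = {"cdx": "http://cyclonedx.org/schema/bom/1.4"}
SEVERITY_ORDER = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def checkov_sbom_command(directory, api_key, repo_id, out_dir, output="cyclonedx",
                         prisma_url="https://api.prismacloud.io"):
    """Return the checkov argv for an SBOM export; output is 'csv' or 'cyclonedx'."""
    if output not in ("csv", "cyclonedx"):
        raise ValueError("SBOM output must be 'csv' or 'cyclonedx'")
    return ["checkov", "-d", directory,
            "--bc-api-key", api_key,          # PRISMA_ACCESS_KEY::PRISMA_SECRET_KEY
            "--prisma-api-url", prisma_url,   # assumed: needed for Prisma Cloud keys
            "--repo-id", repo_id,             # assumed: <owner>/<repository>
            "-o", output,
            "--output-file-path", out_dir]    # assumed: directory the report is written to


@dataclass
class Finding:
    vuln_id: str
    severity: str
    affected: list = field(default_factory=list)   # bom-refs of affected components


def parse_cyclonedx(xml_text):
    """Return (components by bom-ref, findings, dependency map) from CycloneDX 1.4 XML."""
    root = ET.fromstring(xml_text)
    components = {}
    for c in root.findall("cdx:components/cdx:component", CDX_NS):
        components[c.get("bom-ref")] = {
            "type": c.get("type"),
            "name": c.findtext("cdx:name", namespaces=CDX_NS),
            "version": c.findtext("cdx:version", namespaces=CDX_NS),
            "purl": c.findtext("cdx:purl", namespaces=CDX_NS),
        }
    deps = {}   # parent bom-ref -> list of direct child bom-refs
    for d in root.findall("cdx:dependencies/cdx:dependency", CDX_NS):
        deps[d.get("ref")] = [child.get("ref") for child in d.findall("cdx:dependency", CDX_NS)]
    findings = []
    for v in root.findall("cdx:vulnerabilities/cdx:vulnerability", CDX_NS):
        sev = v.findtext("cdx:ratings/cdx:rating/cdx:severity", default="unknown", namespaces=CDX_NS)
        refs = [t.text for t in v.findall("cdx:affects/cdx:target/cdx:ref", CDX_NS)]
        findings.append(Finding(v.findtext("cdx:id", namespaces=CDX_NS), sev.lower(), refs))
    return components, findings, deps


def dependents_of(deps, ref):
    """All bom-refs that directly or transitively depend on ref (the blast radius of one package)."""
    reverse = {}
    for parent, children in deps.items():
        for child in children:
            reverse.setdefault(child, set()).add(parent)
    seen, stack = set(), [ref]
    while stack:
        for parent in reverse.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def vulnerable_report(xml_text, min_severity="high"):
    """Findings at or above min_severity, with the component hit and everything depending on it."""
    components, findings, deps = parse_cyclonedx(xml_text)
    threshold = SEVERITY_ORDER.get(min_severity, 0)
    rows = []
    for f in findings:
        if SEVERITY_ORDER.get(f.severity, -1) < threshold:
            continue
        for ref in f.affected:
            comp = components.get(ref, {})
            rows.append({"id": f.vuln_id, "severity": f.severity,
                         "component": f"{comp.get('name')}@{comp.get('version')}",
                         "dependents": sorted(dependents_of(deps, ref))})
    return rows


def generate_and_report(directory, api_key, repo_id, out_dir, min_severity="high"):
    """Run checkov for real (needs checkov, network and credentials) and summarise its XML output."""
    subprocess.run(checkov_sbom_command(directory, api_key, repo_id, out_dir), check=True)
    xml_files = [f for f in os.listdir(out_dir) if f.endswith(".xml")]
    if not xml_files:
        raise FileNotFoundError(f"no CycloneDX XML written to {out_dir}")
    with open(os.path.join(out_dir, xml_files[0]), encoding="utf-8") as fh:
        return vulnerable_report(fh.read(), min_severity)


# Constructed sample BOM (placeholder names and vulnerability id), not real checkov output.
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata><tools><tool><vendor>bridgecrew</vendor><name>checkov</name></tool></tools></metadata>
  <components>
    <component type="application" bom-ref="app"><name>example-service</name><version>1.0.0</version></component>
    <component type="library" bom-ref="pkg:pypi/example-framework@2.0.0">
      <name>example-framework</name><version>2.0.0</version><purl>pkg:pypi/example-framework@2.0.0</purl>
    </component>
    <component type="library" bom-ref="pkg:pypi/example-parser@0.9.1">
      <name>example-parser</name><version>0.9.1</version><purl>pkg:pypi/example-parser@0.9.1</purl>
    </component>
  </components>
  <dependencies>
    <dependency ref="app"><dependency ref="pkg:pypi/example-framework@2.0.0"/></dependency>
    <dependency ref="pkg:pypi/example-framework@2.0.0"><dependency ref="pkg:pypi/example-parser@0.9.1"/></dependency>
  </dependencies>
  <vulnerabilities>
    <vulnerability bom-ref="finding-1"><id>EXAMPLE-0001</id>
      <ratings><rating><severity>high</severity></rating></ratings>
      <affects><target><ref>pkg:pypi/example-parser@0.9.1</ref></target></affects>
    </vulnerability>
  </vulnerabilities>
</bom>
"""

if __name__ == "__main__":
    print(" ".join(checkov_sbom_command(".", "ACCESS::SECRET", "my-org/my-repo", "sbom-out")))
    for row in vulnerable_report(SAMPLE_BOM):
        print(row)
```

On the sample, the single high-severity finding on example-parser is reported together with example-framework and the application itself as dependents, which is the "cascading risk" the SBOM is meant to expose; raising min_severity to critical drops it from the report. To run against a real repository, call generate_and_report with the directory, your PRISMA_ACCESS_KEY::PRISMA_SECRET_KEY pair, the repository id and an output directory.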
