Generate and manage SBOM
A Software Bill of Materials (SBOM) is essential for understanding the components and dependencies within an application, which in turn enables organizations to manage open-source component risks effectively.
The Harness SSCA module provides comprehensive capabilities for generating, managing, and analyzing SBOM for software artifacts.
Integration with other Harness modules and third-party tools
The SSCA module integrates with the CI and CD stages of Harness pipelines, ensuring that an SBOM is generated for every build of your software artifacts and, optionally, before deployment, as well. This helps you maintain up-to-date information about the components used in your applications at all times. Additionally, you have the flexibility to use your preferred SBOM generation tool.
The SSCA module can also integrate with third-party SBOM generation tools, such as Syft. In the SSCA module, this is referred to as orchestrating with a tool, and it allows you to use your preferred SBOM generation tools or tools standardized and approved by security and governance teams.
SBOM formats
SSCA can generate SBOM in popular standard formats, such as CycloneDX and SPDX.
Because there are multiple SBOM formats and standards, the SSCA module normalizes your SBOM to extract the relevant information, such as component name, version, supplier, and licensing data. This normalization process ensures that your SBOM data is consistent, easy to manage, and can be used for policy enforcement and further analysis.
Attest and store
When an SBOM is generated, the SSCA module generates and signs the attestation, ensuring that the information is accurate and trustworthy. The attestations are then securely stored in your artifact repository, where you can access and analyze them as needed. SBOM are also stored in the Harness Platform so that you can download, analyze, and share them as needed.
Attestations are stored as .att
files in the artifact repository, specified in your build or deploy stage, along with the image. You can also find the SBOM on the Execution details page in Harness. For more information, go to View attestations and violations.
Generate SBOM in Harness
These instructions describe how to generate SBOM with the Harness SSCA Orchestration step. This step uses Syft. For other SBOM tools, go to Ingest SBOM.
For a step-by-step walkthrough, try this tutorial: Generate SBOM and enforce policies.
Prepare a pipeline
To generate SBOM in Harness, you need a pipeline with a CI (build) stage, a CD (deploy) stage, or both.
Generate a key pair
Keys are used to sign and verify attestations.
- Use Cosign to generate a public and private key pair
- Create two Harness file secrets, one for the private key file and one for the public key file.
- Create a Harness text secret to store the password for the private key.
Add the SSCA Orchestration step
Use the SSCA Orchestration step to generate an SBOM in either the Build or Deploy stage of a Harness pipeline.
- In a Build stage, add the SSCA Orchestration step after the artifact (image) has been pushed to an artifact repository.
- In a Deploy stage, add the SSCA Orchestration step before the deployment step.
SSCA Orchestration and Enforcement steps in deploy stage can only be used in the container step group
The SSCA Orchestration step has the following settings:
- Name: Enter a name for the step.
- Step Mode: Select Generation.
- SBOM Tool: Select Syft, which is the tool Harness uses to generate the SBOM. For other SBOM tools, go to Ingest SBOM.
- SBOM Format: Select SPDX or CycloneDX.
- Artifact Type: Select Image.
- Container Registry: Select the Docker Registry connector that is configured for the Docker-compliant container registry where the artifact is stored, such as Docker Hub, Amazon ECR, or GCR.
- Image: The repo path (in your container registry) and tag for the image for which you're generating an SBOM, such as
my-docker-repo/my-artifact:latest
. - Private Key: The Harness file secret containing the private key to use to sign the attestation.
- Password: The Harness text secret containing the password for the private key.

If you're using Docker-compliant ECR or GCR repositories, you must:
- Configure your Docker Registry connector as a valid artifact source.
- For ECR, go to Use Docker Registry for ECR.
- For GCR, go to Use Docker Registry for GCR
- Use the full URI for the Image in your SSCA Orchestration step, such as
1234567890.dkr.ecr.REGION.amazonaws.com/IMAGE_NAME:TAG
.
Run the pipeline
When the pipeline runs, the SSCA Orchestration step does the following:
- Generates an SBOM in the specified format.
- Generates and signs an attestation using the provided key and password.
- Stores the SBOM in Harness and uploads the
.att
file to your container registry alongside the image.
The signed attestation is stored, as an .att
file, in the artifact repository along with the image. You can also find the SBOM on the Artifacts tab on the Execution details page in Harness. For more information, go to View attestations and violations.
After generating an SBOM, you can use it to enforce SSCA policies.