nix2sbom

nix2sbom extracts the SBOM (Software Bill of Materials) from a Nix derivation

📚 Documentation is here

Features

  • Supports CycloneDX 1.4 format
  • Supports SPDX 2.3 format (Experimental)
  • Supports JSON and YAML serialization formats
  • Generates an SBOM for your current NixOS system
  • Detects and handles patches
  • Discovers git URLs (using archive URLs)

Using

In GitHub Actions

Here is an example of how to generate an SPDX manifest for your nix flake in a GHA workflow:

  generate-sbom-manifests:
    name: Generate SPDX SBOM manifest
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@da36cb69b1c3247ad7a1f931ebfd954a1105ef14 # v14

      - name: Install nix2sbom
        uses: EricCrosson/install-github-release-binary@681cc3de7c5c5ac935b1a2a19e4e0c577c4d3027 # v2.3.4
        with:
          targets: louib/nix2sbom/nix2sbom@v2.4.5

      - name: Generate the SPDX manifest
        run: |
          nix2sbom .# -f spdx > sbom.spdx.json
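A follow-up step a CI job can run on the generated file is a sanity check of the SPDX document before it is published or attested. The script below is an added example, not part of nix2sbom; it relies only on standard SPDX 2.3 JSON field names (spdxVersion, packages, downloadLocation, checksums, versionInfo), and the embedded SBOM is a constructed sample rather than real nix2sbom output.

```python
"""Audit an SPDX 2.3 JSON SBOM (e.g. sbom.spdx.json from the workflow above)
for packages whose provenance cannot be traced: missing download location,
missing checksum, or missing version."""
import json
import sys

# Constructed sample in SPDX 2.3 JSON shape; NOT real nix2sbom output.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-flake",
    "packages": [
        {"name": "hello", "SPDXID": "SPDXRef-hello", "versionInfo": "2.12.1",
         "downloadLocation": "https://ftp.gnu.org/gnu/hello/hello-2.12.1.tar.gz",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "ab" * 32}]},
        {"name": "zlib", "SPDXID": "SPDXRef-zlib", "versionInfo": "1.3",
         "downloadLocation": "NOASSERTION", "checksums": []},
        {"name": "vendored-blob", "SPDXID": "SPDXRef-blob",
         "downloadLocation": "NONE"},
    ],
})


def audit_spdx(text):
    """Return a sorted list of (package name, problem) tuples."""
    doc = json.loads(text)
    if doc.get("spdxVersion") != "SPDX-2.3":
        raise ValueError(f"unexpected spdxVersion: {doc.get('spdxVersion')!r}")
    findings = []
    for pkg in doc.get("packages", []):
        name = pkg.get("name", pkg.get("SPDXID", "<unnamed>"))
        # NOASSERTION / NONE are the SPDX markers for "unknown" / "no source"
        if pkg.get("downloadLocation", "NOASSERTION") in ("NOASSERTION", "NONE"):
            findings.append((name, "no download location"))
        if not pkg.get("checksums"):
            findings.append((name, "no checksum"))
        if "versionInfo" not in pkg:
            findings.append((name, "no version"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_sbom.py sbom.spdx.json ; exits 1 if anything is flagged
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    problems = audit_spdx(text)
    for name, why in problems:
        print(f"{name}: {why}")
    sys.exit(1 if problems else 0)
```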

Installing

With Nix

Assuming that you have enabled both the flakes and nix-command experimental features:

nix profile install github:louib/nix2sbom

With Cargo

cargo install --path .