CLI for the DevRadar service. It hides the by-digest / all-layers / base64 mechanics of getting an SBOM into DevRadar behind two commands:
devradarctl sbom— generate an all-layers CycloneDX SBOM for a container image.devradarctl submit— submit an SBOM (from a file, or generated from an image).
go install github.com/thingzio/devradarctl@latestOr download a release archive from the releases page.
syftonPATH(or pass--syft-path) — used to generate SBOMs. Only required for thesbomcommand andsubmit --image.- Image digest resolution is done in-process (no
craneneeded) and uses your ambient Docker credentials (docker login, credential helpers).
# Print to stdout
devradarctl sbom --image alpine:3.20
# Write to a file
devradarctl sbom --image alpine:3.20 --output alpine.cdx.jsonThe image is pinned to its manifest digest (repo@sha256:…) before syft runs, so
the SBOM carries the digest DevRadar uses to identify the image unambiguously. The
SBOM is generated with all layers in scope by default (see --scope).
submit supports two modes. The API token is read from DEVRADAR_TOKEN, or
piped via stdin.
Option 1 — from an image (recommended). Point devradarctl at an image and
it does everything in one step: resolves the manifest digest, generates an
all-layers CycloneDX SBOM (the preferred form — it captures packages in
every layer, not just the final squashed filesystem), and submits it.
echo "$DEVRADAR_TOKEN" | devradarctl submit --image alpine:3.20 --label team-x --label prodThis requires syft on PATH.
Option 2 — from an existing SBOM file. If your SBOM was already produced by
another process (a CI pipeline, an image-build step, etc.), submit it as-is —
no syft required. For the best inventory, generate that SBOM with all layers
in scope (e.g. syft --scope all-layers). Pass --image-ref so the submission
is pinned to the correct image digest.
DEVRADAR_TOKEN=xxx devradarctl submit --file alpine.cdx.json --image-ref alpine@sha256:…| Flag | Env var | Default | Description |
|---|---|---|---|
--base-url |
DEVRADAR_BASE_URL |
https://devradar.thingz.io |
DevRadar service base URL |
| (token) | DEVRADAR_TOKEN |
— | API token (or piped via stdin) |
--label |
DEVRADAR_LABELS |
— | Grouping label(s); repeatable |
--tag |
— | image's tag | Image version to record (e.g. v1.20.2) |
--image-ref |
— | — | Digest-pinned image reference (file mode) |
--syft-path |
DEVRADAR_SYFT_PATH |
syft |
Path to the syft binary |
--scope |
— | all-layers |
syft cataloging scope |
--debug |
DEVRADAR_DEBUG |
false |
Debug logging (default level is warn) |
--log-json |
DEVRADAR_LOG_JSON |
false |
Emit logs as JSON |
Contributing? See DEVELOPMENT.md for build, test, and release instructions.
MIT — see LICENSE.