SBOM Observer Docs

CI/CD Integration

Integrate Observer CLI into your CI/CD pipeline to automate SBOM generation, verification, and policy enforcement.


Integrate Observer CLI into your CI/CD pipeline to automatically generate SBOMs, analyze them for vulnerabilities and policy violations, and break builds when security standards aren't met.

Overview

The typical workflow is:

  1. Generate SBOM - Observer CLI scans your code, container, or cluster
  2. Analyze locally - Run policy checks before uploading
  3. Break on violations - Exit with non-zero status if policies fail
  4. Verify - Optionally ensure the SBOM is valid and matches artifacts
  5. Upload for monitoring - Send SBOM to SBOM Observer for continuous tracking

Observer CLI runs in virtually all CI/CD environments. The example below (under Integration Guide) is GitHub-focused; for GitLab CI, Azure Pipelines, Jenkins, CircleCI, and others, follow the same steps (generate → analyze → verify → upload) with your platform's syntax. Reach out if you need assistance.


Setup

Get Your API Token

Generate an access token from SBOM Observer to authenticate CLI uploads:

  1. Log in to SBOM Observer
  2. Navigate to Settings → Access Tokens
  3. Click Create Token and give it a descriptive name
  4. Copy the token and store it securely in your CI/CD secrets

Store the token as a secret in your CI/CD platform (e.g., OBSERVER_TOKEN) - never commit it to version control.

Install Observer CLI

Download the Observer CLI for your platform from the releases page. Available for Linux, macOS, and Windows.

See Observer CLI for detailed instructions.

Configure your pipeline steps

Add the CLI steps to generate, analyze, verify, and upload SBOMs:

  1. Generate SBOM (observer fs -o sbom.cdx.json .)
  2. Analyze against policies (observer analyze sbom.cdx.json)
  3. Verify structure and (optionally) artifacts (observer verify sbom.cdx.json --artifacts ./dist)
  4. Upload on success (observer upload sbom.cdx.json)
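
The four steps above (and the generate → analyze → verify → upload workflow in the Overview) can be chained so that a failing step stops the pipeline before anything is uploaded. The script below is an added example, not part of the Observer CLI project or this page; it assumes the CLI is reachable through the OBSERVER_BIN variable (defaulting to `observer` on PATH) and that the SBOM path, source directory and artifact directory are passed as arguments. The per-step exit codes (1 to 4) are this script's own convention, not the CLI's.

```shell
#!/bin/sh
# sbom-pipeline.sh: run generate -> analyze -> verify -> upload and stop at the
# first failing step, so an SBOM that violates policy or fails verification
# never reaches the upload step.
# Assumption (not from the page): the CLI binary is taken from $OBSERVER_BIN.

OBSERVER_BIN="${OBSERVER_BIN:-observer}"

# run_step NAME CMD... : log the command, run it, and return its exit status
# so the caller decides whether to continue.
run_step() {
  name="$1"; shift
  echo "[sbom-pipeline] $name: $*"
  "$@"
  status=$?
  if [ "$status" -ne 0 ]; then
    echo "[sbom-pipeline] $name failed with exit status $status" >&2
  fi
  return "$status"
}

# sbom_pipeline SBOM_PATH SOURCE_DIR [ARTIFACT_DIR]
# Returns 0 only when every step succeeded. Exit codes 1-4 identify the failing
# step (generate, analyze, verify, upload); this numbering is the script's own.
sbom_pipeline() {
  sbom="$1"; src="$2"; artifacts="$3"
  run_step "generate" "$OBSERVER_BIN" fs -o "$sbom" "$src" || return 1
  run_step "analyze" "$OBSERVER_BIN" analyze "$sbom" || return 2
  if [ -n "$artifacts" ]; then
    # Check the SBOM against the built artifacts when a directory is given.
    run_step "verify" "$OBSERVER_BIN" verify "$sbom" --artifacts "$artifacts" || return 3
  else
    run_step "verify" "$OBSERVER_BIN" verify "$sbom" || return 3
  fi
  # Only an SBOM that passed both policy and structural checks is uploaded.
  run_step "upload" "$OBSERVER_BIN" upload "$sbom" || return 4
  return 0
}

# Run directly when arguments are supplied, e.g.:
#   OBSERVER_TOKEN=... sh sbom-pipeline.sh sbom.cdx.json . ./dist
if [ "$#" -gt 0 ]; then
  sbom_pipeline "$@"
  exit $?
fi
```

Because each step is chained with `|| return`, the script's overall exit status is non-zero whenever any step fails, which is what makes the CI job break the build; the upload command is simply never reached in that case.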

For more enforcement patterns, see Enforce policies in CI/CD.


Integration Guide

GitHub Actions

Add Observer CLI to your GitHub Actions workflow:

.github/workflows/sbom-observer.yml
name: SBOM Observer

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Download Observer CLI
        run: |
          curl -fsSL https://github.com/sbom-observer/observer-cli/releases/download/v0.1.0/observer-linux-x64 -o observer
          chmod +x observer

      - name: Generate SBOM
        run: ./observer fs -o sbom.cdx.json .

      - name: Verify SBOM
        run: ./observer verify sbom.cdx.json

      - name: Analyze SBOM against policies
        env:
          OBSERVER_TOKEN: ${{ secrets.OBSERVER_TOKEN }}
        run: ./observer analyze sbom.cdx.json

      - name: Upload SBOM to Observer
        if: success()
        env:
          OBSERVER_TOKEN: ${{ secrets.OBSERVER_TOKEN }}
        run: ./observer upload sbom.cdx.json

Key features:

  • Runs on push and pull request so issues are caught early
  • Exits with a non-zero status if policy violations are detected (breaks the build)
  • Uploads only on success, so an SBOM that failed analysis or verification is never uploaded
  • Token supplied through the secrets store via ${{ secrets.OBSERVER_TOKEN }}, never hardcoded

Next Steps