SBOM Observer Docs

Using the Observer CLI

Learn how to install and use the Observer CLI for generating, analyzing and uploading SBOMs.


Observer CLI is a free, open-source tool that generates SBOMs from your code, containers, and clusters. It auto-detects programming languages, produces standardized CycloneDX output, and integrates with CI/CD pipelines to enforce security policies. For a deeper look at how the CLI handles software composition analysis (SCA) across different targets, see Software Composition Analysis.

Key Capabilities

Generate SBOMs: from source code, container images, Kubernetes clusters, or build processes.

Analyze SBOMs: for vulnerabilities and policy violations.

Upload SBOMs: to SBOM Observer for continuous monitoring and compliance tracking.

Break Builds: in CI/CD when security policies are violated.

Quick Start

Install

Download the latest release for your platform:

Download Observer CLI

Available for Linux, macOS, and Windows

Generate Your First SBOM

From source code:

observer fs -o my-sbom.cdx.json .

From a container image:

observer image -o nginx.cdx.json nginx:latest

Analyze

You can run analysis without a token for quick visibility into the vulnerabilities and policy violations that the CLI discovers. This produces the list of findings and summary you see below.

observer analyze my-sbom.cdx.json

With an access token and a workspace in SBOM Observer, you can enforce policies to block builds when violations occur. See How to enforce policies to learn how to set up policy-driven gates in CI/CD pipelines.

Verify (optional)

After analysis completes, review the CLI output to ensure vulnerabilities and policy violations match your expectations. The exit code will be non-zero when policy violations are present, making it easy to gate builds, and the summary table highlights counts by severity.

observer verify my-sbom.cdx.json

This command validates the CycloneDX structure (and optionally compares artifacts) so you know the generated SBOM is well-formed before you upload it to SBOM Observer.

Upload

Uploading SBOMs requires an access token so SBOM Observer can associate results with your workspace.

export OBSERVER_TOKEN=your-api-token
observer upload my-sbom.cdx.json

Example Output

Here's what the analysis output looks like:

observer analyze example-nextjs.cdx.json
Analyzed example-nextjs.cdx.json

 -- Vulnerabilities --
┌────────────────┬─────────┬────────────────┬──────────┬────────┬──────────────────┬────────────────────────────────────────────────┐
│      Name      │ Version │   Identifier   │ Severity │  EPSS  │ Patched Versions │                     Title                      │
├────────────────┼─────────┼────────────────┼──────────┼────────┼──────────────────┼────────────────────────────────────────────────┤
│ next           │ 13.5.3  │ CVE-2025-29927 │ CRITICAL │ 92.08% │ >=13.5.7         │ Authorization Bypass in Next.js Middleware     │
├────────────────┼─────────┼────────────────┼──────────┼────────┼──────────────────┼────────────────────────────────────────────────┤
│ braces         │ 3.0.2   │ CVE-2024-4068  │ HIGH     │ 0.22%  │ >=3.0.3          │ Fails to limit number of characters            │
├────────────────┼─────────┼────────────────┼──────────┼────────┼──────────────────┼────────────────────────────────────────────────┤
│ @babel/runtime │ 7.21.5  │ CVE-2025-27789 │ MEDIUM   │ 0.07%  │ >=7.24.4         │ Inefficient RegExp complexity                  │
├────────────────┼─────────┼────────────────┼──────────┼────────┼──────────────────┼────────────────────────────────────────────────┤
│ cookie         │ 0.5.0   │ CVE-2024-47764 │ LOW      │ 0.07%  │ >=0.7.0          │ Accepts name with out of bounds characters     │
└────────────────┴─────────┴────────────────┴──────────┴────────┴──────────────────┴────────────────────────────────────────────────┘

 -- Policy Violations --
┌──────────┬──────────────────┬────────────────────────────────┬────────────────────────────────────────┬──────────┐
│   Name   │     Version      │             Policy             │                Message                 │ Severity │
├──────────┼──────────────────┼────────────────────────────────┼────────────────────────────────────────┼──────────┤
│ frontend │ 85448d7aa1f38ad3 │ NTIA Minimum Elements for SBOM │ metadata.supplier is missing           │ MEDIUM   │
└──────────┴──────────────────┴────────────────────────────────┴────────────────────────────────────────┴──────────┘

 -- Summary --
┌───────────────────┬──────────┬──────┬────────┬─────┬───────┐
│                   │ CRITICAL │ HIGH │ MEDIUM │ LOW │ Total │
├───────────────────┼──────────┼──────┼────────┼─────┼───────┤
│ Vulnerabilities   │ 1        │ 1    │ 1      │ 1   │ 4     │
├───────────────────┼──────────┼──────┼────────┼─────┼───────┤
│ Policy Violations │ 0        │ 0    │ 1      │ 0   │ 1     │
└───────────────────┴──────────┴──────┴────────┴─────┴───────┘

If you're only interested in the summary table, pass the --summary flag to get a concise overview instead of the full findings lists:

observer analyze --summary my-sbom.cdx.json

Next Steps