SBOM Observer Docs

Build-time SBOMs

Capture compiled artifacts and toolchains by observing your build, then generate high-fidelity SBOMs.


Build-time SBOMs capture not only your application dependencies but also the compilers, linkers, and system packages used to produce the artifact. SBOM Observer does this by tracing the build process with eBPF and turning the observations into a CycloneDX SBOM.

Prerequisites

  • Linux host with eBPF support (apt- or rpm-based systems are currently supported)
  • observer CLI installed and authenticated
  • Root privileges to run the tracer (the eBPF probes need root; run under sudo and pass -u so the build itself executes as an unprivileged user)

Platform support

Tracing currently supports apt- and rpm-based distributions. Windows and FreeBSD support are planned.

Observe a build and generate an SBOM

Trace the build

sudo observer build -u cicd -- make

This creates build-observations.json, recording every file opened or executed during the build.

Generate a build-time SBOM (optional)

sudo observer build -u cicd -b nginx.cdx.json -- make

Use -b to emit a CycloneDX SBOM directly from the observations. Components that were only used to produce the artifact (compilers, linkers, build tools, build-only system packages) are included and marked with scope: excluded, the CycloneDX scope for components that are not part of the shipped artifact, so consumers can separate them from runtime dependencies without guessing.

Post-process observations (multi-step)

# Step 1: observe
sudo observer build -u cicd -- make

# Step 2: generate SBOM from observations
observer fs -o ./sboms nginx.cdx.json .

This two-step flow lets you re-use one set of observations across multiple SBOM outputs (for example, regenerating with different -c metadata overrides) without re-running the build.
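
Once you have the SBOM, the scope: excluded marking is what makes toolchain assurance checkable. The script below is an added example, not code from the SBOM Observer docs or tooling: it reads a CycloneDX JSON document, separates runtime components from build-time ones, and compares the observed toolchain against a pinned list. The embedded SBOM is a constructed sample in the shape described above; its package names, versions and purls are invented for the example and are not real observer output.

```python
import json

# Constructed sample: a trimmed CycloneDX 1.5 document in the shape the page describes
# for `observer build -b` output (build-time components carry scope "excluded").
# Names, versions and purls are made up for the example; this is not real observer output.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "nginx", "version": "1.25.4"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13", "scope": "required",
         "purl": "pkg:deb/debian/openssl@3.0.13"},
        # scope omitted: CycloneDX consumers are told to assume "required"
        {"type": "library", "name": "zlib1g", "version": "1:1.3.dfsg-3",
         "purl": "pkg:deb/debian/zlib1g@1:1.3.dfsg-3"},
        {"type": "application", "name": "gcc-12", "version": "12.2.0-14", "scope": "excluded",
         "purl": "pkg:deb/debian/gcc-12@12.2.0-14"},
        {"type": "application", "name": "binutils", "version": "2.40-2", "scope": "excluded",
         "purl": "pkg:deb/debian/binutils@2.40-2"},
        # no purl: a component the pipeline could not resolve to a package
        {"type": "application", "name": "make", "version": "4.3-4.1", "scope": "excluded"},
    ],
})


def load_sbom(text):
    """Parse CycloneDX JSON and refuse anything that is not a CycloneDX document."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def split_by_scope(sbom):
    """Return (runtime, build_time) component lists.

    Build-time components are those with scope "excluded"; a missing scope is
    treated as "required", as the CycloneDX specification tells consumers to do.
    """
    runtime, build_time = [], []
    for comp in sbom.get("components", []):
        (build_time if comp.get("scope") == "excluded" else runtime).append(comp)
    return runtime, build_time


def check_toolchain(sbom, expected):
    """Compare observed build-time components with a pinned toolchain {name: version}.

    Returns a list of (name, problem, observed_version, expected_version) where
    problem is "version-drift", "unexpected" (observed but not pinned) or
    "missing" (pinned but never observed during the build).
    """
    findings = []
    _, build_time = split_by_scope(sbom)
    seen = set()
    for comp in build_time:
        name, version = comp.get("name"), comp.get("version")
        seen.add(name)
        if name not in expected:
            findings.append((name, "unexpected", version, None))
        elif version != expected[name]:
            findings.append((name, "version-drift", version, expected[name]))
    for name, version in expected.items():
        if name not in seen:
            findings.append((name, "missing", None, version))
    return findings


def unresolved_components(sbom):
    """Names of components without a purl; these cannot be matched against advisories."""
    return [c.get("name") for c in sbom.get("components", []) if not c.get("purl")]


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM)
    runtime, build_time = split_by_scope(bom)
    print("runtime:", [c["name"] for c in runtime])
    print("build-time:", [c["name"] for c in build_time])
    pinned = {"gcc-12": "12.2.0-14", "binutils": "2.40-2", "make": "4.3-4.1"}
    for finding in check_toolchain(bom, pinned):
        print("toolchain finding:", finding)
    print("unresolved:", unresolved_components(bom))
```

In a pipeline you would feed the file written by -b to load_sbom instead of the sample, keep the pinned toolchain list alongside the build definition, and fail the job on any "version-drift" or "unexpected" finding; "missing" findings are worth a look too, since a pinned compiler that was never observed usually means a different one did the work.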

Key flags

  • -o, --output <file> — Output file for build observations (default build-observations.json)
  • -b, --sbom <file> — Optional CycloneDX SBOM output generated from observations
  • -u, --user <name> — Drop privileges before executing the build (required when tracing as root)
  • -c, --config <observer.yaml> — Metadata overrides used when generating SBOMs
  • -e, --exclude <pattern> — Exclude files or globs from the observation results

Behind the scenes, Observer records file activity with build-observer (eBPF) and then feeds those observations through the same osv-scalibr/Trivy pipeline used by observer fs, so language-aware dependency resolution stays consistent across build-time and repository scans.

Use cases

  • Compiled artifacts (nginx, Apache, PostgreSQL, MySQL)
  • CGO/FFI projects (Go or Python applications using C/C++)
  • Native modules (Node.js node-gyp/C++ extensions)
  • Toolchain assurance (tracking compilers, linkers, and system packages used to build)