
Generate & upload SBOMs

Step-by-step guide to generate and upload SBOMs to SBOM Observer.


Upload SBOMs to SBOM Observer to track your software supply chain, analyze vulnerabilities, and enforce security policies. You can generate SBOMs with any SCA tool or with Observer CLI.

Before You Start

  • You have access to SBOM Observer
  • Your SBOM is in CycloneDX or SPDX format

For CI/CD automation, also install Observer CLI.


Generate Your SBOM

Choose your preferred tool to generate an SBOM.

Generate with Observer CLI

Observer CLI auto-detects your project type and generates standardized CycloneDX SBOMs.

From source code:

observer fs -m sbom.cdx.json .

Scans the current directory and auto-detects:

  • Node.js (npm, yarn, pnpm)
  • Python (pip, poetry)
  • Java (Maven, Gradle)
  • Go, Rust, .NET, and more

From a container image:

observer image -o sbom.cdx.json myapp:latest

Scans an image from Docker or a pre-built image.

From a Kubernetes cluster:

observer k8s --sbom --upload

Creates a snapshot of your cluster and generates SBOMs for all running workloads. Requires kubectl access to your cluster.

See Observer CLI for more commands and options.

Generate with Third-Party Tools

You can generate SBOMs with any SCA tool that outputs CycloneDX or SPDX format:

  • Trivy - Container and filesystem scanning
  • Syft - Comprehensive multi-format SBOM generation
  • CycloneDX cdxgen - Creates SBOMs from build tools (npm, Maven, Gradle, etc.)
  • SPDX Tools - SPDX format generation and validation

Example with Syft:

syft . -o cyclonedx-json > sbom.cdx.json

Example with Trivy:

trivy fs --format cyclonedx . > sbom.cdx.json

Ensure your output is in CycloneDX JSON or SPDX JSON format before uploading to SBOM Observer.


Upload Your SBOM

Choose your preferred upload method.

Via Web Interface

  1. Log in to SBOM Observer
  2. Navigate to Attestations
  3. Click Upload Attestation
  4. Select your CycloneDX or SPDX JSON file and confirm the upload.

Your SBOM is now in SBOM Observer. It will be analyzed against all active policies and checked for vulnerabilities.

Via Observer CLI

First, get your API token:

  1. Log in to SBOM Observer
  2. Go to User Profile → Access Tokens
  3. Create a token and copy it. You will not be able to see it again.

Then upload from the command line:

export OBSERVER_TOKEN=your-api-token
observer upload sbom.cdx.json --project my-app --environment production

Store your OBSERVER_TOKEN as a secret in your CI/CD platform. Never commit it to version control.
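As an added example (not code from Observer CLI or SBOM Observer), a small pre-upload check for a CI step: it confirms the file is CycloneDX JSON or SPDX JSON as required above, reports the top-level component count, and assembles the `observer upload` command from this guide with the token supplied only through OBSERVER_TOKEN. The project name `my-app`, the environment `production`, and the two embedded sample documents are constructed.

```python
"""Pre-upload check for a CI step: confirm the file is CycloneDX JSON or SPDX JSON,
the formats this guide says SBOM Observer accepts, then run `observer upload`."""
import json
import os
import subprocess
import sys

# Constructed minimal samples, one per accepted format.
CYCLONEDX_SAMPLE = ('{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": '
                    '[{"type": "library", "name": "lodash", "version": "4.17.21"}]}')
SPDX_SAMPLE = ('{"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "myapp", '
               '"packages": [{"name": "lodash", "SPDXID": "SPDXRef-Package-lodash"}]}')

def detect_sbom_format(text: str) -> str:
    """Return 'cyclonedx-json' or 'spdx-json'; raise ValueError for anything else."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise ValueError("top-level JSON value must be an object")
    # CycloneDX JSON identifies itself with bomFormat and specVersion.
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "cyclonedx-json"
    # SPDX JSON identifies itself with spdxVersion and the document-level SPDXID.
    if str(doc.get("spdxVersion", "")).startswith("SPDX-") and doc.get("SPDXID") == "SPDXRef-DOCUMENT":
        return "spdx-json"
    raise ValueError("neither CycloneDX JSON nor SPDX JSON (XML output is not accepted here)")

def component_count(text: str) -> int:
    """Top-level entries only (CycloneDX 'components' or SPDX 'packages'); zero usually means no manifest was found."""
    doc = json.loads(text)
    return len(doc.get("components") or doc.get("packages") or [])

def build_upload_command(sbom_path: str, project: str, environment: str, env=None) -> list:
    """argv for `observer upload`; the token stays in OBSERVER_TOKEN, never in argv, CI logs or `ps` output."""
    env = os.environ if env is None else env
    if not env.get("OBSERVER_TOKEN"):
        raise RuntimeError("OBSERVER_TOKEN is unset; inject it from your CI secret store")
    return ["observer", "upload", sbom_path, "--project", project, "--environment", environment]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real run: python check_sbom.py sbom.cdx.json
        text = open(sys.argv[1], encoding="utf-8").read()
        print(f"{detect_sbom_format(text)}: {component_count(text)} top-level components")
        subprocess.run(build_upload_command(sys.argv[1], "my-app", "production"), check=True)
    else:  # no argument: exercise the constructed samples
        for sample in (CYCLONEDX_SAMPLE, SPDX_SAMPLE):
            print(detect_sbom_format(sample), component_count(sample))
```

Run it with the SBOM path as the only argument in the CI job that already has OBSERVER_TOKEN injected as a secret; an invalid or non-SBOM file fails the step before anything is uploaded.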


What Happens After Upload

Once uploaded, SBOM Observer:

  1. Analyzes your SBOM against all active policies
  2. Detects known vulnerabilities in your components
  3. Tracks your supply chain over time
  4. Alerts if new vulnerabilities are discovered

You'll see:

  • Policy violations - Components that don't meet your security standards
  • Vulnerabilities - CVEs and security issues
  • Component overview - Full inventory of your dependencies

Next Steps