Software Bill of Materials (SBOM) acts as an inventory list, documenting all components used in a software project. It provides transparency by listing dependencies, their versions, and associated licenses present it the software or container image. This visibility helps engineers as well as software systems track and manage potential security issues effectively.

Since version 2.11 Harbor supports now automatic generation of SBOMs in combination with its default scanner - Trivy. Addition to that, users can also click the GENERATE SBOM button to manually generate an SBOM of a given artifact.

Automatic Generation of SBOMs during Image Push

To automatically generate an SBOM for images pushed to Harbor, users need to navigate to the Configuration tab of the project where an image was pushed. Then select the checkbox of SBOM generation and click SAVE button afterward.

After the configuration change, newly pushed artifacts docker push ... to this project will automatically trigger the SBOM generation process using the assigned scanner defined in the Scanner section.

In the project artifact page, users can see the SBOM details link as shown in the above image. By clicking on the “SBOM Details” (Inside the yellow rectangle), users will be redirected to the SBOM details page.

A table with package name, its current version, and package license will become visible, including a download link DOWNLOAD SBOM to download the file containing full SBOM details in SPDX format.

Manual SBOM Generation for Container Images With Harbor

In case the automatic SBOM generation is not enabled or desired, Users can selectively generate SBOMs for container images. Navigate to the artifact page and select the images for which the SBOM should be generated. After one or more images are selected, the Button GENERATE SBOM will become available. It is also possible to abort the SBOM generation inside the ACTIONS drop-down menu.

How to delete an SBOM

An SBOM accessory can be deleted individually as shown below by clicking on the three vertical dot icon next to the SBOM accessory you want to delete and then click the Delete option.

After the deletion, the SBOM accessory will be removed from the artifact and hence not visible in the UI anymore.

The final and physical deletion of the SBOM will be performed during the garbage collection process.

An SBOM can also be deleted along with its subject artifact, as shown below.

SBOM Replication

Users can create a pull-based or pushed-based replication rule to replicate a set of artifacts together with their corresponding SBOM from a source Harbor registry to a destination Harbor registry.