HCP SBOM Provisioner
Type: hcp-sbom
The hcp-sbom
provisioner uploads software bill of materials (SBOM) files from artifacts built by Packer to HCP Packer. You must format SBOM files you want to upload as JSON and follow either the SPDX or CycloneDX specification. HCP Packer ties these SBOM files to the version of the artifact that Packer builds.
Example
The following example uploads an SBOM from the local /tmp
directory and stores a copy at ./sbom/sbom_cyclonedx.json
on the local machine.
provisioner "hcp-sbom" { source = "/tmp/sbom_cyclonedx.json" destination = "./sbom/sbom_cyclonedx.json" sbom_name = "sbom-cyclonedx"}
Configuration reference
You can specify the following configuration options.
Required parameters:
source
(string) - The file path or URL to the SBOM file in the Packer artifact. This file must either be in the SPDX or CycloneDX format.
Optional parameters:
destination
(string) - The path on the local machine to store a copy of the SBOM file. You can specify an absolute or a path relative to the working directory when you execute the Packer build. If the file already exists on the local machine, Packer overwrites the file. If the destination is a directory, the directory must already exist.sbom_name
(string) - The name of the SBOM file stored in HCP Packer. If omitted, HCP Packer uses the build fingerprint as the file name. This value must be between three and 36 characters from the following set:[A-Za-z0-9_-]
. You must specify a unique name for each build in an artifact version.
Example usage
packer { required_plugins { docker = { version = ">= 1.0.0" source = "github.com/hashicorp/docker" } }}source "docker" "ubuntu" { image = "ubuntu:20.04" commit = true}build { sources = ["source.docker.ubuntu"] hcp_packer_registry { bucket_name = "test-bucket" } provisioner "shell" { inline = [ "apt-get update -y", "apt-get install -y curl gpg", "bash -c \"$(curl -sSL https://install.mondoo.com/sh)\"", "cnquery sbom --output cyclonedx-json --output-target /tmp/sbom_cyclonedx.json", ] } provisioner "hcp-sbom" { source = "/tmp/sbom_cyclonedx.json" destination = "./sbom" sbom_name = "sbom-cyclonedx" }}