website/content/docs/provisioners/hcp-sbom.mdx
<BadgesHeader> <PluginBadge type="official"/> </BadgesHeader>

> [!IMPORTANT]
> **Documentation Update:** Product documentation previously located in `/website` has moved to the `hashicorp/web-unified-docs` repository, where all product documentation is now centralized. Please make contributions directly to `web-unified-docs`, since changes to `/website` in this repository will not appear on developer.hashicorp.com.
# hcp-sbom provisioner

The `hcp-sbom` provisioner uploads software bill of materials (SBOM) files from artifacts built by Packer to HCP Packer. You must format SBOM files you want to upload as JSON and follow either the SPDX or CycloneDX specification. HCP Packer ties these SBOM files to the version of the artifact that Packer builds.
~> **Deprecated Configuration Options:** The `scanner_url` and `scanner_checksum` configuration options are deprecated as of Packer v1.15.3 and will be removed in a future major version. For automatic SBOM generation, the provisioner now uses a Packer binary with the embedded Syft SDK, built for the remote OS/arch; it downloads that binary from releases.hashicorp.com and uploads it to the target. For custom SBOM generation tools, use manual generation with the `source` field instead of `auto_generate`.
The following example uploads an SBOM from the local `/tmp` directory and stores a copy at `./sbom/sbom_cyclonedx.json` on the local machine.
```hcl
provisioner "hcp-sbom" {
  source      = "/tmp/sbom_cyclonedx.json"
  destination = "./sbom/sbom_cyclonedx.json"
  sbom_name   = "sbom-cyclonedx"
}
```
```json
{
  "type": "hcp-sbom",
  "source": "/tmp/sbom_cyclonedx.json",
  "destination": "./sbom/sbom_cyclonedx.json",
  "sbom_name": "sbom-cyclonedx"
}
```
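The provisioner only accepts the file named in `source` when it is JSON in SPDX or CycloneDX form, and a scanner left in its default text-table output mode is an easy way to hand it something else. The following preflight check is an added example, not part of the plugin or of Packer: it classifies a candidate file by the top-level markers from the public SPDX and CycloneDX JSON schemas (an assumption about those schemas, not about how the provisioner validates) so a pipeline can fail before the upload step. Sample documents are constructed inline.

```python
"""Preflight check for SBOM files destined for the hcp-sbom provisioner."""
import json
import sys
from pathlib import Path

# Marker fields taken from the public CycloneDX 1.x and SPDX 2.x JSON schemas
# (assumption: the provisioner itself may check more or less than this).
CYCLONEDX_REQUIRED = ("bomFormat", "specVersion")
SPDX_REQUIRED = ("spdxVersion", "SPDXID", "name")


def classify_sbom(text: str) -> str:
    """Return "cyclonedx" or "spdx" for an acceptable document, else raise ValueError."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    if not isinstance(doc, dict):
        raise ValueError("top-level JSON value must be an object")
    if doc.get("bomFormat") == "CycloneDX":
        missing = [k for k in CYCLONEDX_REQUIRED if k not in doc]
        if missing:
            raise ValueError(f"CycloneDX document missing {missing}")
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        missing = [k for k in SPDX_REQUIRED if k not in doc]
        if missing:
            raise ValueError(f"SPDX document missing {missing}")
        return "spdx"
    raise ValueError("neither CycloneDX nor SPDX markers found")


def check_file(text: str):
    """Return (ok, detail) so a CI step can decide whether to proceed to the upload."""
    try:
        return True, classify_sbom(text)
    except ValueError as exc:
        return False, str(exc)


# Constructed sample inputs: two acceptable documents and one typical mistake,
# a scanner's default text table instead of `--output cyclonedx-json`.
CYCLONEDX_SAMPLE = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []})
SPDX_SAMPLE = json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "ubuntu-image"})
TABLE_SAMPLE = "NAME  VERSION  TYPE\nbash  5.1      deb\n"

if __name__ == "__main__":
    ok, detail = check_file(Path(sys.argv[1]).read_text())
    print(detail)
    sys.exit(0 if ok else 1)
```

Run it as `python check_sbom.py /tmp/sbom_cyclonedx.json` in the step before the `hcp-sbom` provisioner; a non-zero exit stops the build before a malformed file is tied to the artifact version.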
Prior to v1.15.4, the `hcp-sbom` provisioner supported downloading custom scanner binaries via `scanner_url`. This is no longer supported because the provisioner now uses the Packer binary with the embedded Syft SDK.
You can specify the following configuration options.
Required parameters:
@include 'provisioner/hcp-sbom/Config-required.mdx'
Optional parameters:
@include '/provisioner/hcp-sbom/Config-not-required.mdx'
The following complete template builds a Docker image, generates a CycloneDX SBOM inside it with `cnquery`, and uploads that SBOM to HCP Packer with the `hcp-sbom` provisioner.

```hcl
packer {
  required_plugins {
    docker = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/docker"
    }
  }
}

source "docker" "ubuntu" {
  image  = "ubuntu:20.04"
  commit = true
}

build {
  sources = ["source.docker.ubuntu"]

  # Registers the built artifact with HCP Packer so the SBOM can be tied to its version.
  hcp_packer_registry {
    bucket_name = "test-bucket"
  }

  # Generate the SBOM on the target as CycloneDX JSON, the format hcp-sbom expects.
  provisioner "shell" {
    inline = [
      "apt-get update -y",
      "apt-get install -y curl gpg",
      "bash -c \"$(curl -sSL https://install.mondoo.com/sh)\"",
      "cnquery sbom --output cyclonedx-json --output-target /tmp/sbom_cyclonedx.json",
    ]
  }

  # Upload the generated file and keep a local copy under ./sbom.
  provisioner "hcp-sbom" {
    source      = "/tmp/sbom_cyclonedx.json"
    destination = "./sbom"
    sbom_name   = "sbom-cyclonedx"
  }
}
```
The same build as a JSON template:

```json
{
  "builders": [
    {
      "type": "docker",
      "image": "ubuntu:20.04",
      "commit": true
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "inline": [
        "apt-get update -y",
        "apt-get install -y curl",
        "bash -c \"$(curl -sSL https://install.mondoo.com/sh)\"",
        "cnquery sbom --output cyclonedx-json --output-target /tmp/sbom_cyclonedx.json"
      ]
    },
    {
      "type": "hcp-sbom",
      "source": "/tmp/sbom_cyclonedx.json",
      "destination": "./sbom",
      "sbom_name": "sbom-cyclonedx"
    }
  ]
}
```