How to fetch SBOMs for Sourcegraph

Sourcegraph generates and cryptographically signs a Software Bill of Materials (SBOM) for each container image in every release. These SBOMs are stored in our container registry alongside their corresponding images.

Use the Sourcegraph CLI (src) to fetch SBOMs for a specific release.

Prerequisites

  1. Install src following the Quickstart.

  2. Install cosign following the Installation Guide.

Fetching SBOMs

  1. Determine the Sourcegraph version to verify. Use either a recent release or your instance's current version.

    Note: SBOMs are only available only for Sourcegraph release 5.9.0 and later.

    To find your instance's current version, check your deployment or view the Settings page on your Sourcegraph instance (version shown in bottom left corner).

    Version location in settings

  2. Run src sbom fetch -v <version> to fetch SBOMs for all containers in this release. src will automatically validate that all SBOMs were signed by Sourcegraph.

    SHELL
    # Fetch SBOMs for Sourcegraph release 5.9.0 $ src sbom fetch -v 5.9.0 Fetching SBOMs and validating signatures for all 39 images in the Sourcegraph 5.9.0 release... ✅ sourcegraph/appliance ✅ sourcegraph/batcheshelper ✅ sourcegraph/bundled-executor [...] 🟢 Fetched verified SBOMs for 39 images Fetched and validated SBOMs have been written to `sourcegraph-sboms/sourcegraph-5.9.0`. Your Sourcegraph deployment may not use all of these images. Please check your deployment to confirm which images are used.
  3. Once completed, find the set of validated SBOMs under sourcegraph-sboms/sourcegraph-<version>/.

Important: src sbom fetch will retrieve SBOMs for all containers that make up a Sourcegraph release. Your Sourcegraph instance will use only a subset of these containers - please check your deployment to determine which SBOM files are relevant to your deployment.