How to fetch SBOMs for Sourcegraph

Sourcegraph publishes a Software Bill of Materials (SBOM) for each of its container images. The SBOMs for each Sourcegraph release are signed, and stored in our container registry alongside our published container images.

To retrieve the SBOMs for a specific release, you can use the src command line interface for Sourcegraph:

  1. Install src by following the Quickstart.
  2. Install cosign by following the Installation Guide.
  3. Identify the version of Sourcegraph you require SBOMs for. This may be a recent release, or your instance's current version.
    1. SBOMs are only available for Sourcegraph release 5.9.0 and later.
    2. Find your instance's current version by checking your deployment, or by visiting the Settings page on your Sourcegraph instance and checking the version shown in the bottom left corner.
  4. Run src sbom fetch -v <version> to fetch SBOMs for all containers in this release. src will automatically validate that all SBOMs were signed by Sourcegraph.
    ```shell
    # Fetch SBOMs for Sourcegraph release 5.9.0
    $ src sbom fetch -v 5.9.0
    Fetching SBOMs and validating signatures for all 39 images in the Sourcegraph 5.9.0 release...
    ✅ sourcegraph/appliance
    ✅ sourcegraph/batcheshelper
    ✅ sourcegraph/bundled-executor
    [...]
    🟢 Fetched verified SBOMs for 39 images
    Fetched and validated SBOMs have been written to `sourcegraph-sboms/sourcegraph-5.9.0`.
    Your Sourcegraph deployment may not use all of these images. Please check your deployment to confirm which images are used.
    ```
  5. Once completed, you can find the set of validated SBOMs under sourcegraph-sboms/sourcegraph-<version>/.

Note: src sbom fetch will retrieve SBOMs for all containers that make up a Sourcegraph release. Your Sourcegraph instance will use only a subset of these containers - please check your deployment to determine which SBOM files are relevant to your deployment.
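The procedure above, wrapped in a small script as an added example (not Sourcegraph's own tooling): it rejects versions older than 5.9.0 before calling `src`, then narrows the fetched set to the images listed for your deployment. It assumes the fetched SBOM files carry the image name in their path (the page does not document the file layout), so adjust the `find` pattern if your output differs.

```shell
#!/usr/bin/env bash
# Added example, not part of the Sourcegraph docs or the src CLI.
set -eu

# SBOMs exist only for release 5.9.0 and later (stated on the page).
sbom_supported() {
  local major="${1%%.*}" rest="${1#*.}" minor
  minor="${rest%%.*}"
  [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 9 ]; }
}

# Output directory layout documented on the page.
sbom_dir_for_version() {
  printf 'sourcegraph-sboms/sourcegraph-%s\n' "$1"
}

# Fetch and let src verify the cosign signatures; fail if nothing was written.
fetch_sboms() {
  local version="$1"
  sbom_supported "$version" || { echo "no SBOMs before 5.9.0: $version" >&2; return 1; }
  src sbom fetch -v "$version"
  [ -d "$(sbom_dir_for_version "$version")" ]
}

# Print the SBOM files matching each image listed in $2 (one "sourcegraph/<name>"
# per line) and warn about images with no fetched SBOM. Returns non-zero if any
# are missing. ASSUMPTION: file paths under $1 contain the image's short name.
select_relevant_sboms() {
  local dir="$1" images_file="$2" image name missing=0
  while IFS= read -r image; do
    [ -n "$image" ] || continue
    name="${image##*/}"   # "sourcegraph/appliance" -> "appliance"
    if ! find "$dir" -type f -path "*/${name}*" | grep .; then
      echo "warning: no SBOM fetched for ${image}" >&2
      missing=$((missing + 1))
    fi
  done < "$images_file"
  [ "$missing" -eq 0 ]
}
```

Typical use: `fetch_sboms 5.9.0 && select_relevant_sboms "$(sbom_dir_for_version 5.9.0)" my-deployment-images.txt`, where the images file is produced from your own deployment manifests.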
