git.stella-ops.org/docs/modules/cli/guides/commands/sbom.md
StellaOps Bot 6bee1fdcf5
work
2025-11-25 08:01:23 +02:00

stella sbom — Command Guide

Commands

  • stella sbom generate --image <ref> [--output sbom.spdx.json] [--offline]
  • stella sbom compose --fragment <path> --output composition.json --offline
  • stella sbom verify --file <sbom> --signature <sig> --key <keyfile>

Flags (common)

  • --offline: no network pulls; use local cache/OCI archive.
  • --format: spdx-json (default) or cyclonedx-json.
  • --attest: emit DSSE attestation alongside SBOM.
  • --hash: include layer/file hashes (deterministic ordering).

Inputs/outputs

  • Inputs: container image, directory, or fragments.
  • Outputs: deterministic SPDX/CycloneDX JSON, optional DSSE + checksums.
  • Exit codes follow output-and-exit-codes.md; a verification failure exits with code 3 or 4 depending on the cause.

Determinism rules

  • Stable ordering of packages/files; timestamps UTC.
  • Hashes hex-lowercase; no host-specific paths.
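The rules above are easy to state but easy to break silently, so a consumer pipeline should check them before it accepts an SBOM as reproducible. The following checker is an added example, not part of the stella CLI or its documentation: it walks an SPDX 2.3 JSON document (the `packages`, `files`, `checksums` and `creationInfo.created` fields are the standard SPDX names), reports each violation of the four rules, and offers a `canonicalize` step so two generations of the same input can be compared byte for byte. The list of host-specific path prefixes and the sample SBOM are constructed for the example.

```python
"""Check an SPDX 2.3 JSON SBOM against the determinism rules listed above.

Added example; it is not code from the stella project. Rules checked:
  1. packages and files are in a stable (sorted) order
  2. creationInfo.created is a UTC timestamp (trailing 'Z')
  3. checksum values are lowercase hex
  4. file names carry no host-specific path prefix
"""
import json
import re
from datetime import datetime, timezone

HEX_LOWER = re.compile(r"[0-9a-f]+")
# Constructed list of prefixes that leak the build host into the SBOM; tune per environment.
HOST_PATH_PREFIXES = ("/home/", "/Users/", "/tmp/", "C:\\")


def _pkg_key(pkg: dict) -> tuple:
    return (pkg.get("name", ""), pkg.get("versionInfo", ""))


def check_determinism(sbom: dict) -> list[str]:
    """Return one human-readable problem string per rule violation (empty list = clean)."""
    problems = []

    created = sbom.get("creationInfo", {}).get("created", "")
    if not created.endswith("Z"):
        problems.append(f"creationInfo.created is not UTC: {created!r}")

    packages = sbom.get("packages", [])
    if [_pkg_key(p) for p in packages] != sorted(_pkg_key(p) for p in packages):
        problems.append("packages are not sorted by (name, versionInfo)")

    files = sbom.get("files", [])
    names = [f.get("fileName", "") for f in files]
    if names != sorted(names):
        problems.append("files are not sorted by fileName")
    for name in names:
        if name.startswith(HOST_PATH_PREFIXES):
            problems.append(f"host-specific path in SBOM: {name}")

    for entry in packages + files:
        for cs in entry.get("checksums", []):
            value = cs.get("checksumValue", "")
            if not HEX_LOWER.fullmatch(value):
                problems.append(f"checksum not lowercase hex in {entry.get('SPDXID')}: {value}")
    return problems


def canonicalize(sbom: dict) -> str:
    """Rewrite ordering, hash case and timestamp zone into the deterministic form, then
    serialize with sorted keys. Host paths are reported, not rewritten: they need a fix
    at generation time, not a cosmetic patch here."""
    doc = json.loads(json.dumps(sbom))  # deep copy so the caller's dict is untouched
    for entry in doc.get("packages", []) + doc.get("files", []):
        for cs in entry.get("checksums", []):
            cs["checksumValue"] = cs["checksumValue"].lower()
    doc["packages"] = sorted(doc.get("packages", []), key=_pkg_key)
    doc["files"] = sorted(doc.get("files", []), key=lambda f: f.get("fileName", ""))
    created = doc.get("creationInfo", {}).get("created")
    if created:
        dt = datetime.fromisoformat(created.replace("Z", "+00:00"))
        doc["creationInfo"]["created"] = dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return json.dumps(doc, sort_keys=True, separators=(",", ":")) + "\n"


def same_generation(a: dict, b: dict) -> bool:
    """True when two SBOMs are identical after canonicalization (i.e. reproducible)."""
    return canonicalize(a) == canonicalize(b)


# Constructed sample with one violation of each rule (plus unsorted files). Not real output.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "creationInfo": {"created": "2025-11-25T08:01:23+02:00"},
    "packages": [
        {"name": "zlib", "SPDXID": "SPDXRef-zlib", "versionInfo": "1.3.1",
         "checksums": [{"algorithm": "SHA256",
                        "checksumValue": "9A93B2B7DFDAC77CEBA5A68A9A5E4CE2B6D7DB1F5F3E3F2D1C0B9A8F7E6D5C4B"}]},
        {"name": "openssl", "SPDXID": "SPDXRef-openssl", "versionInfo": "3.0.13",
         "checksums": [{"algorithm": "SHA256",
                        "checksumValue": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}]},
    ],
    "files": [
        {"fileName": "/home/builder/src/app/main.c", "SPDXID": "SPDXRef-File-main",
         "checksums": [{"algorithm": "SHA256",
                        "checksumValue": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"}]},
        {"fileName": "./app/util.c", "SPDXID": "SPDXRef-File-util",
         "checksums": [{"algorithm": "SHA256",
                        "checksumValue": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"}]},
    ],
}

if __name__ == "__main__":
    for problem in check_determinism(SAMPLE_SBOM):
        print("VIOLATION:", problem)
    shuffled = json.loads(json.dumps(SAMPLE_SBOM))
    shuffled["packages"].reverse()
    print("reproducible after canonicalization:", same_generation(SAMPLE_SBOM, shuffled))
```

Run `check_determinism` on each freshly generated SBOM in CI and fail the job on a non-empty result; use `same_generation` to compare an SBOM produced in the air-gapped environment with one produced online from the same image. Only the host-path violation survives canonicalization, which is the point: that one has to be fixed by the generator, not by a post-processing step.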

Offline/air-gap notes

  • With --offline, image sources must already be cached (tar/OCI archive); command fails with exit code 5 if it would fetch remotely.
  • Verification uses local trust roots; no remote key fetch.