git.stella-ops.org/docs/schemas/predicates/sbom.v1.schema.json


{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella.ops/predicates/sbom@v1",
"title": "StellaOps SBOM Attestation Predicate",
"description": "Predicate for SBOM attestations linking software bill of materials to artifacts.",
"type": "object",
"required": ["format", "digest", "componentCount"],
"properties": {
"format": {
"type": "string",
"enum": ["cyclonedx-1.6", "spdx-3.0.1", "spdx-2.3"],
"description": "SBOM format specification."
},
"digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Content-addressed digest of the SBOM document, written as 'sha256:' followed by 64 lowercase hexadecimal characters."
},
"componentCount": {
"type": "integer",
"minimum": 0,
"description": "Number of components in the SBOM."
},
"uri": {
"type": "string",
"format": "uri",
"description": "URI where the full SBOM can be retrieved. Consumers should check the retrieved document against 'digest' before relying on it."
},
"tooling": {
"type": "string",
"description": "Tool used to generate the SBOM."
},
"createdAt": {
"type": "string",
"format": "date-time",
"description": "When the SBOM was generated."
}
},
"additionalProperties": false
}