# stella sbomer (DOCS-CLI-DET-01)

Offline-first usage of the `stella sbomer` verbs with deterministic outputs.
## Prerequisites

- Install the CLI from the offline bundle; ensure `local-nugets/` is available.
- Export images/charts locally; no network access is required while running the commands.
## Commands

- `stella sbomer layer <image>` - Emits a deterministic SBOM per layer; options: `--format cyclonedx|spdx`, `--output <path>`, `--deterministic` (default true).
- `stella sbomer compose <manifest>` - Merges layer SBOMs with stable ordering; rejects components with missing hashes.
- `stella sbomer drift <baseline> <current>` - Computes drift; returns a machine-readable diff with stable ordering.
- `stella sbomer verify <sbom> --hash <sha256>` - Validates the hash and, if present, the signature; offline only.
## Determinism rules

- Use fixed sort keys (component name, version, purl) when composing.
- All timestamps are forced to `1970-01-01T00:00:00Z` unless `--timestamp` is supplied.
- GUID/UUID generation is disabled; content hashes are used as IDs.
- Outputs are written in UTF-8 with LF line endings and no BOM.
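The compose step and the determinism rules above, shown as a small reference implementation. This is an added illustration, not the `stella sbomer` source: the two layer SBOMs are constructed CycloneDX-style fragments with placeholder hashes, and `compose`/`serialize` are hypothetical helper names.

```python
import hashlib
import json

EPOCH = "1970-01-01T00:00:00Z"  # forced timestamp unless one is supplied

# Constructed sample layer SBOMs (not real tool output); hashes are placeholders.
LAYER_A = {"components": [
    {"name": "zlib", "version": "1.3", "purl": "pkg:deb/debian/zlib@1.3",
     "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
    {"name": "openssl", "version": "3.0.2", "purl": "pkg:deb/debian/openssl@3.0.2",
     "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
]}
LAYER_B = {"components": [
    {"name": "openssl", "version": "3.0.2", "purl": "pkg:deb/debian/openssl@3.0.2",
     "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},  # same component as in A
    {"name": "curl", "version": "8.5.0", "purl": "pkg:deb/debian/curl@8.5.0",
     "hashes": [{"alg": "SHA-256", "content": "c" * 64}]},
]}


def sort_key(component):
    # Fixed sort key: (name, version, purl), independent of layer order.
    return (component["name"], component["version"], component.get("purl", ""))


def compose(layers, timestamp=None):
    """Merge layer SBOMs deterministically; reject components without a hash."""
    seen = {}
    for layer in layers:
        for c in layer["components"]:
            if not any(h.get("content") for h in c.get("hashes", [])):
                raise ValueError(f"missing hash: {c['name']}@{c['version']}")
            seen[sort_key(c)] = c  # identical component across layers collapses to one
    components = []
    for c in sorted(seen.values(), key=sort_key):
        # Content hash as the bom-ref instead of a random UUID; input is not mutated.
        ref = hashlib.sha256(json.dumps(c, sort_keys=True).encode("utf-8")).hexdigest()
        components.append({**c, "bom-ref": ref})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "metadata": {"timestamp": timestamp or EPOCH},
            "components": components}


def serialize(bom):
    # Sorted keys, fixed indent, LF line endings, UTF-8 without BOM.
    text = json.dumps(bom, sort_keys=True, indent=2, ensure_ascii=False) + "\n"
    return text.encode("utf-8")
```

Composing the same layers in either order yields byte-identical output, which is the property a reproducibility check compares.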
## Examples

```bash
# generate layer SBOM
stella sbomer layer ghcr.io/acme/app:1.2.3 --format cyclonedx --output app.cdx.json
# compose
stella sbomer compose app.cdx.json lib.cdx.json --output combined.cdx.json
# drift
stella sbomer drift baseline.cdx.json combined.cdx.json --output drift.json
```
## Offline tips

- Preload registries; set `STELLA_SBOMER_OFFLINE=true` to prevent remote pulls.
- Configure the cache directory via `STELLA_CACHE_DIR` for reproducible paths.
- For air-gapped logs, use `--log-format json` and capture to a file for later analysis.