Introduction
Architecture
Onboard
Introduction
Users
Teams
Introduction
IntroductionPromote an image in Amazon ECRDownload a file from JFrog ArtifactoryMove or copy an image from JFrog ArtifactoryUpload a file to JFrog ArtifactoryStore an object on Amazon S3Retrieve an object from Amazon S3
IntroductionCreate or update a functionInvoke a function
IntroductionRun an AWS CodePipelineRun a Bamboo projectRun a Bitbucket pipelineRun a CloudBees CI jobRun a CircleCI workflowRun a GitHub Actions workflowRun a GitLab pipelineRun a Harness pipelineRun a Jenkins® jobRun a JFrog pipelineRun a TeamCity project
Check out a Git repository
IntroductionAWS credentialsECR credentialsEKS credentialsGit global credentialsOCI credentials
IntroductionRun Argo WorkflowsCopy a remote image with CraneDeploy a binary with EC2Deploy to ECSRender an ECS task definitionBuild a container image with KanikoDeploy with OctopusDeploy with SpinnakerRun Ansible PlaybookDeploy with HerokuDeploy with AWS CodeDeployDeploy with AWS Elastic BeanstalkDeploy with Tosca
Publish evidence items
IntroductionHelm chart installHelm chart packageHelm chart publishHelm chart uninstall
IntroductionCreate a Kubernetes namespaceCreate/update a Kubernetes resourceDeploy to a Kubernetes cluster
IntroductionVerify with NewRelic
Execute remote commands via SSH
IntroductionAnchoreAquasecJFrog XraySnyk ContainerSonatype (Nexus) ContainerTrivy
IntroductionStackhawkZAP
IntroductionCheckmarxFind Security BugsGitHub Security ScannerGosecMendNexus IQSnykSonarQube bundledSonarQube
IntroductionMendSnyk
IntroductionTruffleHog ContainerTruffleHog CodeTruffleHog S3
IntroductionCreate new requestUpdate existing requestGet change request state
Publish test results
CI insights for Jenkins

SBOM analysis

1 minute read

The CloudBees platform maintains a full and real-time list of direct and transitive dependencies for each binary artifact it builds, and stores it as a software bill of materials (SBOM). This list makes it easier for users to identify problematic software components, particularly where developers are using a combination of open-source components and commercial software components from third-party vendors. Maintaining real-time SBOMs is an increasingly important aspect in software security and software supply chain risk management.

The CloudBees platform can also scan SBOMs for vulnerabilities using the Grype security tool. For information on enabling Grype, refer to Manage security tools.

SBOMs must be enabled before use. Once enabled, you can review SBOMs from the security summary, and export them as CSV files or in CycloneDX format.

To enable SBOM analysis:

  1. From the Marketplace:

    1. Enable Implicit security assessment.

    2. Enable the Syft SBOM security tool.

  2. Enable binary security analysis.

Once enabled, SBOMs are created and maintained for every binary artifact the pipeline builds.

Code and binary security analysis