nix2sbom

nix2sbom extracts the SBOM (Software Bill of Materials) from a Nix derivation.

- Supports CycloneDX 1.4 format
- Supports SPDX 2.3 format (Experimental)
- Supports JSON and YAML serialization formats
- Generates an SBOM for your current NixOS system
- Detects and handles patches
- Discovers git URLs (using archive URLs)
Here is an example of how to generate an SPDX manifest for your nix flake in a GHA workflow (the snippet is a single job definition; the `Install Nix` step pairs the name with the `uses:` line so the action actually runs):

```yaml
generate-sbom-manifests:
  name: Generate SPDX SBOM manifest
  runs-on: ubuntu-latest
  steps:
    - name: Checkout
      uses: actions/checkout@v4
    - name: Install Nix
      uses: DeterminateSystems/nix-installer-action@da36cb69b1c3247ad7a1f931ebfd954a1105ef14 # v14
    - name: Install nix2sbom
      uses: EricCrosson/install-github-release-binary@681cc3de7c5c5ac935b1a2a19e4e0c577c4d3027 # v2.3.4
      with:
        targets: louib/nix2sbom/nix2sbom@v2.4.5
    - name: Generate the SPDX manifest
      run: |
        nix2sbom .# -f spdx > sbom.spdx.json
```
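A workflow that generates an SBOM usually goes on to upload or publish it, so it is worth gating that step on a quick sanity check of the file. The POSIX shell function below is an added example, not part of nix2sbom or its README: it rejects an empty output file and verifies that the document carries the top-level markers the SPDX 2.3 JSON spec (`spdxVersion`) and the CycloneDX 1.4 JSON spec (`bomFormat`, `specVersion`) define. The assumption is that nix2sbom's serializer emits those spec-mandated field names; the sample documents in `write_samples` are constructed for the example and are not real nix2sbom output.

```shell
# Added example (not nix2sbom's own code): sanity-check a generated SBOM file
# before a CI job uploads it. Assumes the output uses the field names the
# SPDX 2.3 and CycloneDX 1.4 JSON specs define ("spdxVersion",
# "bomFormat"/"specVersion"); that assumption is about the specs, not a
# statement about nix2sbom's serializer.

# check_sbom_format FILE FORMAT
# FORMAT is "spdx" or "cyclonedx". Returns 0 if FILE is non-empty and
# carries that format's top-level markers, 1 otherwise.
check_sbom_format() {
    file="$1"
    fmt="$2"
    [ -s "$file" ] || return 1
    case "$fmt" in
        spdx)
            grep -Eq '"spdxVersion"[[:space:]]*:[[:space:]]*"SPDX-2\.3"' "$file" || return 1
            grep -Eq '"packages"[[:space:]]*:' "$file" || return 1
            ;;
        cyclonedx)
            grep -Eq '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$file" || return 1
            grep -Eq '"specVersion"[[:space:]]*:[[:space:]]*"1\.4"' "$file" || return 1
            ;;
        *)
            return 1
            ;;
    esac
    return 0
}

# Constructed sample documents (not real nix2sbom output) so the check can be
# exercised offline.
write_samples() {
    dir="$1"
    cat > "$dir/good.spdx.json" <<'EOF'
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "name": "example-flake",
  "packages": [
    { "name": "example", "SPDXID": "SPDXRef-Package-example" }
  ]
}
EOF
    cat > "$dir/good.cdx.json" <<'EOF'
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    { "type": "library", "name": "example", "version": "1.0" }
  ]
}
EOF
    : > "$dir/empty.json"
}

# In a workflow step the gate looks like this (hypothetical usage):
#   nix2sbom .# -f spdx > sbom.spdx.json
#   check_sbom_format sbom.spdx.json spdx || { echo "SBOM check failed" >&2; exit 1; }
main() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    check_sbom_format "$tmp/good.spdx.json" spdx && echo "spdx sample: ok"
    check_sbom_format "$tmp/good.cdx.json" cyclonedx && echo "cyclonedx sample: ok"
    check_sbom_format "$tmp/empty.json" spdx || echo "empty file: rejected as expected"
    rm -rf "$tmp"
}
main
```

The check is deliberately shallow (grep, not a JSON parser) so it runs on a bare `ubuntu-latest` runner without extra tooling; its job is to catch an empty or wrong-format file before it is published, not to validate the SBOM against the full schema.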
Assuming that you have enabled both the flakes and nix-command experimental features:

```
nix profile install github:louib/nix2sbom
```

To build from a local checkout of the repository:

```
cargo install --path .
```