Unofficial Azure DevOps extension for microsoft/sbom-tool. Sbom-tool runs locally on your pipeline agent without the need for subscriptions, account sign-ups, or shipping your data to a third-party service; All generated manifest files are published directly to your build artifacts and can be viewed in a human-friendly format from the "SBOM" build result tab.
Check referenced packages for known vulnerabilities against the GitHub Advisory Database.
View referenced packages, including the package manager, type, dependency hierarchy, license, supplier, and vulnerability counts:
View manifest relationships as a network graph or export to SVG.
Export manifest objects to XLSX workbook.
Install the extension from the Visual Studio marketplace.
In YAML pipelines:
jobs:
- job: publish
steps:
- task: DotNetCoreCLI@2
displayName: 'Publish project'
inputs:
command: 'publish'
publishWebProjects: true
arguments: '--output "$(Build.ArtifactStagingDirectory)"'
- task: sbom-tool@1
displayName: 'Generate project SBOM manifest'
inputs:
command: 'generate'
buildSourcePath: '$(Build.SourcesDirectory)'
buildArtifactPath: '$(Build.ArtifactStagingDirectory)'
enableManifestSpreadsheetGeneration: true
enableManifestGraphGeneration: true
enablePackageMetadataParsing: true
fetchLicenseInformation: true
fetchSecurityAdvisories: true
gitHubConnection: 'GitHub Advisory Database Connection'
packageSupplier: 'MyOrganisation'
packageName: 'MyPackage'
packageVersion: '$(Build.BuildNumber)'
- task: PublishBuildArtifacts@1
displayName: 'Publish artifacts'
inputs:
PathtoPublish: '$(Build.ArtifactStagingDirectory)'
ArtifactName: 'drop'
publishLocation: 'Container'The SBOM manifest files will be uploaded to the build artifacts, under the _manifest folder.
