The site that you are currently viewing is a static version of the Software Factory documentation delivered with the

version v7.2.
For up-to-date documentation, see the latest version.

JFrog Generate SBOMs

Learn how to generate SBOMs with JFrog CLI, JFrog IDE and Xray.

A Software Bill of Materials is a machine-readable inventory of all components, libraries and dependencies shipped inside software.

This page shows how to generate SBOMs during the development lifecycle.

Important

This page focuses on SBOM generation and visibility. For policy enforcement, violation management, and license compliance, see Xray License Scanning .

SBOMs generation with JFrog CLI

You can locally use the JFrog CLI and Xray, either from source manifests or from compiled artifacts, before (or even without) pushing artifacts to Artifactory.

Requirements

You will need a JFrog CLI-enabled CI image and an Xray-enabled JFrog Platform instance.

RequirementNotes
JFrog Xray ≥ 3.xRequired to enrich scan results with CVE data
Recent jf CLI > 2.48Bundled in the Docker image <jf-cli-docker-image> used by CI jobs
CI variablesCICD_ARTIFACTORY_SERVER, CICD_ARTIFACTORY_USERNAME, CICD_ARTIFACTORY_TOKEN

Configuring the JFrog CLI in CI

The .jfrog-configure hidden job is reused by all jobs. It registers a named server profile so subsequent jf commands know where to connect.

# gitlab-ci.yml — shared configuration anchor
.jfrog-configure:
  script:
    # Print version to confirm the correct jf CLI image is used
    - jf --version

    # Register the Artifactory instance under a local profile name
    - jf c add <artifactory-server> \
        --insecure-tls=false \
        --url=$CICD_ARTIFACTORY_SERVER \
        --user=$CICD_ARTIFACTORY_USERNAME \
        --access-token=$CICD_ARTIFACTORY_TOKEN

    # Make "<artifactory-server>" the default server for this job
    - jf c use <artifactory-server>

Source analysis with jf audit

jf audit analyses your project’s dependency manifest and resolves the full dependency tree without requiring a compiled artifact (without building a binary).

Xray then cross-references each component against its vulnerability database.

Tip

This page uses Maven and Python as examples, but jf audit supports many ecosystems via dedicated flags: --gradle, --npm, --yarn, --pip, --go, --nuget, and others.

Source scan for a Java project

# gitlab-ci.yml — jf-audit-sbom-from-source
jf-audit-sbom-from-source:
  stage: security-sca
  image: $CI_REGISTRY_IMAGE/jf-cli-with-maven:latest
  script:
    - !reference [.jfrog-configure, script]
    # Machine-readable CycloneDX SBOM with vulnerability enrichment
    - jf audit --mvn --sca --sbom --format cyclonedx > <application-name>-source.cdx.json

  artifacts:
    paths:
      - <application-name>-source.cdx.json
    reports:
      cyclonedx:
        - <application-name>-source.cdx.json   # Parsed by GitLab dependency scanning UI
    expire_in: 1 week # Adjust based on your compliance and storage requirements

Source scan for a Python project

Note

jf pip install must run before jf audit --pip so the JFrog CLI can record the resolved dependency tree. Without it, jf audit --pip cannot fully resolve transitive dependencies.

# gitlab-ci.yml — jf-audit-sbom-from-source-python
jf-audit-sbom-from-source-python:
  stage: security-sca
  image: $CI_REGISTRY_IMAGE/<jf-cli-docker-image>:latest
  script:
    - !reference [.jfrog-configure, script]
    # Resolve the dependency tree via pip before auditing
    - jf pip install -r requirements.txt
    - jf audit --pip --sca --sbom --format cyclonedx > <python-application>-source.cdx.json
  artifacts:
    paths:
      - <python-application>-source.cdx.json
    expire_in: 1 week # Adjust based on your compliance and storage requirements

Key flags explained

FlagEffect
--mvnInstructs the CLI to treat this as a Maven project and read pom.xml
--pipInstructs the CLI to treat this as a Python project and read requirements.txt
--sbomIncludes SBOM data in the output
--scaRuns Software Composition Analysis (dependency vulnerability scanning)
--format cyclonedxEmits a CycloneDX 1.6 JSON document rather than the default tabular output
--project(Optional) Associates results with a named JFrog Project to enable Xray policy evaluation — see Xray License Scanning

Binary analysis with jf scan

jf scan operates on a compiled artifact that Xray unpacks, then identifies every embedded library by its hash and metadata, and maps each to known CVEs.

Tip

jf scan is not limited to JARs — it works on any packaged artifact: archives (.zip, .tar.gz), Python wheels, npm tarballs, and so on.

Binary scan for a Java project

In this case the JAR produced by mvn clean install is analysed. Your CI image should have both the jf CLI and mvn installed.

# gitlab-ci.yml — jf-scan-sbom-from-jar
jf-scan-sbom-from-jar:
  variables:
    CICD_XRAY_SCAN_TARGET: "target/<application-name>-0.0.1-SNAPSHOT-jar-with-dependencies.jar"
  stage: security-sca
  image: $CI_REGISTRY_IMAGE/<jf-cli-with-maven-docker-image>:latest
  script:
    - !reference [.jfrog-configure, script]

    # Compile and package the fat JAR first
    - mvn clean install

    # Scan the compiled artifact and emit a CycloneDX SBOM
    - jf scan $CICD_XRAY_SCAN_TARGET --sbom --format cyclonedx > <application-name>-build.cdx.json

  artifacts:
    paths:
      - <application-name>-build.cdx.json
    expire_in: 1 week # Adjust based on your compliance and storage requirements
Note

For the sake of the example, this job runs mvn clean install inline.

In production, consider splitting the compilation into a dedicated earlier job and passing the JAR forward as a pipeline artifact to the scan job.

Important

The current pipeline stores SBOMs as GitLab CI job artifacts, which is a valid starting point. For long-term retention and governance, consider also uploading SBOMs to Artifactory.

Container analysis with jf docker scan

jf docker scan analyses container images by unpacking their layers and identifying all embedded libraries and OS packages. Xray then maps these components to known CVEs and enriches the output with SBOM data.

Tip

The OS packages detected in a container image (Ubuntu, Alpine, Debian packages…) significantly increase the component count and vulnerability findings compared to source or binary scans. These OS-level packages are included in the CycloneDX SBOM output alongside application dependencies.

Container scan for a Docker image

The example below assumes the Docker image <application-app>:latest is already built and available locally on the CI runner, and that your CI image includes both the jf CLI and Docker client.

# gitlab-ci.yml — jf-docker-scan-sbom
jf-docker-scan-sbom:
  stage: security-sca
  image: $CI_REGISTRY_IMAGE/<jf-cli-with-docker-image>:latest
  script:
    - !reference [.jfrog-configure, script]

    # Optional: build or pull the image if it is not already present
    # - docker build -t <application-app>:latest .
    # - docker pull <application-app>:latest

    # Scan the container image and emit a CycloneDX SBOM
    - jf docker scan <application-app>:latest \
        --sbom --format cyclonedx > <application-app>-docker.cdx.json

  artifacts:
    paths:
      - <application-app>-docker.cdx.json
    expire_in: 1 week # Adjust based on your compliance and storage requirements

Generate SBOMs from the JFrog platform

Xray scans artifacts in indexed repositories, builds, and release bundles and exposes SBOM data directly from the artifact view.

Note

Git repository indexing is not supported in the Software Factory and by the platforms.

Only artifacts associated with the selected resources are scanned for security vulnerabilities and evaluated against your defined policies.

As a project admin:

  1. From your Project home page, navigate to the Administration tab.
  2. In the left sidebar, select Xray Settings > Indexed Resources .
  3. From this screen you can review resources that are already indexed, add or remove resources for indexing, and configure indexing settings.

Add a repository to the index

As a project admin:

  1. From your Project home page, navigate to the Administration tab.
  2. In the left sidebar, select Xray Settings > Indexed Resources .
  3. Click Add a repository.
  4. In the Available Repositories list, select the repository you want to index. Use the search bar to find a specific repository if needed.
  5. Click the right arrow button (→) to move the selected repository to the Selected Repositories list.
  6. Click Save to apply the changes.

“indexed Resources”

Review and configure index settings

As a project admin:

  1. From your Project home page, navigate to the Administration tab.
  2. In the left sidebar, select Xray Settings > Indexed Resources .
  3. Review the status of the indexing in the Index Status column.
  4. Review the retention period of the scan in the Retention column.
  5. Select at the end of a row to configure repository indexing:
    • Change the retention period.
    • Change the scanning policy to Scan All Artifacts or Scan by Pattern.
Note

The retention period defines how long Xray keeps scan data for each artifact after it is scanned. The default is 90 days and the maximum is 1000 days.

Review a scan of an artifact

Important

Artifacts uploaded before the repository was indexed are not scanned automatically. To scan them, use Index Now (whole repository) or Scan Now (targeted scan) as described in the sections below.

Trigger a targeted scan

  1. From your Project home page, at the Platform tab, go to Xray > Scans List > Binary Scans .
  2. Select Scan Now.
  3. Select Repositories.
  4. Choose the repository that contains the artifacts you want to scan.
  5. Optionally narrow the scope by:
    • Repository path (folder / sub-folder)
    • Name pattern (e.g. *.jar, *.tgz)
  6. Click Scan to start the scan.

Xray indexes and scans the selected artifacts and displays their status in the Binary Scans list.

Trigger a scan for an entire repository

As a project admin:

  1. From your Project home page, navigate to the Administration tab.
  2. In the left sidebar, select Xray Settings > Indexed Resources .
  3. Select the Repositories tab.
  4. Select the repository you want to scan and click at the end of the row.
  5. Select Index Now.

Xray indexes and scans all artifacts inside the selected repository.

View vulnerabilities and SBOM information

Once the scan is complete:

  1. Go to Artifactory → Artifacts.
  2. Browse to the repository and select the artifact you scanned.
  3. Open the Xray tab:
    • Policy Violations: a summary of policy breaches detected.
    • Security Issues: CVEs, severities, and affected components.
    • SBOM: most common licenses found and component types.
  4. At the top of the Xray tab, click .
  5. Select Export Scan Data.
  6. Select SBOM on the left, then CycloneDX under SBOM Standard, and JSON under Format.

“Export SBOM”


CLI command reference

The following commands are covered in the CLI section above. For policy enforcement options, see Xray License Scanning .

GoalCommand
SBOM from source (Maven)jf audit --mvn --sca --sbom --format cyclonedx
SBOM from source (Python)jf audit --pip --sca --sbom --format cyclonedx
SBOM from compiled JARjf scan ./target/app.jar --sbom --format cyclonedx
SBOM from container imagejf docker scan <image>:<tag> --sbom --format cyclonedx
Link results with an Xray projectjf audit --mvn --project <project-key> --sbom
Fail build on policy violationjf audit --mvn --fail ¹
Upload SBOM to Artifactoryjf rt upload <file.cdx.json> <repo-path>
List configured serversjf c show

¹ Requires an active Watch with a Fail Build policy action configured for the project. See Xray License Scanning for setup instructions.