We are excited to share a new Bytesafe feature that will help you manage and secure your supply chain: the ability to import Software Bill of Materials (SBOM) files into Bytesafe. This enhancement, designed with our users' needs in mind, is a significant stride towards improved software supply chain security. It offers a solution to track current and potential vulnerabilities in your dependencies without sharing your proprietary source code or other sensitive data.
SBOM: A Game-Changer in Software Dependency Management
Before we delve into how to use this feature, let’s take a brief look at what an SBOM is and how it can be beneficial. A Software Bill of Materials is essentially a compiled list of components, libraries, and modules used in a software, along with other pertinent information such as version numbers and supplier details.
SBOMs offer a clear and accurate inventory of your software dependencies, offering transparency into your software supply chain and empowering you to proactively mitigate potential security risks. Up until now, managing an SBOM has been a somewhat manual and time-consuming process. But with Bytesafe’s new feature, you can automate this process. Making it much simpler, quicker, and more efficient.
How to Use the New SBOM Import Feature
To import a Software Bill of Materials (SBOM) to Bytesafe, there are two methods. The first option is to use the Import from SBOM function in the Source repositories section in Bytesafe. This feature allows you to directly import an SBOM file from your computer into Bytesafe.
Alternatively, you can use the Bytesafe API to import the SBOM. This involves sending a POST request to the endpoint at https://<WORKSPACE>.bytesafe.dev/import/sbom. For this method, you would need to replace <WORKSPACE> with the name of your specific Bytesafe workspace. This method may be especially beneficial for automating the import process or integrating it into an existing CI/CD workflow.
By importing an SBOM, Bytesafe users can keep track of current and future vulnerabilities in their dependencies without having to share their proprietary source code.
Below is an example using Trivy, which is a simple and comprehensive vulnerability scanner for containers and filesystems. Trivy will generate the SBOM in CycloneDX format (a lightweight specification designed for use in application security contexts and supply chain component analysis), which Bytesafe accepts. There are plenty of great SCA tools out there that can generate an SBOM in the CycloneDX format: Snyk, Sonatype, Mend and Syft to name a few.
Here is an example using Trivy that scans a directory and uploads the created SBOM to Bytesafe :
$ trivy filesystem --format cyclonedx my-source-project | curl -d@- \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <TOKEN>' https://<WORKSPACE>.bytesafe.dev/import/sbom
Just replace <TOKEN> with your Bytesafe Access Token and <WORKSPACE> with your Bytesafe workspace. Once your SBOM is uploaded to Bytesafe, you’ll be able to track dependencies and their vulnerabilities, giving you insight into potential risks and exposure.
For more information regarding Bytesafe SCA and SBOM import, please see the docs.
The Future of Secure Code with Bytesafe
Our new SBOM import feature provides users with an increased level of control over their software supply chain. As always, privacy is paramount to us at Bytesafe, and with this feature, you can enjoy transparency and security in your dependencies without revealing your proprietary source code.
In a world where software dependencies are increasing and security is becoming more crucial than ever, this new feature offers a proactive solution for software developers to identify, manage, and mitigate potential risks in their codebase.
We hope you find this new feature beneficial, and we can’t wait to hear your feedback. If you have any queries or need any assistance, don’t hesitate to reach out to us. Stay tuned for more exciting updates from Bytesafe.
Happy coding!
