Get an SBOM from Zephyr
Zephyr generates SPDX SBOMs through its own build tool, west. You initialize the build directory, build with SBOM metadata enabled, then generate the documents. Run these on Linux in your Zephyr workspace (set up with west and the Zephyr SDK).
Step 1
Initialize the build directory
Run this before building. It tells the build system to record the metadata that west needs to assemble the SBOM:
# Prepare the build directory to record SBOM metadata, BEFORE building. west spdx --init -d buildStep 2
Build with SBOM metadata
Build as usual, with
CONFIG_BUILD_OUTPUT_METAenabled so the build emits the metadata used for the SBOM:# Build with SBOM metadata enabled (here: hello_world for an i.MX board). west build -b imx8mp_evk/mimx8ml8/a53 \ samples/hello_world -d build -- \ -DCONFIG_BUILD_OUTPUT_META=ySwap the board and sample for your own. For a sysbuild project, point the later steps at the application subdirectory (for example
build/hello_world) rather than the top-level build directory.Step 3
Generate and locate the SPDX files
After the build, generate the documents:
# Generate the SPDX documents from the completed build. west spdx -d build # For SPDX 2.2 instead of the default 2.3: # west spdx -d build --spdx-version 2.2They are written to the build directory:
build/spdx/app.spdx # your application source files build/spdx/zephyr.spdx # Zephyr source files build/spdx/build.spdx # built output files build/spdx/modules-deps.spdx # module dependencieswest emits SPDX 2.3 by default. SBOM Total reads SPDX 2.2 and 2.3 JSON and tag-value.
Step 4
Scan it
Upload one of the SPDX files on the checker (the "I have an SBOM" tab). The
build.spdxdocument covers the built output that ships on the device.Step 5
Automate it (optional)
The
west ac6-sbom-checkerextension does steps 1, 3 and 4 in one command: it generates the SPDX SBOM, uploads it, prints the verdict and can fail your CI when triage finds an actionable risk.# Copy integrations/zephyr into your workspace as a west module, # then build, generate the SBOM, upload and gate in one command: export AC6_SBOM_API=https://your-sbom-checker export AC6_SBOM_TOKEN=sct_your_token west ac6-sbom-checker -d build --fail-on actionableGet an API token from your account page. Yocto projects use the
meta-ac6-sbom-checkerlayer for the same flow.
Tip
Scan the documents that matter for your release: build.spdx for what ends up on the device, and zephyr.spdx plus modules-deps.spdx for the upstream sources and module dependencies.