All tutorials

Get an SBOM from Zephyr

Zephyr generates SPDX SBOMs through its own build tool, west. You initialize the build directory, build with SBOM metadata enabled, then generate the documents. Run these on Linux in your Zephyr workspace (set up with west and the Zephyr SDK).

  1. Step 1

    Initialize the build directory

    Run this before building. It tells the build system to record the metadata that west needs to assemble the SBOM:

    # Prepare the build directory to record SBOM metadata, BEFORE building.
    west spdx --init -d build
  2. Step 2

    Build with SBOM metadata

    Build as usual, with CONFIG_BUILD_OUTPUT_META enabled so the build emits the metadata used for the SBOM:

    # Build with SBOM metadata enabled (here: hello_world for an i.MX board).
    west build -b imx8mp_evk/mimx8ml8/a53 \
      samples/hello_world -d build -- \
      -DCONFIG_BUILD_OUTPUT_META=y

    Swap the board and sample for your own. For a sysbuild project, point the later steps at the application subdirectory (for example build/hello_world) rather than the top-level build directory.

  3. Step 3

    Generate and locate the SPDX files

    After the build, generate the documents:

    # Generate the SPDX documents from the completed build.
    west spdx -d build
    # For SPDX 2.2 instead of the default 2.3:
    # west spdx -d build --spdx-version 2.2

    They are written to the build directory:

    build/spdx/app.spdx          # your application source files
    build/spdx/zephyr.spdx       # Zephyr source files
    build/spdx/build.spdx        # built output files
    build/spdx/modules-deps.spdx # module dependencies

    west emits SPDX 2.3 by default. SBOM Total reads SPDX 2.2 and 2.3 JSON and tag-value.

  4. Step 4

    Scan it

    Upload one of the SPDX files on the checker (the "I have an SBOM" tab). The build.spdx document covers the built output that ships on the device.

  5. Step 5

    Automate it (optional)

    The west ac6-sbom-checker extension does steps 1, 3 and 4 in one command: it generates the SPDX SBOM, uploads it, prints the verdict and can fail your CI when triage finds an actionable risk.

    # Copy integrations/zephyr into your workspace as a west module,
    # then build, generate the SBOM, upload and gate in one command:
    export AC6_SBOM_API=https://your-sbom-checker
    export AC6_SBOM_TOKEN=sct_your_token
    west ac6-sbom-checker -d build --fail-on actionable

    Get an API token from your account page. Yocto projects use the meta-ac6-sbom-checker layer for the same flow.

Tip

Scan the documents that matter for your release: build.spdx for what ends up on the device, and zephyr.spdx plus modules-deps.spdx for the upstream sources and module dependencies.

See alsoGet an SBOM from Yocto