Automating SBOMs

Tidelift analyzes package manager manifests and lockfiles (usually from a source code repository), as well as software bills of materials (SBOMs) in CycloneDX and SPDX format.

To collect and explore SBOMs, you must first create projects. "Projects" are what Tidelift calls an individual application or repository in your organization.

You can do this by generating API keys, configuring them as secrets in your build pipeline stages, and calling the Tidelift CLI.

For tracking risk in your organization, Tidelift recommends tracking the versions of software that are actually deployed in your environment. Generally, this is the main or production branch of your source control repository.

Create a new project

  1. Ensure you are authenticated to use Tidelift CLI with your User or Organization API Key.
  2. Go to the root directory of your local software project / source control repository.
  3. Run tidelift projects new in the root directory of the project. You will need to provide a name for the project.

Upload a manifest to track dependencies

  1. Ensure you are authenticated to use Tidelift CLI with your Organization or Project API Key.
  2. Run tidelift alignment save in the root directory of the project. This will upload any discovered manifests, analyze the dependencies, and create your bill of materials.

How to track projects at scale across your organization

Using a periodic sync process with Tidelift

If you have access to your source control hosting system, it is straightforward to perform a periodic sync of your repositories with Tidelift.

For example, a scheduled task every day could:

  • Install the Tidelift CLI
  • Check out the main branch of each repository that is tracked, and:
    • Run tidelift projects new to create the project (ignoring any errors if it already exists)
    • Run tidelift alignment save in the root directory of the project.

This ensures your bills of material are up-to-date.
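The following is an added example of such a scheduled task, written as a POSIX shell script; it is not Tidelift's own script and is not taken from this page. It also carries out the create-then-upload procedure described in the two sections above for every repository it finds. Assumptions not stated on the page: the Tidelift CLI is already installed, it reads the API key from the TIDELIFT_API_KEY environment variable, tidelift projects new accepts the project name via a --name flag, and the repositories are local clones under one directory, with the project name derived from each directory's name.

```shell
#!/usr/bin/env sh
# Added example, not Tidelift's own sync script. Nightly sync of every tracked
# repository: check out the tracked branch, create the Tidelift project
# (tolerating "already exists"), then upload the manifests with
# `tidelift alignment save`.
#
# Assumptions not stated on the page:
#   - the Tidelift CLI is installed and on PATH (or named by TIDELIFT_BIN);
#   - the CLI reads the API key from TIDELIFT_API_KEY, which the scheduler
#     injects from its secret store (never hard-code the key in this file);
#   - `tidelift projects new` accepts the project name via --name;
#   - repositories are local git clones directly under the directory in $1.

set -u

: "${TIDELIFT_BIN:=tidelift}"
: "${TRACKED_BRANCH:=main}"

# Derive the Tidelift project name from the repository directory name.
project_name_for() {
    basename "$1"
}

# Sync one repository. Runs in a subshell so the cd does not leak.
# Returns non-zero if the checkout or the upload fails; a failure to create
# the project is ignored because it usually means the project already exists.
sync_repo() {
    repo_dir=$1
    name=$(project_name_for "$repo_dir")
    (
        cd "$repo_dir" || exit 1
        # Track what is deployed: the main/production branch, fast-forward
        # only, so a diverged local clone fails loudly instead of uploading
        # a stale bill of materials.
        git checkout --quiet "$TRACKED_BRANCH" || exit 1
        git pull --quiet --ff-only || exit 1
        "$TIDELIFT_BIN" projects new --name "$name" >/dev/null 2>&1 || true
        "$TIDELIFT_BIN" alignment save
    )
}

# Sync every git repository directly under $1 and return the number of
# failures, so the scheduler can alert on a non-zero exit status.
sync_all() {
    root=$1
    : "${TIDELIFT_API_KEY:?set TIDELIFT_API_KEY from your secret store}"
    failed=0
    for d in "$root"/*/; do
        repo=${d%/}
        [ -d "$repo/.git" ] || continue
        if sync_repo "$repo"; then
            echo "ok   $(project_name_for "$repo")"
        else
            echo "FAIL $(project_name_for "$repo")" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: tidelift-sync.sh /srv/repos   (from cron or another scheduled job)
if [ $# -gt 0 ]; then
    sync_all "$1"
fi
```

Run it from cron as tidelift-sync.sh /srv/repos with TIDELIFT_API_KEY injected by the scheduler. The create step is allowed to fail, matching the advice above to ignore the error when the project already exists, but a failed checkout or upload is counted and surfaced through the exit status so that an out-of-date bill of materials does not go unnoticed.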

Using Tidelift within Continuous Integration (CI)

By integrating the Tidelift CLI inside your continuous integration (CI) environment, you can automatically create new bills of materials every time your software is built.

Tidelift provides sample integration scripts for many common CI environments. To learn more about how to use Tidelift within your CI environment, see Using Tidelift with CI.

Tidelift is available to help

Tidelift support is available to ensure that you are successful at scale. Contact Tidelift support for more detailed information on how to integrate at scale in your environment, get sample integration scripts, and more.
