HashiCorp Cloud Platform
Manage artifact software bill of materials
This topic describes how to upload software bill of materials (SBOM) files and associate them with an artifact version in the HCP Packer registry.
Requirements
A Plus tier registry is required to upload and download SBOM files. Refer to Manage registry for details about viewing and changing your registry tier.
Overview
A software bill of materials records an artifact's package metadata and is useful for security and compliance audits. You can upload existing SBOM files to HCP Packer and associate them with an artifact version using either the hcp-sbom provisioner or the HCP Packer registry API.
Create a software bill of materials
Packer does not generate SBOM files, so you must use a third-party tool to create them. HCP Packer requires SBOM files to be in either SPDX or CycloneDX format. For an example Packer template that uses the provisioner, refer to the Track Packer artifact package bill of materials tutorial.
Upload the software bill of materials
You can upload SBOM files to the HCP Packer registry using either the hcp-sbom provisioner or the HCP Packer API.
Upload using the provisioner
You can use the hcp-sbom provisioner in your Packer template to upload an SBOM from your artifact to the HCP Packer registry.
1. Add the hcp-sbom provisioner to your Packer template, for example:

   provisioner "hcp-sbom" {
     source = "/tmp/sbom-cyclonedx-0.3.json"
   }

   Refer to the hcp-sbom provisioner reference for more information.
2. Run the packer init command to install the provisioner.
3. Run packer build to upload the SBOM file.
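The three steps above, shown as one complete Packer template. This is an added example and not a template from the HCP Packer documentation: it assumes the Docker builder plugin, a base image that already contains the syft SBOM generator (the image name "example.internal/base-with-syft:1.0" and the bucket name "example-app" are placeholders), and that HCP_CLIENT_ID, HCP_CLIENT_SECRET and HCP_PROJECT_ID are set in the environment before the build runs.

```hcl
# Added example (not from the HCP Packer documentation): build a Docker image,
# generate a CycloneDX SBOM inside the image, and upload that SBOM to the
# HCP Packer registry with the hcp-sbom provisioner.
#
# Assumptions: the base image is assumed to ship with `syft` installed (how you
# install and pin it belongs to your own image-build process); the image name,
# bucket name and plugin version are placeholders; HCP_CLIENT_ID,
# HCP_CLIENT_SECRET and HCP_PROJECT_ID are exported before `packer build`.

packer {
  required_plugins {
    docker = {
      source  = "github.com/hashicorp/docker"
      version = ">= 1.0.0"
    }
  }
}

source "docker" "app" {
  # Placeholder base image; replace with the image you actually build from.
  image  = "example.internal/base-with-syft:1.0"
  commit = true
}

build {
  # Registering the build with HCP Packer creates the artifact version that
  # the uploaded SBOM is attached to.
  hcp_packer_registry {
    bucket_name = "example-app" # placeholder bucket name
    description = "Application image with an attached CycloneDX SBOM"
  }

  sources = ["source.docker.app"]

  # Generate the SBOM inside the artifact so it describes the packages that
  # actually ship, not the packages installed on the build host.
  provisioner "shell" {
    inline = [
      "syft dir:/ -o cyclonedx-json=/tmp/sbom-cyclonedx-0.3.json",
    ]
  }

  # Upload the SBOM to the registry. `source` is the path inside the artifact,
  # which is why this provisioner runs after the one that wrote the file.
  provisioner "hcp-sbom" {
    source = "/tmp/sbom-cyclonedx-0.3.json"
  }
}
```

Run packer init . to install the declared plugins and then packer build . to build the image and upload the SBOM. Because the SBOM is produced from inside the committed image, a later audit of the artifact version in HCP Packer sees exactly the packages present in the image rather than a snapshot taken on the build host.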
Upload using the API
Refer to the UploadSboms API reference for more information on this API endpoint.
Download artifact software bill of materials
You can download SBOM files from the HCP Packer registry using the UI or the API.
Download from the UI
- Open the artifact version overview page.
- Click the Download SBOM drop-down and choose the SBOM you want to download.
Download using the API
Send a GET request to the /GetSbom endpoint of the HCP Packer registry API to download an SBOM file.