diff --git a/docs/cli/how-tos/fetch_sboms.mdx b/docs/cli/how-tos/fetch_sboms.mdx new file mode 100644 index 000000000..d84819b2c --- /dev/null +++ b/docs/cli/how-tos/fetch_sboms.mdx @@ -0,0 +1,34 @@ +# How to fetch SBOMs for Sourcegraph + +Sourcegraph publishes a Software Bill of Materials (SBOM) for each of its container images. The SBOMs for each Sourcegraph release are signed, and stored in our container registry alongside our published container images. + +To retrieve the SBOMs for a specific release, you can use the `src` command line interface for Sourcegraph: + +1. Install `src` by following the [Quickstart](../quickstart.mdx). +2. Install `cosign` by following the [Installation Guide](https://docs.sigstore.dev/cosign/system_config/installation/). +3. Identify the version of Sourcegraph your require SBOMs for. This may be a [recent release](../../CHANGELOG.mdx), or your instance's current version. + 1. SBOMs are only available for Sourcegraph release 5.9.0 and later. + 2. Find your instance's current version by checking your deployment, or by visiting the Settings page on your Sourcegraph instance and checking the version shown in the bottom left corner. + ![](https://storage.googleapis.com/sourcegraph-assets/docs/images/settings/view-version-scaled.png) +4. Run `src sbom fetch -v ` to fetch SBOMs for all containers in this release. `src` will automatically validate that all SBOMs were signed by Sourcegraph. + ``` + # Fetch SBOMs for Sourcegraph release 5.9.0 + $ src sbom fetch -v 5.9.0 + + Fetching SBOMs and validating signatures for all 39 images in the Sourcegraph 5.9.0 release... + + ✅ sourcegraph/appliance + ✅ sourcegraph/batcheshelper + ✅ sourcegraph/bundled-executor + + [...] + + 🟢 Fetched verified SBOMs for 39 images + + Fetched and validated SBOMs have been written to `sourcegraph-sboms/sourcegraph-5.9.0`. + + Your Sourcegraph deployment may not use all of these images. Please check your deployment to confirm which images are used. + ``` +5. Once completed, you can find the set of validated SBOMs under `sourcegraph-sboms/sourcegraph-/`. + +**Note:** `src sbom fetch` will retrieve SBOMs for **all** containers that make up a Sourcegraph release. Your Sourcegraph instance will use only a subset of these containers - please check your deployment to determine which SBOM files are relevant to your deployment. diff --git a/docs/cli/how-tos/index.mdx b/docs/cli/how-tos/index.mdx index 65b358bf2..6c2a84d8e 100644 --- a/docs/cli/how-tos/index.mdx +++ b/docs/cli/how-tos/index.mdx @@ -5,3 +5,5 @@ The following how-tos apply to the `src` command line interface to Sourcegraph: - [Creating an access token](/cli/how-tos/creating_an_access_token) - [Revoking an access token](/cli/how-tos/revoking_an_access_token) - [Managing access tokens](/cli/how-tos/managing_access_tokens) +- [How to fetch SBOMs for Sourcegraph](/cli/how-tos/fetch_sboms) +