Packer
HCP SBOM Provisioner
Official
Type: hcp-sbom
The hcp-sbom Packer provisioner downloads an SBOM file from the guest machine and sends it to HCP Packer when the build is complete (only if the template is HCP-enabled). The SBOM file is automatically removed at the end of the process. If you want to retain a copy of the SBOM file, you can specify the destination option in the provisioner.
Currently, we support CycloneDX and SPDX SBOM formats in JSON.
Basic Example
In HCL2:
provisioner "hcp-sbom" {
  source = "/tmp/sbom_cyclonedx.json"
  destination = "./sbom/sbom_cyclonedx.json"
}
In JSON:
{
  "type": "hcp-sbom",
  "source": "/tmp/sbom_cyclonedx.json",
  "destination": "./sbom/sbom_cyclonedx.json"
}
Configuration Reference
Required Parameters:
source (string) - Source is a required field that specifies the path to the SBOM file that needs to be downloaded. It can be a file path or a URL.
Optional Parameters:
destination (string) - Destination is an optional field that specifies the path where the SBOM file will be downloaded to for the user. The 'Destination' must be a writable location. If the destination is a file, the SBOM will be saved or overwritten at that path. If the destination is a directory, a file will be created within the directory to store the SBOM. Any parent directories for the destination must already exist and be writable by the provisioning user (generally not root), otherwise, a "Permission Denied" error will occur. If the source path is a file, it is recommended that the destination path be a file as well.
sbom_name (string) - The name to give the SBOM when uploaded on HCP Packer. By default this will be generated, but if you prefer to have a name of your choosing, you can enter it here. The name must match the following regexp:
[a-zA-Z0-9_-]{3,36}
Note: it must be unique for a single build, otherwise the build will fail when uploading the SBOMs to HCP Packer, and so will the Packer build command.
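A pre-flight check for the constraints above, as an added example that is not part of the Packer documentation or the plugin's code: it validates each sbom_name against the documented regexp, rejects duplicates within one build, and confirms each file is CycloneDX or SPDX JSON. The function names are hypothetical, matching the regexp against the whole name is an assumption, and format detection relies on the top-level bomFormat and spdxVersion fields those JSON formats define; the plugin's own validation may differ.

```python
import json
import re

# Pattern quoted in the sbom_name description; anchoring it to the whole
# name via fullmatch is an assumption of this example.
SBOM_NAME_RE = re.compile(r"[a-zA-Z0-9_-]{3,36}")


def detect_sbom_format(text):
    """Return 'cyclonedx', 'spdx', or None for anything else."""
    try:
        doc = json.loads(text)
    except (TypeError, ValueError):
        return None  # not JSON at all (e.g. XML or tag-value output)
    if not isinstance(doc, dict):
        return None
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    return None


def check_sboms(entries):
    """entries: list of (sbom_name or None, sbom_text) for one build.

    Returns a list of human-readable problems; empty means OK.
    """
    problems, seen = [], set()
    for idx, (name, text) in enumerate(entries):
        if name is not None:  # None means "let HCP Packer generate it"
            if not SBOM_NAME_RE.fullmatch(name):
                problems.append(f"entry {idx}: invalid sbom_name {name!r}")
            elif name in seen:
                problems.append(f"entry {idx}: duplicate sbom_name {name!r}")
            seen.add(name)
        if detect_sbom_format(text) is None:
            problems.append(f"entry {idx}: not CycloneDX or SPDX JSON")
    return problems


# Constructed sample documents, trimmed to their identifying fields.
CYCLONEDX = '{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}'
SPDX = '{"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "packages": []}'
SPDX_TAG_VALUE = "SPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\n"

if __name__ == "__main__":
    build = [("os-packages", CYCLONEDX), ("os-packages", SPDX), ("ab", SPDX_TAG_VALUE)]
    for problem in check_sboms(build):
        print(problem)
```

Running such a check in CI before the Packer build surfaces a bad name or an unsupported SBOM format early, rather than as a failed upload at the end of the build.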
Example Usage
In HCL2:
packer {
  required_plugins {
    docker = {
      version = ">= 1.0.0"
      source = "github.com/hashicorp/docker"
    }
  }
}

source "docker" "ubuntu" {
  image = "ubuntu:20.04"
  commit = true
}

build {
  sources = ["source.docker.ubuntu"]

  hcp_packer_registry {
    bucket_name = "test-bucket"
  }

  provisioner "shell" {
    inline = [
      "apt-get update -y",
      "apt-get install -y curl gpg",
      "bash -c \"$(curl -sSL https://install.mondoo.com/sh)\"",
      "cnquery sbom --output cyclonedx-json --output-target /tmp/sbom_cyclonedx.json",
    ]
  }

  provisioner "hcp-sbom" {
    source = "/tmp/sbom_cyclonedx.json"
    destination = "./sbom"
  }
}
In JSON:
{
  "builders": [
    {
      "type": "docker",
      "image": "ubuntu:20.04",
      "commit": true
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "inline": [
        "apt-get update -y",
        "apt-get install -y curl",
        "bash -c \"$(curl -sSL https://install.mondoo.com/sh)\"",
        "cnquery sbom --output cyclonedx-json --output-target /tmp/sbom_cyclonedx.json"
      ]
    },
    {
      "type": "hcp-sbom",
      "source": "/tmp/sbom_cyclonedx.json",
      "destination": "./sbom"
    }
  ]
}