Inspecting your SBOM using Red Hat Trusted Profile Analyzer


Red Hat Advanced Developer Suite - software supply chain 1.8

Learn how to scan your SBOM to gain actionable information about the security posture of your application.

Red Hat Customer Content Services

Abstract

This document provides information about how to review an SBOM to gain actionable information about the security posture of your application.

Preface

When Red Hat Advanced Developer Suite - software supply chain builds your application images, it also provides a software bill of materials (SBOM). The SBOM lists all the software libraries that the image uses. You can use the SBOM to identify security vulnerabilities.

However, the SBOM is long and difficult to read. To turn the raw SBOM into actionable information, you can use the Trusted Profile Analyzer (TPA). For example, the TPA can identify dependencies in your image that are affected by known Common Vulnerabilities and Exposures (CVEs).

The following procedure explains how to inspect your software bill of materials (SBOM) with the Red Hat Trusted Profile Analyzer (RHTPA). Specifically, the procedure outlines how to download an SBOM, convert the SBOM into a compatible format, and analyze the SBOM with the RHTPA.

Note

You should not need this procedure, because Red Hat Advanced Developer Suite - software supply chain (RHADS - SSC) 1.8 automatically publishes your SBOM to the RHTPA when it builds your application with any of the supported CI providers.

Follow this procedure if you prefer to extract the SBOM manually and keep a local copy.

Prerequisites

You have installed the following command-line tools on the workstation from which you run the commands in this procedure, and you can reach the cluster that runs RHADS - SSC with oc or kubectl:

  • Cosign
  • Syft
  • jq

Procedure

  1. In your container registry, find the full address of the container image whose SBOM you want to inspect. The address has the following format:

    <registry>/<namespace>/<image>:<tag>

    For example:

    quay.io/app/app-image:ff59e21cc…
    Note

    Do not use the address of the SBOM image, which ends with .sbom. Use the address of the image for the actual application.

  2. Use cosign to download the SBOM by running the following command:

    $ cosign download sbom <registry>/<namespace>/<image>:<tag> \
      > /tmp/sbom.json

    Redirect the output to a file you can reference later. Make sure the new filename ends with .json.

    cosign download sbom fetches the SBOM attached to the image but does not verify a signature on it. If you need assurance that the SBOM you are about to analyze is the one your build produced, verify the image and its attestations with cosign verify or cosign verify-attestation before you rely on the downloaded file.

  3. (Optional) Your SBOM is displayed in the RHTPA UI with the name listed in this .json file. By default, Syft sets that name to the path it scanned, which is a container storage directory rather than the name of your application. If you want your SBOM to appear in the RHTPA UI with a more meaningful name, change the name field of the .metadata.component object in the .json file you just downloaded. You can optionally add a version field.

    $ vim /tmp/sbom.json

    "component": {
          "bom-ref": "fdef64df97f1d419",
          "type": "file",
          "name": "/var/lib/containers/storage/vfs/dir/3b3009adcd335d2b3902c5a7014d22b2beb6392b1958f1d9c7aabe24acab2deb" #Replace this with a meaningful name
        }
  4. Store the Bombastic API URL as an environment variable by running the following command:

    $ bombastic_api_url="https://$(oc -n tssc-tpa get route \
      --selector app.kubernetes.io/name=bombastic-api \
      -o jsonpath='{.items[].spec.host}')"
    Note

    In this command and the next two commands, the value after -n must be the namespace in which the corresponding component is installed. The examples assume the default names, which start with tssc: tssc-tpa for the Bombastic API route, tssc-keycloak for the Keycloak route, and tssc for the integration secret.

  5. Create a new token_issuer_url environment variable by running the following command:

    $ token_issuer_url="https://$(oc -n tssc-keycloak get route \
      --selector app=keycloak \
      -o jsonpath='{.items[].spec.host}')/realms/chicken/protocol/openid-connect/token"
  6. Set the TPA__OIDC__WALKER_CLIENT_SECRET environment variable and provide your TPA OIDC Walker client secret as its value. The following command reads the secret from the integration secret in the cluster:

    $ TPA__OIDC__WALKER_CLIENT_SECRET=$(kubectl get \
      -n tssc secrets/tssc-trustification-integration \
      --template='{{.data.oidc_client_secret}}' | base64 -d)
  7. Obtain a token for the Bombastic API by running the following command:

    $ tpa_token=$(curl \
        -d 'client_id=walker' \
        -d "client_secret=$TPA__OIDC__WALKER_CLIENT_SECRET" \
        -d 'grant_type=client_credentials' \
        "$token_issuer_url" \
    | jq -r .access_token)

    The token allows you to upload the SBOM. Treat the client secret and the token as credentials: because both are passed as command-line arguments to curl, other users on the same host can see them in the process list while the command runs.

  8. Upload the SBOM by running the following command:

    $ curl \
        -H "authorization: Bearer $tpa_token" \
        -H "transfer-encoding: chunked" \
        -H "content-type: application/json" \
        --data @/tmp/sbom.json \
        "$bombastic_api_url/api/v2/sbom?id=my-sbom"

    1. If you receive the error message storage error: invalid storage content, use Syft to convert your SBOM to an earlier version such as CycloneDX version 1.4 by running the following command:

      $ syft convert /tmp/sbom.json -o cyclonedx-json@1.4=/tmp/sbom-1-4.json

      You can disregard warnings about merging packages with different pURLs. These warnings indicate that Syft might discard some data from the original SBOM, but that data is not crucial.

    2. Upload the SBOM again by running the following command:

      $ curl \
          -H "authorization: Bearer $tpa_token" \
          -H "transfer-encoding: chunked" \
          -H "content-type: application/json" \
          --data @/tmp/sbom-1-4.json \
          "$bombastic_api_url/api/v2/sbom?id=my-sbom"
  9. Access your cluster that is running RHADS - SSC through the OpenShift Console.
  10. In the tssc project, navigate to Networking > Routes. Open the URL listed on the same row as the spog-ui service.
  11. Use the Register button to create a new account and authenticate to RHTPA.
  12. Select your SBOM (the most recent upload) and see what insights RHTPA has provided about your application based on that SBOM.

    1. Go to the Dependency Analytics Report tab to view vulnerabilities and remediations.
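Steps 2 to 8 above can be scripted so the download, rename, token request, upload and the CycloneDX 1.4 fallback run as one repeatable operation. The following Python script is an added example, not code from this documentation or from the RHADS - SSC product. It calls the same tools the procedure uses (cosign, syft) through subprocess and replaces the curl calls with urllib. It assumes the page's client_id of walker, the Bombastic upload path /api/v2/sbom?id=..., and three environment variables named here by convention: BOMBASTIC_API_URL and TOKEN_ISSUER_URL (the values the page stores in shell variables of the same name in lower case) and TPA__OIDC__WALKER_CLIENT_SECRET. Secrets are read from the environment rather than taken as arguments so they do not appear in the process list.

```python
#!/usr/bin/env python3
"""Scripted version of steps 2 to 8 (added example): fetch an image's SBOM with
cosign, give the CycloneDX component a meaningful name, obtain a
client_credentials token from Keycloak, upload the SBOM to the Bombastic API,
and retry after a syft downgrade to CycloneDX 1.4 if the server answers with
the storage error quoted on the page."""
import json
import os
import subprocess
import sys
import urllib.error
import urllib.parse
import urllib.request

# Substring of the rejection message quoted on the page.
STORAGE_ERROR = "invalid storage content"


def download_sbom(image_ref, out_path):
    """Run `cosign download sbom` and save its output. This fetches the attached
    SBOM without verifying any signature on it; verify the image first if that matters."""
    proc = subprocess.run(["cosign", "download", "sbom", image_ref],
                          check=True, capture_output=True, text=True)
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write(proc.stdout)


def spec_version(sbom):
    """CycloneDX specVersion of a parsed SBOM, or '' if the field is missing."""
    return str(sbom.get("specVersion", ""))


def set_component_name(sbom, name, version=None):
    """Replace the syft-generated .metadata.component.name (a container storage
    path) with `name`, optionally adding a version. Other fields are untouched."""
    component = sbom.setdefault("metadata", {}).setdefault("component", {})
    component["name"] = name
    if version is not None:
        component["version"] = version
    return sbom


def needs_downgrade(status, body):
    """True when the upload failed with the storage error that the page says is
    cured by converting the document to CycloneDX 1.4."""
    return status >= 400 and STORAGE_ERROR in body


def downgrade_sbom(src, dst):
    """syft convert to CycloneDX JSON 1.4; warnings about merged pURLs are expected."""
    subprocess.run(["syft", "convert", src, "-o", f"cyclonedx-json@1.4={dst}"], check=True)


def token_request_body(client_id, client_secret):
    """Form body for the client_credentials grant, as the page's curl -d flags send it."""
    return urllib.parse.urlencode({"client_id": client_id,
                                   "client_secret": client_secret,
                                   "grant_type": "client_credentials"}).encode()


def fetch_token(issuer_url, client_id, client_secret):
    """POST the grant to the Keycloak token endpoint and return the access token."""
    req = urllib.request.Request(issuer_url, data=token_request_body(client_id, client_secret),
                                 headers={"content-type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def upload_sbom(api_url, token, sbom_path, sbom_id):
    """POST the file to /api/v2/sbom?id=...; returns (status, body) even on 4xx/5xx
    so the caller can decide whether to downgrade and retry."""
    with open(sbom_path, "rb") as fh:
        body = fh.read()
    query = urllib.parse.urlencode({"id": sbom_id})
    req = urllib.request.Request(f"{api_url}/api/v2/sbom?{query}", data=body, method="POST",
                                 headers={"authorization": f"Bearer {token}",
                                          "content-type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def main(argv):
    if len(argv) != 4:
        sys.exit("usage: tpa_upload_sbom.py <registry>/<namespace>/<image>:<tag> <sbom-id> <display-name>")
    image_ref, sbom_id, display_name = argv[1:]
    # Assumed variable names; the page keeps the same three values in shell variables.
    api_url = os.environ["BOMBASTIC_API_URL"]
    issuer = os.environ["TOKEN_ISSUER_URL"]
    secret = os.environ["TPA__OIDC__WALKER_CLIENT_SECRET"]

    path = "/tmp/sbom.json"
    download_sbom(image_ref, path)
    with open(path, encoding="utf-8") as fh:
        sbom = json.load(fh)
    set_component_name(sbom, display_name)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(sbom, fh)
    print(f"downloaded CycloneDX {spec_version(sbom)} SBOM for {image_ref}")

    token = fetch_token(issuer, "walker", secret)
    status, body = upload_sbom(api_url, token, path, sbom_id)
    if needs_downgrade(status, body):
        downgrade_sbom(path, "/tmp/sbom-1-4.json")
        status, body = upload_sbom(api_url, token, "/tmp/sbom-1-4.json", sbom_id)
    print(f"upload of {sbom_id}: HTTP {status} {body.strip()}")
    sys.exit(0 if status < 400 else 1)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 tpa_upload_sbom.py quay.io/app/app-image:<tag> my-sbom app-image` after exporting the three variables. The retry is keyed on the exact error text the page documents rather than on any 4xx, so an expired token or a wrong route still fails loudly instead of silently converting and retrying.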

Revised on 2026-02-04 23:24:07 UTC

Legal Notice

Copyright © Red Hat.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.