Skip to main content

Uploading SBOMs from CI/CD

This guide shows how to upload an SBOM artifact to Memfault from a CI/CD pipeline using the Memfault CLI. Uploading from CI keeps the SBOM in sync with the software version it describes, so each released build has a matching bill of materials in Memfault.

Methodology

The general flow is:

  1. Build the firmware (or image) as part of the CI job.
  2. Generate the SBOM file alongside the build. See the SBOM generation guides for platform-specific instructions (Zephyr, nRF Connect SDK, ESP32, Yocto).
  3. Use the Memfault CLI's upload-software-version-sbom command to attach the SBOM to the corresponding Software Version in Memfault.

The --software-type and --software-version passed to the CLI must match the values reported by your device. Each Software Version may have at most one SBOM attached, so the upload step should run once per released version (e.g. gated on a tag build).

Authentication

The CLI requires an Organization Auth Token. Store the token and your organization/project slugs as CI secrets and pass them to the CLI via environment variables or command-line flags. See Authentication for the full list of supported methods.

GitHub Actions example

The following workflow snippet builds the firmware, generates an SBOM, and uploads it to Memfault. It assumes the following GitHub Actions secrets are configured:

  • MEMFAULT_ORG_TOKEN - an Organization Auth Token.
  • MEMFAULT_ORG - the organization slug.
  • MEMFAULT_PROJECT - the project slug.
.github/workflows/memfault-sbom.yml
on:
  # only upload SBOMs for tag builds, to match released software versions
  push:
    tags:
      - "v*"

env:
  # these must match the values reported by your device
  SOFTWARE_TYPE: stm32-fw

jobs:
  upload-sbom:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Build firmware and generate SBOM
        id: build
        run: |
          # derive the software version from the tag, e.g. refs/tags/v1.0.0 -> 1.0.0
          VERSION="${GITHUB_REF_NAME#v}"
          echo "version=${VERSION}" >> "${GITHUB_OUTPUT}"

          # <your build commands here, producing build/sbom.json>

      - name: Install Memfault CLI
        run: pip install memfault-cli

      - name: Upload SBOM to Memfault
        run: |
          memfault \
            --org-token ${{ secrets.MEMFAULT_ORG_TOKEN }} \
            --org ${{ secrets.MEMFAULT_ORG }} \
            --project ${{ secrets.MEMFAULT_PROJECT }} \
            upload-software-version-sbom \
              --software-type ${{ env.SOFTWARE_TYPE }} \
              --software-version ${{ steps.build.outputs.version }} \
              build/sbom.json
tip

If you already upload symbols or deploy releases from CI (see Automated symbol and release upload), add the SBOM upload to that same workflow so all release artifacts are published together.

Replacing an existing SBOM

Only a single SBOM can be attached to a Software Version. If a build is re-run for the same version, the upload step will fail because an SBOM is already attached. To replace it, delete the existing SBOM via the Versions tab or the API first, then re-run the upload.

Last updated on
This page is human-authored. If you see any errors, outdated information, or any other suggestions for improving the contents, please contact us!