A tool to generate an SBOM (Software Bill of Materials) from source code artifacts.
NOTE: Covenant requires all projects to have been built, and all dependencies to have been restored, to make the analysis as accurate as possible.
- .NET 5 / .NET 6
- .NET Core
- NPM
Install by running the following command:
dotnet tool install covenant
Usage:
covenant generate [<PATH>] [options]
Arguments:
<PATH> A file or directory to use as input
Options:
-o, --output <FILE> The output path of the SBOM file
-n, --name <NAME> The SBOM name
-v, --version <VERSION> The SBOM version [default: 0.0.0]
--design-time-build Performs a design time build for .NET projects [default: False]
--no-dev-dependencies Excludes dev dependencies [default: False]
-?, -h, --help Show help and usage information
To generate a Covenant SBOM from the current directory:
dotnet covenant generate
To generate a Covenant SBOM from a specific directory:
dotnet covenant generate "C:\Source\Foo"
To generate a Covenant SBOM from a specific file:
dotnet covenant generate "C:\Source\Foo\Foo.sln"
Usage:
covenant convert [command] [options]
Options:
-?, -h, --help Show help and usage information
Commands:
cyclonedx <PATH>
spdx <PATH>
Usage:
covenant convert spdx <PATH> [options]
Arguments:
<PATH> The Covenant SBOM file to convert
Options:
-o, --output <FILE> The output path
--namespace <namespace> The SPDX namespace
-?, -h, --help Show help and usage information
dotnet covenant convert spdx "C:\Source\Foo\Foo.covenant.json"
Usage:
covenant convert cyclonedx <PATH> [options]
Arguments:
<PATH> The Covenant SBOM file to convert
Options:
-o, --output <FILE> The output path
-?, -h, --help Show help and usage information
dotnet covenant convert cyclonedx "C:\Source\Foo\Foo.covenant.json"
Usage:
covenant report <PATH> [options]
Arguments:
<PATH> The Covenant SBOM file to create an HTML report for
Options:
-o, --output <FILE> The output path of the HTML report
-?, -h, --help Show help and usage information
dotnet covenant report "C:\Source\Foo\Foo.covenant.json"
Usage:
covenant check <PATH> [options]
Arguments:
<PATH> The Covenant SBOM file to run compliance checks for
Options:
-c, --configuration <FILE> The Covenant configuration file to use
-?, -h, --help Show help and usage information
dotnet covenant check "C:\Source\Foo\Foo.covenant.json"
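The commands above are usually chained in CI: generate the SBOM, run the compliance check, and only then convert to SPDX and CycloneDX for downstream consumers. The following Python wrapper is an added example and not part of Covenant; it builds the argument lists exactly as documented above and stops at the first failing step. It assumes that `covenant check` exits non-zero when a compliance rule is violated, and the output file names (`.spdx.json`, `.cdx.json`) are this example's own choice, not Covenant defaults.

```python
"""Run the documented Covenant commands as a fail-closed pipeline.

Added example (not Covenant's own code). Assumes `dotnet covenant` is on
PATH and that `covenant check` returns a non-zero exit code on a violation.
"""
import subprocess
from pathlib import Path


def generate_cmd(path, output, name=None, version=None,
                 no_dev_dependencies=False, design_time_build=False):
    """argv for `covenant generate`, using the options listed in the README."""
    cmd = ["dotnet", "covenant", "generate", str(path), "-o", str(output)]
    if name:
        cmd += ["-n", name]
    if version:
        cmd += ["-v", version]
    if no_dev_dependencies:
        cmd.append("--no-dev-dependencies")
    if design_time_build:
        cmd.append("--design-time-build")
    return cmd


def check_cmd(sbom, configuration=None):
    """argv for `covenant check`; -c/--configuration selects the rule file."""
    cmd = ["dotnet", "covenant", "check", str(sbom)]
    if configuration:
        cmd += ["-c", str(configuration)]
    return cmd


def convert_cmd(fmt, sbom, output, namespace=None):
    """argv for `covenant convert spdx|cyclonedx`; --namespace is SPDX-only."""
    if fmt not in ("spdx", "cyclonedx"):
        raise ValueError(f"unsupported target format: {fmt}")
    cmd = ["dotnet", "covenant", "convert", fmt, str(sbom), "-o", str(output)]
    if fmt == "spdx" and namespace:
        cmd += ["--namespace", namespace]
    return cmd


def run_pipeline(source, out_dir, name, version, configuration=None,
                 runner=subprocess.run):
    """generate -> check -> convert (spdx, cyclonedx).

    `runner` is injectable so the sequence can be tested without the tool.
    Returns a dict describing which steps completed and where it stopped.
    """
    out_dir = Path(out_dir)
    sbom = out_dir / f"{name}.covenant.json"   # name chosen by this example
    steps = [
        ("generate", generate_cmd(source, sbom, name, version,
                                  no_dev_dependencies=True)),
        ("check", check_cmd(sbom, configuration)),
        ("spdx", convert_cmd("spdx", sbom, out_dir / f"{name}.spdx.json")),
        ("cyclonedx", convert_cmd("cyclonedx", sbom, out_dir / f"{name}.cdx.json")),
    ]
    completed = []
    for step, cmd in steps:
        result = runner(cmd)
        if result.returncode != 0:
            # Fail closed: a failed check must not produce publishable SBOMs.
            return {"ok": False, "failed_step": step, "completed": completed}
        completed.append(step)
    return {"ok": True, "failed_step": None, "completed": completed,
            "sbom": str(sbom)}


if __name__ == "__main__":
    import sys
    outcome = run_pipeline(".", "sbom-out", "Foo", "1.0.0",
                           configuration="covenant.config")
    print(outcome)
    sys.exit(0 if outcome["ok"] else 1)
```

Because the check step runs before either conversion, a banned license blocks the SPDX and CycloneDX artifacts from ever being written, which is the behaviour you want when those files are uploaded to a registry or attached to a release.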
You can put a file called covenant.config next to the SPDX report, or provide one via the -c/--configuration parameter, to configure the compliance rules.
{
  "licenses": {
    "banned": [
      "MIT"
    ]
  }
}
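To see what the banned-licenses rule means in practice, the script below is an added example, not Covenant's own checker: it parses a covenant.config in the format shown above, validates its shape, and evaluates a constructed list of components against it. The component list and its (name, version, license) shape are this example's own stand-in, not Covenant's SBOM schema, and the handling of "OR"/"AND" license expressions and of missing license data is this example's interpretation, not documented Covenant behaviour.

```python
"""Evaluate the covenant.config banned-licenses rule against components.

Added example (not Covenant's code). Config format is the one shown in the
README; the component tuples below are constructed sample data.
"""
import json
import re

# Verbatim from the README example above.
CONFIG_TEXT = '{"licenses": {"banned": ["MIT"]}}'

# Constructed sample input: (component, version, license expression).
COMPONENTS = [
    ("Example.Http", "1.0.0", "MIT"),
    ("Example.Log", "2.1.0", "Apache-2.0"),
    ("Example.Crypto", "0.9.0", "MIT OR Apache-2.0"),   # consumer may pick Apache-2.0
    ("Example.Ui", "3.0.0", "MIT AND BSD-3-Clause"),    # both terms apply
    ("Example.Legacy", "1.0.0", None),                  # no license metadata at all
]


def load_banned_licenses(config_text):
    """Parse covenant.config and return banned IDs, lower-cased so that
    comparison is case-insensitive (SPDX IDs are case-insensitive)."""
    cfg = json.loads(config_text)
    licenses = cfg.get("licenses", {})
    if not isinstance(licenses, dict):
        raise ValueError('"licenses" must be an object')
    banned = licenses.get("banned", [])
    if not isinstance(banned, list) or not all(isinstance(x, str) for x in banned):
        raise ValueError('"licenses.banned" must be a list of strings')
    return {x.strip().lower() for x in banned}


def license_violates(expression, banned):
    """Return a reason string if the expression is unacceptable, else None.

    Rules chosen for this example: a missing expression is a finding (an
    unknown license cannot be shown to be acceptable); an OR expression is
    acceptable when at least one alternative contains no banned ID; every
    ID in an AND group applies, so one banned ID taints the group.
    Nested parentheses and WITH exceptions are not modelled here.
    """
    if not expression or not expression.strip():
        return "no license information"
    alternatives = re.split(r"\s+OR\s+", expression.strip(), flags=re.IGNORECASE)
    for alternative in alternatives:
        ids = [t.strip().strip("()").lower()
               for t in re.split(r"\s+AND\s+", alternative, flags=re.IGNORECASE)]
        if not any(i in banned for i in ids):
            return None
    return f"license '{expression}' is banned by policy"


def evaluate(components, banned):
    """Return one finding per component that fails the policy."""
    findings = []
    for name, version, expression in components:
        reason = license_violates(expression, banned)
        if reason:
            findings.append({"component": name, "version": version,
                             "license": expression, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in evaluate(COMPONENTS, load_banned_licenses(CONFIG_TEXT)):
        print(f"{f['component']} {f['version']}: {f['reason']}")
```

Treating missing license metadata as a finding, rather than silently passing it, is the conservative choice: a package with no recorded license is exactly the case a banned-license policy is most likely to miss.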
We're using Cake as a dotnet tool for building. So make sure that you've restored Cake by running the following in the repository root:
> dotnet tool restore
After that, running the build is as easy as writing:
> dotnet cake