With RKVST, you are always in control of who you share with.
While the main purpose of RKVST and RKVST SBOM Hub is to encourage and enable sharing of SBOMs, there are many good reasons to keep a private repository alongside your public ones. Perhaps you don't know at time of generation whether a particular build will be published, or you want to use different channels for distribution.
Whatever the reason, RKVST SBOM Hub can keep your SBOMs safe and private to you until you're ready to share.
Couldn't be easier
In fact, storing SBOMs privately is the default behaviour of RKVST SBOM Hub. Simply POSTing an SBOM adds it to your private store but does not yet publish it to the world, nor make it searchable by anyone outside your tenancy.
Uploading an SBOM to your private repository space is a simple POST to the REST API:
curl -sS -X POST -H "Authorization: Bearer $(cat .token)" -F "sbom=@sbomfile.xml" "https://sbom.rkvst.io/archivist/v1/sboms"
NOTE: If you do want to upload and publish straight away in a single call, you have to use the 'privacy' parameter:
curl -sS -X POST -H "Authorization: Bearer $(cat .token)" -F "sbom=@sbomfile.xml" "https://sbom.rkvst.io/archivist/v1/sboms?privacy=PUBLIC"
Searching and managing your private SBOMs
All the search and fetch APIs are identical whether you're looking at your own Private SBOMs, your published Shared SBOMs, or the Public SBOMs that have been shared by others. Two optional parameters, 'tenant_only' and 'privacy', narrow the search space to suit your needs:
Impact of search parameters on search results
So for instance, to find all your SBOMs, regardless of publication status:
curl -sS -H "Authorization: Bearer $(cat .token)" "https://sbom.rkvst.io/archivist/v1/sboms/-/metadata?tenant_only=true" | jq
Or to find only those SBOMs that are private to you:
curl -sS -H "Authorization: Bearer $(cat .token)" "https://sbom.rkvst.io/archivist/v1/sboms/-/metadata?tenant_only=true&privacy=PRIVATE" | jq
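The two calls above (private-by-default upload with an explicit 'privacy' override, and metadata search filtered by 'tenant_only' and 'privacy') can be wrapped in a small script so that publishing is never the result of a typo. The following is an added example, not RKVST's own client code: it assumes the base URL and the two query parameters shown in the curl commands, builds the same multipart body that curl -F "sbom=@file" sends, and only ever adds privacy=PUBLIC when the caller passes publish=True. The RKVST_TOKEN environment variable is a hypothetical convenience; the post reads the token from a .token file.

```python
"""Minimal RKVST SBOM Hub helper (example code, not the project's own client).

Assumptions taken from the post: the endpoint
https://sbom.rkvst.io/archivist/v1/sboms, the query parameters 'privacy'
and 'tenant_only', the values PUBLIC/PRIVATE, and that an upload without
'privacy' is stored privately.
"""
import json
import mimetypes
import os
import urllib.parse
import urllib.request
import uuid

BASE_URL = "https://sbom.rkvst.io/archivist/v1/sboms"
PRIVACY_VALUES = ("PRIVATE", "PUBLIC")


def _check_privacy(privacy):
    # Reject anything but the two documented values so that a misspelt
    # value cannot be passed through unchecked.
    if privacy not in PRIVACY_VALUES:
        raise ValueError(f"unknown privacy value {privacy!r}; expected one of {PRIVACY_VALUES}")


def build_upload_url(privacy=None):
    """URL for POSTing an SBOM. With privacy=None no query string is sent,
    so the server default (private) applies; PUBLIC must be explicit."""
    if privacy is None:
        return BASE_URL
    _check_privacy(privacy)
    return BASE_URL + "?" + urllib.parse.urlencode({"privacy": privacy})


def build_search_url(tenant_only=True, privacy=None):
    """URL for the metadata search, optionally restricted to your tenancy
    and to one privacy level (mirrors the two curl searches in the post)."""
    params = {}
    if tenant_only:
        params["tenant_only"] = "true"
    if privacy is not None:
        _check_privacy(privacy)
        params["privacy"] = privacy
    url = BASE_URL + "/-/metadata"
    return url + "?" + urllib.parse.urlencode(params) if params else url


def encode_multipart(field, filename, data, boundary=None):
    """Encode one file as multipart/form-data, as curl -F 'sbom=@file' does.
    Returns (body bytes, Content-Type header value)."""
    boundary = boundary or uuid.uuid4().hex
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {ctype}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def upload_sbom(token, path, publish=False):
    """POST an SBOM. Stored privately unless publish=True is passed explicitly."""
    with open(path, "rb") as fh:
        data = fh.read()
    body, content_type = encode_multipart("sbom", os.path.basename(path), data)
    req = urllib.request.Request(
        build_upload_url("PUBLIC" if publish else None),
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": content_type},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def list_sboms(token, tenant_only=True, privacy=None):
    """GET metadata for SBOMs matching the tenant_only/privacy filters."""
    req = urllib.request.Request(
        build_search_url(tenant_only, privacy),
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Dry run: show the requests that would be made. Only talks to the
    # service when RKVST_TOKEN (hypothetical variable) is set.
    print("private upload  ->", build_upload_url())
    print("publish upload  ->", build_upload_url("PUBLIC"))
    print("all my SBOMs    ->", build_search_url())
    print("private only    ->", build_search_url(privacy="PRIVATE"))
    token = os.environ.get("RKVST_TOKEN")
    if token:
        print(json.dumps(list_sboms(token, privacy="PRIVATE"), indent=2))
```

Keeping the publish decision behind a boolean parameter, and validating the privacy value against the two documented constants, means a release script can upload every build privately by default and flip only the chosen ones to PUBLIC in a separate, reviewed step.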
That's it!
SBOMs are only really useful when they're shared, but we recognise that there are many reasons why publication needs to be managed, particularly when you have a large number of products and releases.
Whatever your needs, RKVST SBOM Hub is the ideal repository for you to store and share your SBOMs.