{"id":13717441,"url":"https://github.com/patriksvensson/covenant","last_synced_at":"2025-04-15T16:41:50.609Z","repository":{"id":139587218,"uuid":"548592243","full_name":"patriksvensson/covenant","owner":"patriksvensson","description":"A tool to generate SBOM (Software Bill of Material) from source code artifacts.","archived":false,"fork":false,"pushed_at":"2024-03-25T09:46:37.000Z","size":114,"stargazers_count":64,"open_issues_count":10,"forks_count":7,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-28T22:35:02.049Z","etag":null,"topics":["cyclonedx","openchain","sbom","spdx"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/patriksvensson.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/funding.yml","license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"patriksvensson"}},"created_at":"2022-10-09T21:53:47.000Z","updated_at":"2025-02-08T12:30:15.000Z","dependencies_parsed_at":"2024-03-25T10:48:29.977Z","dependency_job_id":"74de81cd-d9d0-4a88-b2ad-fba62197c217","html_url":"https://github.com/patriksvensson/covenant","commit_stats":{"total_commits":19,"total_committers":4,"mean_commits":4.75,"dds":"0.21052631578947367","last_synced_commit":"d0a5b88ff9cf019df3af0168e244a52794aee0b1"},"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patriksvensson%2Fcovenant","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patriksvensson%2Fcovenant/tags","releases_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patriksvensson%2Fcovenant/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patriksvensson%2Fcovenant/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/patriksvensson","download_url":"https://codeload.github.com/patriksvensson/covenant/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249110339,"owners_count":21214313,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cyclonedx","openchain","sbom","spdx"],"created_at":"2024-08-03T00:01:22.270Z","updated_at":"2025-04-15T16:41:50.588Z","avatar_url":"https://github.com/patriksvensson.png","language":"C#","funding_links":["https://github.com/sponsors/patriksvensson"],"categories":["Dependency intelligence"],"sub_categories":["SCA and SBOM"],"readme":"# Covenant\n\nA tool to generate SBOM (Software Bill of Material) from source code artifacts.\n\nNOTE:\nCovenant requires all projects to have been built, and all dependencies to have been restored, to make the analysis as accurate as possible.\n\n## Supported SBOM formats\n\n* [CycloneDX](https://cyclonedx.org/)\n* [SPDX](https://spdx.dev/)\n\n## Supported sources\n\n* .NET 5 to .NET 8\n* .NET Core\n* NPM\n* CycloneDX BOM\n  * `*.cdx.xml` or `bom.xml`\n\n## Installation\n\nInstall by running the following command in your repository:\n\n```shell\n$ dotnet tool install covenant\n```\n\nYou can also install Covenant globally on your machine:\n\n```shell\n$ dotnet tool install -g covenant\n```\n\n## 
Configuration file\n\nThe configuration file is used to configure different aspects of Covenant.\n\n```json\n{\n    \"$schema\": \"https://raw.githubusercontent.com/patriksvensson/covenant/main/schema/0.14.json\",\n    \n    // Used for arbitrary files to be included in the SBOM (optional)\n    \"files\": [\n        {\n            \"path\": \"./files/lol.txt\",\n            \"license\": \"MIT\"\n        },\n        {\n            \"path\": \"./**/foo.c\"\n        }\n    ],\n    \n    // Used for compliance checks (optional)\n    \"licenses\": { \n        \"banned\": [\n            \"MIT\"\n        ]\n    }\n}\n```\n\n## Generate Covenant SBOM\n\n```\nUsage:\n  covenant generate [\u003cPATH\u003e] [options]\n\nArguments:\n  \u003cPATH\u003e  A file or directory to use as input\n\nOptions:\n  -o, --output \u003cFILE\u003e         The output path of the SBOM file\n  -n, --name \u003cNAME\u003e           The SBOM name\n  -v, --version \u003cVERSION\u003e     The SBOM version [default: 0.0.0]\n  -m, --metadata \u003cmetadata\u003e   Arbitrary metadata in the form 'key=value'\n  -c, --configuration \u003cFILE\u003e  The Covenant configuration file to use\n  --design-time-build         Performs a design time build for .NET projects [default: False]\n  --no-dev-dependencies       Excludes dev dependencies for NPM projects [default: False]\n  -?, -h, --help              Show help and usage information\n```\n\nTo generate a Covenant SBOM from the current directory:\n\n```bash\ndotnet covenant generate \n```\n\nTo generate a Covenant SBOM from a specific directory:\n\n```bash\ndotnet covenant generate \"C:\\Source\\Foo\"\n```\n\nTo generate a Covenant SBOM from a specific file:\n\n```bash\ndotnet covenant generate \"C:\\Source\\Foo\\Foo.sln\"\n```\n\n## Convert Covenant SBOM to third party SBOM formats\n\n```\nUsage:\n  covenant convert [command] [options]\n\nOptions:\n  -?, -h, --help  Show help and usage information\n\nCommands:\n  cyclonedx \u003cPATH\u003e\n  spdx 
\u003cPATH\u003e\n```\n\n### SPDX\n\n```\nUsage:\n  covenant convert spdx \u003cPATH\u003e [options]\n\nArguments:\n  \u003cPATH\u003e  The Covenant SBOM file to convert\n\nOptions:\n  -o, --output \u003cFILE\u003e      The output path\n  --namespace \u003cnamespace\u003e  The SPDX namespace\n  -?, -h, --help           Show help and usage information\n```\n\n```bash\ndotnet covenant convert spdx \"C:\\Source\\Foo\\Foo.covenant.json\"\n```\n\n### CycloneDX\n\n```\nUsage:\n  covenant convert cyclonedx \u003cPATH\u003e [options]\n\nArguments:\n  \u003cPATH\u003e  The Covenant SBOM file to convert\n\nOptions:\n  -o, --output \u003cFILE\u003e  The output path\n  -?, -h, --help       Show help and usage information\n```\n\n```bash\ndotnet covenant convert cyclonedx \"C:\\Source\\Foo\\Foo.covenant.json\"\n```\n\n## Creating reports\n\n```\nUsage:\n  covenant report \u003cPATH\u003e [options]\n\nArguments:\n  \u003cPATH\u003e  The Covenant SBOM file to create a HTML report for\n\nOptions:\n  -o, --output \u003cFILE\u003e  The output path of the HTML report\n  -?, -h, --help       Show help and usage information\n```\n\n```bash\ndotnet covenant report \"C:\\Source\\Foo\\Foo.covenant.json\"\n```\n\n## Checking compliance\n\n```\nUsage:\n  covenant check \u003cPATH\u003e [options]\n\nArguments:\n  \u003cPATH\u003e  The Covenant SBOM file to run compliance checks for\n\nOptions:\n  -c, --configuration \u003cFILE\u003e  The Covenant configuration file to use\n  -?, -h, --help              Show help and usage information\n```\n\n```bash\ndotnet covenant check \"C:\\Source\\Foo\\Foo.covenant.json\"\n```\n\nYou can put a file called `covenant.config` next to the SPDX report,\nor provide one via the `--configuration` parameter, to configure the \ncompliance rules.\n\n```json\n{\n    \"licenses\": {\n        \"banned\": [\n            \"MIT\"\n        ]\n    }\n}\n```\n\n## Building\n\nWe're using [Cake](https://github.com/cake-build/cake) as a \n[dotnet 
tool](https://docs.microsoft.com/en-us/dotnet/core/tools/global-tools) \nfor building. So make sure that you've restored Cake by running \nthe following in the repository root:\n\n```\n\u003e dotnet tool restore\n```\n\nAfter that, running the build is as easy as writing:\n\n```\n\u003e dotnet cake\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpatriksvensson%2Fcovenant","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpatriksvensson%2Fcovenant","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpatriksvensson%2Fcovenant/lists"}