@akanchhaS
Created August 29, 2024 16:25
scan your third party SBOMs with snyk API
#!/usr/bin/env bash
# Scan a third-party SBOM with the Snyk SBOM test API.
# Inputs: the path of the SBOM file and its format identifier.
# Example: ./scan-sbom.sh <name_of_the_sbom_file> <sbom_format>
# The format must be one of the identifiers the Snyk API accepts (for example
# cyclonedx1.4+json; check the API reference for the full list). Because this
# script embeds the file as a JSON value in the request body, the SBOM itself
# must be JSON (not XML or tag-value SPDX).
set -euo pipefail

# Check that the correct number of parameters was provided
if [ $# -ne 2 ]; then
  echo "Usage: $0 SBOM_PATH SBOM_FORMAT" >&2
  exit 1
fi
# First parameter is the SBOM path, second is the SBOM format
SBOM_PATH=$1
SBOM_FORMAT=$2

# Settings come from the environment rather than being hardcoded: a token pasted
# into a script ends up in git history and shared gists. Note that the token is
# still visible in the curl process arguments (ps) to other users on the host.
ORG_ID="${SNYK_ORG_ID:?set SNYK_ORG_ID to your Snyk organisation ID}"
SNYK_TOKEN="${SNYK_TOKEN:?set SNYK_TOKEN to your Snyk API token}"
API_VERSION="2024-03-12~beta"

# Build the request body with jq so the SBOM is embedded as a JSON object and the
# format string is escaped properly. --slurpfile fails early on a non-JSON SBOM,
# and passing the body on stdin (--data @-) avoids the argument-length limit that
# inlining a large SBOM into the curl command line would hit.
body=$(jq -n --slurpfile sbom "$SBOM_PATH" --arg format "$SBOM_FORMAT" \
  '{data: {type: "sbom_test", attributes: {sbom: $sbom[0], format: $format}}}')

# Make the cURL request; -w appends the HTTP status code on its own final line
response=$(printf '%s' "$body" | curl -sS -w "\n%{http_code}" \
  --location "https://api.snyk.io/rest/orgs/$ORG_ID/sbom_tests?version=$API_VERSION" \
  --header 'Content-Type: application/vnd.api+json' \
  --header 'Accept: application/vnd.api+json' \
  --header "Authorization: token $SNYK_TOKEN" \
  --data @-)
http_code=$(printf '%s\n' "$response" | tail -n 1)
response_body=$(printf '%s\n' "$response" | sed '$d')

if [ "$http_code" -ne 201 ]; then
  echo "Curl request failed with HTTP code: $http_code" >&2
  printf '%s\n' "$response_body" >&2
  exit 1
fi
echo "Curl request was successful (HTTP 201)."
TEST_ID=$(printf '%s' "$response_body" | jq -r .data.id)
if [ -z "$TEST_ID" ] || [ "$TEST_ID" = "null" ]; then
  echo "No test id in response body" >&2
  exit 1
fi
echo "Test id: $TEST_ID"

# Wait 5 seconds for the test to complete. This is a fixed guess, not a status
# check: a large SBOM may need longer, in which case re-run the GET below.
sleep 5

# GET the test's results endpoint
curl -sS --location "https://api.snyk.io/rest/orgs/$ORG_ID/sbom_tests/$TEST_ID/results?version=$API_VERSION" \
  --header 'Accept: application/vnd.api+json' \
  --header "Authorization: token $SNYK_TOKEN"
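The same two calls (POST to create the SBOM test, GET on the results endpoint) written in Python, as an added example that is not part of the gist. It builds the request body from a parsed SBOM so a non-JSON file fails before any request is sent, and it replaces the fixed five-second wait with a bounded polling loop. The environment variable names SNYK_ORG_ID and SNYK_TOKEN, the retry budget, and the rule that any non-200 status other than an authentication failure means "not ready yet" are this example's own assumptions, not documented Snyk behaviour; the endpoints and API version are the ones the gist uses.

```python
"""Submit a JSON SBOM to the Snyk SBOM test API and poll for the results.

Added example; it mirrors the gist's two calls (POST .../sbom_tests, then
GET .../sbom_tests/{id}/results) with the same API version string.
"""
import json
import os
import sys
import time
import urllib.error
import urllib.request

API_VERSION = "2024-03-12~beta"  # the version the gist uses
BASE_URL = "https://api.snyk.io/rest"


def build_request_body(sbom_text: str, sbom_format: str) -> dict:
    """Build the JSON:API body. The SBOM is embedded as a parsed JSON object,
    which is what the gist's shell interpolation produces, so a non-JSON file
    raises ValueError here instead of yielding a malformed request."""
    sbom = json.loads(sbom_text)
    if not isinstance(sbom, dict):
        raise ValueError("SBOM document must be a JSON object")
    return {"data": {"type": "sbom_test",
                     "attributes": {"sbom": sbom, "format": sbom_format}}}


def http_json(method, url, token, body=None):
    """Perform one request; return (status, parsed JSON body or None).
    HTTP error responses are returned rather than raised so callers can
    branch on the status code."""
    data = None if body is None else json.dumps(body).encode()
    headers = {"Accept": "application/vnd.api+json",
               "Authorization": f"token {token}"}
    if data is not None:
        headers["Content-Type"] = "application/vnd.api+json"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            raw, status = resp.read(), resp.status
    except urllib.error.HTTPError as err:
        raw, status = err.read(), err.code
    try:
        return status, (json.loads(raw) if raw else None)
    except ValueError:
        return status, None


def submit_sbom_test(org_id, token, sbom_text, sbom_format, http=http_json) -> str:
    """POST the SBOM; return the test id from the 201 response."""
    url = f"{BASE_URL}/orgs/{org_id}/sbom_tests?version={API_VERSION}"
    status, body = http("POST", url, token, build_request_body(sbom_text, sbom_format))
    if status != 201 or not body:
        raise RuntimeError(f"SBOM test submission failed: HTTP {status} {body}")
    return body["data"]["id"]


def poll_results(org_id, token, test_id, http=http_json,
                 attempts=12, delay=5.0, sleep=time.sleep) -> dict:
    """GET the results endpoint until it returns 200, within a bounded budget.
    An authentication failure stops immediately because waiting will not fix
    it. Treating any other non-200 status as 'not ready yet' is an assumption
    of this example, not documented API behaviour."""
    url = f"{BASE_URL}/orgs/{org_id}/sbom_tests/{test_id}/results?version={API_VERSION}"
    for attempt in range(1, attempts + 1):
        status, body = http("GET", url, token)
        if status == 200 and body is not None:
            return body
        if status in (401, 403):
            raise RuntimeError(f"authentication failed: HTTP {status}")
        if attempt < attempts:
            sleep(delay)
    raise TimeoutError(f"results for test {test_id} not available after {attempts} attempts")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"Usage: {sys.argv[0]} SBOM_PATH SBOM_FORMAT")
    org = os.environ["SNYK_ORG_ID"]  # assumed variable names, not from the gist
    tok = os.environ["SNYK_TOKEN"]
    with open(sys.argv[1], encoding="utf-8") as fh:
        test_id = submit_sbom_test(org, tok, fh.read(), sys.argv[2])
    print(f"Test id: {test_id}")
    print(json.dumps(poll_results(org, tok, test_id), indent=2))
```

The `http` and `sleep` parameters exist so the flow can be exercised without network access (a fake transport that returns 404 twice and then 200 shows the polling loop working); in production the defaults use urllib and time.sleep.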