# Easily generate SBOMs for every build with Depot (https://depot.dev/blog/build-with-sboms)

> By Kyle Galbraith (CEO & Co-founder of Depot)
> Published 2023-10-17

We are excited to introduce our new Attestations feature, which allows you to generate a Software Bill of Materials (SBOM) for every build and easily download it from your build detail view.


## Generating an SBOM with Depot

We've added the ability to generate a Software Bill of Materials (SBOM) for any `depot build` or `depot bake` command via our [`depot` CLI](/docs/cli/installation). Add the `--sbom=true` flag to your build command to generate one for your build.

```shell
depot build --sbom=true .
depot bake --sbom=true -f docker-bake.hcl
```

We've also made accessing the SBOMs generated by your build easier. You can specify a directory to write the SBOM(s) to with the `--sbom-dir` parameter.

```shell
depot build --sbom=true --sbom-dir=sboms .
depot bake --sbom=true --sbom-dir=sboms -f docker-bake.hcl
```

You can also access all the SBOMs generated by your build in the new Attestations view, part of our new [build insights](/blog/build-insights), where you can download them at any time.

Here we see that this build was executed via a `depot bake` command, so there are six SBOMs, one for each target and platform architecture:

[<img alt="Attestations section" src="/images/drop-week-02/attestations-section.png" width="1334" height="1056" />](/images/drop-week-02/attestations-section.png)

SBOMs are generated with [Syft](https://github.com/anchore/syft), which supports a [wide variety of ecosystems](https://github.com/anchore/syft#supported-ecosystems), and are saved in the industry-standard SPDX format. You can learn more about the SPDX format [here](https://spdx.dev/).
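Since a `depot bake` build writes one SPDX SBOM per target and platform, the first thing worth doing with a `--sbom-dir` directory is comparing them. The script below is an added example (not Depot's or Syft's code): it loads every JSON file in the directory, unwraps an in-toto statement if the file is wrapped that way (an assumption about the file layout, since the post does not show the on-disk format), and reports packages whose version differs or is missing between targets. The file names and package lists are constructed samples.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample SBOMs for two bake targets (not real Depot output). The arm64
# one is wrapped in an in-toto statement as BuildKit emits attestations; whether
# Depot's --sbom-dir files are wrapped that way is an assumption handled by load_spdx.
SAMPLE_SBOMS = {
    "app-linux-amd64.spdx.json": {"spdxVersion": "SPDX-2.3", "packages": [
        {"name": "openssl", "versionInfo": "3.0.11-1"},
        {"name": "zlib", "versionInfo": "1.2.13-1"}]},
    "app-linux-arm64.spdx.json": {"predicateType": "https://spdx.dev/Document",
        "predicate": {"spdxVersion": "SPDX-2.3", "packages": [
            {"name": "openssl", "versionInfo": "3.0.10-1"},
            {"name": "zlib", "versionInfo": "1.2.13-1"},
            {"name": "curl", "versionInfo": "8.4.0-1"}]}},
}

def load_spdx(path):
    """Return the SPDX document in `path`, unwrapping an in-toto statement if present."""
    doc = json.loads(Path(path).read_text())
    if "spdxVersion" not in doc and isinstance(doc.get("predicate"), dict):
        doc = doc["predicate"]
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        raise ValueError(f"{path}: not an SPDX document")
    return doc

def package_versions(doc):
    """Map package name -> versionInfo (last entry wins if a name repeats across layers)."""
    return {p["name"]: p.get("versionInfo", "?") for p in doc.get("packages", [])}

def compare_sboms(sbom_dir):
    """Packages whose version differs (or is missing) between the SBOMs in sbom_dir."""
    per_file = {p.name: package_versions(load_spdx(p))
                for p in sorted(Path(sbom_dir).glob("*.json"))}
    drift = {}
    for name in sorted(set().union(*per_file.values())):
        versions = {f: pkgs.get(name) for f, pkgs in per_file.items()}
        if len(set(versions.values())) > 1:  # identical everywhere -> not drift
            drift[name] = versions
    return drift

def demo():
    """Write the constructed SBOMs to a temp dir and compare them; returns the drift map."""
    with tempfile.TemporaryDirectory() as d:
        for fname, doc in SAMPLE_SBOMS.items():
            Path(d, fname).write_text(json.dumps(doc))
        return compare_sboms(d)
```

Point `compare_sboms` at a real `--sbom-dir` output to see which packages differ between your targets; an empty result means every target carries the same package versions.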

## Generating SBOMs and uploading them to GitHub

Our [`depot/build-push-action`](https://github.com/depot/build-push-action) and [`depot/bake-action`](https://github.com/depot/bake-action) GitHub Actions also support this new SBOM functionality.

With either of our actions, you can specify the `sbom` parameter to generate a Software Bill of Materials during the build and the `sbom-dir` parameter to output the generated SBOMs to a specified directory.

From there, you can upload the SBOMs as artifacts via [`actions/upload-artifact`](https://github.com/actions/upload-artifact), or submit them to GitHub's dependency submission API via [`advanced-security/spdx-dependency-submission-action`](https://github.com/advanced-security/spdx-dependency-submission-action). This lets you receive Dependabot alerts for vulnerabilities in the contents of the built image itself!

```yaml
name: Build image with SBOM

on:
  push:
    branches: [main]

jobs:
  docker-image-sbom:
    runs-on: ubuntu-latest
    permissions:
      contents: write # the dependency submission API needs write access to the repo
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3

      - name: Set up Depot CLI
        uses: depot/setup-action@v1

      - name: Build an image with Software Bill of Materials (SBOM)
        uses: depot/build-push-action@v1
        with:
          # add the project/token inputs your Depot project requires here
          sbom: true
          sbom-dir: ./sbom-output

      - name: Upload SBOM directory as a build artifact
        uses: actions/upload-artifact@v3.1.0
        with:
          path: ./sbom-output
          name: 'SBOM'

      - name: Submit SPDX SBOMs to the dependency submission API
        uses: advanced-security/spdx-dependency-submission-action@v0.0.1
        with:
          filePath: ./sbom-output/
```

**Note:** When you upload an SBOM to GitHub's dependency submission API, it will be uploaded as a dependency manifest. So, you will receive Dependabot alerts for the packages included in the SBOM.

## Generate an SBOM today

We're excited about incorporating SBOMs and future attestations into Depot, especially considering their growing importance in supply-chain security.

We'd love to hear your feedback and ideas on how we can make this even better. You can head to our [Discord Community](https://discord.gg/MMPqYSgDCg) and let us know your thoughts.

If you're new to Depot, you can [sign up for free](https://depot.dev/start) and get up to 40x faster Docker builds in just a few minutes.
