bifrost CLI

The bifrost CLI is a command-line tool for uploading SBOM (Software Bill of Materials) files to bifrost.

Use it from your workstation, local automation, or CI/CD workflows when you already produce SBOMs as part of your build pipeline.

Before using the CLI:

  1. Create an account or sign in to the bifrost portal.
  2. Create an API token for your organization in the organization settings.
  3. Install the CLI for your operating system.

The easiest way to install the CLI on macOS or Linux is with Homebrew:

Terminal window
brew install bifrostsec/tap/bifrost-cli

This installs the bifrost command. The bifrostsec/tap prefix automatically taps the bifrost Homebrew repository, so no separate brew tap step is needed.

To update an existing Homebrew installation:

Terminal window
brew update
brew upgrade bifrost-cli

You can also download the latest released executable from the bifrost-cli releases page.

For example, on macOS with Apple Silicon:

Terminal window
# -f makes curl fail on an HTTP error instead of saving the error page as the binary
curl -fL -o bifrost \
  https://github.com/bifrostsec/bifrost-cli/releases/latest/download/bifrost-darwin-arm64
chmod +x ./bifrost
sudo mv ./bifrost /usr/local/bin/bifrost

Available release binaries include:

  • bifrost-darwin-amd64
  • bifrost-darwin-arm64
  • bifrost-linux-amd64
  • bifrost-linux-arm64
  • bifrost-windows-386
  • bifrost-windows-amd64

The CLI sends your API token as a bearer token when uploading SBOMs.

Set the token with the BIFROST_API_KEY environment variable:

Terminal window
export BIFROST_API_KEY="<your-api-token>"

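You can also pass the token with --api-key. Command-line arguments can end up in shell history and are visible in process listings, so prefer the environment variable on shared machines and in CI.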

Upload an SBOM for a service and version:

Terminal window
bifrost --service=my-service --service-version=1.2.3 sbom upload ./sbom.json

You can upload multiple SBOM files in one command:

Terminal window
bifrost --service=my-service --service-version=1.2.3 sbom upload \
  ./sbom-application.cdx.json \
  ./sbom-image.cdx.json

You can also read an SBOM from standard input by using - as the path:

Terminal window
cat ./sbom.json | bifrost --service=my-service --service-version=1.2.3 sbom upload -

Generate a CycloneDX SBOM for a container image with Trivy and pipe it directly to bifrost:

Terminal window
trivy image --format cyclonedx myapp:1.2.3 \
  | bifrost --service=my-service --service-version=1.2.3 sbom upload -

Export a repository dependency graph SBOM with the GitHub CLI and pipe the SPDX document to bifrost:

Terminal window
gh api \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  /repos/OWNER/REPO/dependency-graph/sbom \
  --jq '.sbom' \
  | bifrost --service=my-service --service-version=1.2.3 sbom upload -

Attach Git metadata to the upload request:

Terminal window
bifrost \
  --service=my-service \
  --service-version=1.2.3 \
  --git-branch=main \
  --git-commit-sha=4f5b2d6e8a9c1f0b3d7e6a5c4b2a1908d6e5f4a3 \
  --git-origin=https://github.com/example/project.git \
  sbom upload ./sbom.json
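
In CI the Git flags are usually derived from the checkout rather than typed by hand. The following is an added example, not part of the bifrost documentation: the function names are hypothetical, it assumes git and bifrost are on PATH, and it uses only flags shown on this page. It strips credentials that a CI checkout may have embedded in the origin URL and requires the token to come from BIFROST_API_KEY.

```shell
#!/bin/sh
# Added example, not bifrost project code. Function names are hypothetical.

# Drop "user:password@" from an http(s) remote URL so a checkout token that CI
# embedded in the origin is not uploaded as metadata. Other URL forms pass through.
sanitize_origin() {
  printf '%s\n' "$1" | sed -E 's#^(https?://)[^/@]*@#\1#'
}

# Print the --git-* flags for the checkout in the current directory, one per
# line. $1 is an optional branch name, needed for detached-HEAD CI checkouts.
git_metadata_flags() (
  sha=$(git rev-parse HEAD) || exit 1
  case "$sha" in
    *[!0-9a-f]*|"") echo "unexpected commit id: $sha" >&2; exit 1 ;;
  esac
  # 40 hex characters, as in the page's example (a SHA-1 repository).
  [ "${#sha}" -eq 40 ] || { echo "expected a 40-character SHA: $sha" >&2; exit 1; }
  branch=${1:-$(git rev-parse --abbrev-ref HEAD)} || exit 1
  if [ "$branch" = "HEAD" ]; then
    echo "detached HEAD: pass the branch name explicitly" >&2; exit 1
  fi
  origin=$(git remote get-url origin) || exit 1
  printf '%s\n' "--git-branch=$branch" "--git-commit-sha=$sha" \
    "--git-origin=$(sanitize_origin "$origin")"
)

# upload_sbom SERVICE VERSION BRANCH SBOM...   (BRANCH may be "" to ask git)
upload_sbom() (
  service=$1 version=$2 branch=$3
  shift 3
  # The token is read from the environment and never placed in argv.
  : "${BIFROST_API_KEY:?set BIFROST_API_KEY in the environment}"
  flags=$(git_metadata_flags "$branch") || exit 1
  IFS='
'
  set -f   # split $flags on newlines only, with no glob expansion
  set -- $flags sbom upload "$@"
  bifrost "--service=$service" "--service-version=$version" "$@"
)

# Usage (CI_BRANCH is a placeholder for your CI system's branch variable):
#   upload_sbom my-service 1.2.3 "${CI_BRANCH:-}" ./sbom.json
```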