bifrost CLI
The bifrost CLI is a command-line tool for uploading SBOM (Software Bill of Materials) files to bifrost.
Use it from your workstation, local automation, or CI/CD workflows when you already produce SBOMs as part of your build pipeline.
Prerequisites
Before using the CLI:
- Create an account or sign in to the bifrost portal.
- Create an API token for your organization in the organization settings.
- Install the CLI for your operating system.
Install
Homebrew
The easiest way to install the CLI on macOS or Linux is with Homebrew:

    brew install bifrostsec/tap/bifrost-cli

This installs the bifrost command. The bifrostsec/tap prefix automatically taps the bifrost Homebrew repository, so no separate brew tap step is needed.
To update an existing Homebrew installation:

    brew update
    brew upgrade bifrost-cli

Download a release binary
You can also download the latest released executable from the bifrost-cli releases page.
For example, on macOS with Apple Silicon:

    curl -L -o bifrost \
      https://github.com/bifrostsec/bifrost-cli/releases/latest/download/bifrost-darwin-arm64
    chmod +x ./bifrost
    sudo mv ./bifrost /usr/local/bin/bifrost

Available release binaries include:
- bifrost-darwin-amd64
- bifrost-darwin-arm64
- bifrost-linux-amd64
- bifrost-linux-arm64
- bifrost-windows-386
- bifrost-windows-amd64
Authentication
The CLI sends your API token as a bearer token when uploading SBOMs.
Set the token with the BIFROST_API_KEY environment variable:

    export BIFROST_API_KEY="<your-api-token>"

You can also pass the token with --api-key.
Upload an SBOM for a service and version:

    bifrost --service=my-service --service-version=1.2.3 sbom upload ./sbom.json

You can upload multiple SBOM files in one command:

    bifrost --service=my-service --service-version=1.2.3 sbom upload \
      ./sbom-application.cdx.json \
      ./sbom-image.cdx.json

You can also read an SBOM from standard input by using - as the path:

    cat ./sbom.json | bifrost --service=my-service --service-version=1.2.3 sbom upload -

Examples
Generate a CycloneDX SBOM for a container image with Trivy and pipe it directly to bifrost:

    trivy image --format cyclonedx myapp:1.2.3 \
      | bifrost --service=my-service --service-version=1.2.3 sbom upload -

Export a repository dependency graph SBOM with the GitHub CLI and pipe the SPDX document to bifrost:

    gh api \
      -H "Accept: application/vnd.github+json" \
      -H "X-GitHub-Api-Version: 2026-03-10" \
      /repos/OWNER/REPO/dependency-graph/sbom \
      --jq '.sbom' \
      | bifrost --service=my-service --service-version=1.2.3 sbom upload -

Attach Git metadata to the upload request:

    bifrost \
      --service=my-service \
      --service-version=1.2.3 \
      --git-branch=main \
      --git-commit-sha=4f5b2d6e8a9c1f0b3d7e6a5c4b2a1908d6e5f4a3 \
      --git-origin=https://github.com/example/project.git \
      sbom upload ./sbom.json
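
A guarded wrapper around the upload command for CI use, as an added example that is not part of the bifrost CLI or its documentation. It reads the token only from BIFROST_API_KEY (passing --api-key would place it in the process argument list), rejects files that do not look like CycloneDX or SPDX JSON, and strips embedded credentials from the remote URL before sending it as --git-origin. The function names, the grep-based format heuristic and the exit codes are assumptions; only flags shown on this page are used.

```shell
#!/bin/sh
# Added example; function names and exit codes are hypothetical.

# Strip userinfo (https://user:token@host/...) from a Git remote URL so CI
# credentials are not sent as --git-origin metadata. scp-style remotes pass through.
scrub_origin() {
    printf '%s\n' "$1" | sed -E 's#^([a-zA-Z][a-zA-Z0-9+.-]*://)[^/@]*@#\1#'
}

# Heuristic (assumption): CycloneDX JSON has "bomFormat", SPDX JSON has "spdxVersion".
sbom_format() {
    if grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$1" 2>/dev/null; then
        echo cyclonedx
    elif grep -q '"spdxVersion"' "$1" 2>/dev/null; then
        echo spdx
    else
        echo unknown
        return 1
    fi
}

# Usage: upload_sbom SERVICE VERSION FILE
upload_sbom() {
    service=$1 version=$2 file=$3
    # Token comes from the environment only; --api-key would expose it in argv.
    if [ -z "${BIFROST_API_KEY:-}" ]; then
        echo "BIFROST_API_KEY is not set" >&2
        return 2
    fi
    if ! fmt=$(sbom_format "$file"); then
        echo "$file: not a CycloneDX or SPDX JSON document" >&2
        return 3
    fi
    set -- "--service=$service" "--service-version=$version"
    # Attach Git metadata only when run inside a repository.
    if sha=$(git rev-parse HEAD 2>/dev/null); then
        set -- "$@" "--git-commit-sha=$sha"
        # symbolic-ref fails on a detached HEAD, so no bogus branch is sent.
        if branch=$(git symbolic-ref --short -q HEAD 2>/dev/null); then
            set -- "$@" "--git-branch=$branch"
        fi
        if origin=$(git remote get-url origin 2>/dev/null); then
            set -- "$@" "--git-origin=$(scrub_origin "$origin")"
        fi
    fi
    echo "uploading $fmt SBOM: $file" >&2
    bifrost "$@" sbom upload "$file"
}
```

Source the file in a CI step and call, for example, upload_sbom my-service 1.2.3 ./sbom.json.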