tiiuae / sbomnix

A suite of utilities to help with software supply chain challenges on nix targets


Example or documentation on how to use it via an API

drupol opened this issue · comments

Hello,

I'm currently investigating how I could potentially embed SBOMs in OCI containers made with Nix.
I would like to use this project, which seems quite mature, but I wish I could use it through a Nix API; it would make sense to use it that way when building the container.

I have opened an issue at https://discourse.nixos.org/t/generate-sbom-from-oci-container-made-with-nix/39430, and I'm currently able to do what I want, but I wish I could also evaluate the use of this project too.

Thanks for shedding some light on this!

Thanks, this is a valid request. I'll look into this as soon as possible.

Cool, looking forward to it!!!

@drupol: Sorry for the delay in response.

Re-visiting the discussion here: https://discourse.nixos.org/t/generate-sbom-from-oci-container-made-with-nix/39430/14
I believe what you are trying to do cannot be done with sbomnix since it uses nix-store internally, and using nix-store
inside nix-build (in runCommand) will not work due to the nix build sandbox.

Changing sbomnix so that it could be used during build time would require a major refactor.

If you (or anyone else reading this) have ideas on how to work around this limitation, we certainly appreciate any suggestions or contributions.
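As an added illustration of the limitation described in this thread, and of one workaround idea (this is editor-supplied example code, not code from sbomnix or from either participant): the first derivation is the `nix-store`-inside-`runCommand` approach the maintainer says cannot work, and the second uses nixpkgs' `closureInfo` to obtain the image's runtime closure inside the sandbox without calling `nix-store` at all. It assumes a recent nixpkgs where `dockerTools.buildImage` accepts `copyToRoot`; the image contents are a constructed example.

```nix
# Added example (not from sbomnix or this thread). Assumes a recent nixpkgs.
{ pkgs ? import <nixpkgs> { } }:

let
  # Constructed sample image: a minimal OCI image containing only GNU hello.
  image = pkgs.dockerTools.buildImage {
    name = "hello-image";
    copyToRoot = [ pkgs.hello ];
    config.Cmd = [ "${pkgs.hello}/bin/hello" ];
  };

  # What the thread describes: this derivation fails when built. Inside the
  # build sandbox there is no nix-daemon socket and no /nix/var/nix/db, so
  # `nix-store` (and therefore sbomnix, which wraps it) cannot query
  # dependencies of any store path.
  brokenSbomStep = pkgs.runCommand "sbom-via-nix-store" { } ''
    ${pkgs.nix}/bin/nix-store -q --requisites ${image} > $out
  '';

  # Workaround pattern: let the evaluator compute the closure and hand it to
  # the builder as a plain file. closureInfo exports the references graph of
  # rootPaths; $closure/store-paths then lists every runtime store path, one
  # per line, with no nix-store call needed inside the sandbox.
  closure = pkgs.closureInfo { rootPaths = [ image ]; };

  # Sorted for a deterministic, diff-friendly inventory that can be shipped
  # alongside the image or fed to a post-build SBOM step.
  closureList = pkgs.runCommand "image-runtime-closure" { } ''
    sort ${closure}/store-paths > $out
  '';
in
{
  inherit image closureList brokenSbomStep;
}
```

Note that `closureInfo` only yields the store-path inventory; the package metadata that sbomnix adds (names, versions, licenses) still has to be produced outside the build, by running sbomnix on the built image's store path.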

So sad, thanks for the clear explanation.