Software packages often require a fully realized SBOM (software bill of materials) to meet regulatory requirements. Providing a complete inventory of all components, libraries, and dependencies used in both the build and runtime environments is essential for vulnerability management and license compliance.
Generating these manually is complex and time-consuming. Packaging
with Nix reduces this overhead by
allowing you to step through a derivation’s entire dependency graph,
capturing metadata for each component. Tools like nixpkgs#sbomnix
can then automate SBOM generation and visualization based on that
graph.
Using the passthru
attribute of a Nix derivation, it is possible to bundle scripts for
these tools alongside the package itself:
{ pkgs ? import <nixpkgs> {} }:
let
pkg = pkgs.hello.overrideAttrs (_: {
passthru.sbomnix = pkgs.writeShellScriptBin "sbomnix" ''
${pkgs.sbomnix}/bin/sbomnix ${pkg.out} "$@"
'';
});
in
pkgNix itself is never a guarantee of software security or known bill-of-materials completeness. It is, however, a tool for packagers to leverage in order to construct confidence in software security and supply-chain integrity.