Linux quick start: C/C++ SBOM generation (Debian)
This page is the shortest path from a clean Debian or Ubuntu machine to a CycloneDX SBOM for a C or C++ build. For every option, environment variable, and command in depth, see C/C++ SBOM Generation.
Before you start
You need a license key from the RunSafe Platform: open your organization, then Settings → License Key.
You also need a normal C/C++ toolchain and curl installed (for example sudo apt install build-essential curl on Debian).
The process in four steps
1. Install RunSafe SBOM
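Add the RunSafe package repository and install the package. The setup script is piped to bash under sudo, so it runs as root; download and read it first if you want to review what it changes: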
curl -1sLf \
'https://packages.runsafesecurity.com/public/runsafe/setup.deb.sh' \
| sudo -E bash
sudo apt install runsafe-sbom
2. Log in and start the SBOM service
Use the license key from the platform:
runsafe_sbom login -l <your_license_key>
runsafe_sbom service start
Check that the service is up:
runsafe_sbom service status
3. Run your build through runsafe_sbom
Prefix your usual build command with runsafe_sbom --. The wrapper records what the compiler and linker touch so the SBOM can be generated afterward.
Single-file example:
runsafe_sbom -- gcc hello.c -o hello
Typical project with Make:
runsafe_sbom -- make -j"$(nproc)"
Use the same pattern for CMake, Meson, or other build systems: put the command that performs the compile/link after runsafe_sbom --.
4. Write the CycloneDX SBOM file
runsafe_sbom generate --output-file=my-project.cdx.json
You now have a CycloneDX SBOM at my-project.cdx.json.
Copy-paste mini example
From an empty directory, you can sanity-check the flow end to end:
mkdir hello && cd hello
cat <<'EOF' > hello.c
#include <stdio.h>
int main(void) {
    printf("Hello\n");
    return 0;
}
EOF
runsafe_sbom -- gcc hello.c -o hello
runsafe_sbom generate --output-file=hello.cdx.json
Open hello.cdx.json to confirm the SBOM was created.
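To go beyond opening the file by eye, the following added example (not RunSafe's own code) checks that the output is a structurally plausible CycloneDX document and lists components that lack a version or hashes. The function name check_sbom and the embedded sample document are assumptions made for illustration; the sample is constructed and does not represent actual runsafe_sbom output.

```python
import json
import sys

# Constructed sample for illustration; not real runsafe_sbom output.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libc6", "version": "2.36",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
        {"type": "file", "name": "hello.c"},
    ],
})


def check_sbom(text):
    """Return (errors, warnings) for a CycloneDX JSON document."""
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"], []
    if not isinstance(bom, dict):
        return ["top level is not a JSON object"], []
    errors, warnings = [], []
    if bom.get("bomFormat") != "CycloneDX":
        errors.append("bomFormat is not 'CycloneDX'")
    if not bom.get("specVersion"):
        errors.append("specVersion is missing")
    components = bom.get("components")
    if not isinstance(components, list) or not components:
        errors.append("components list is empty or missing")
        return errors, warnings
    for i, comp in enumerate(components):
        if not isinstance(comp, dict) or not comp.get("name"):
            errors.append(f"component #{i} has no name")
            continue
        # version (since CycloneDX 1.4) and hashes are optional, so only warn.
        for field in ("version", "hashes"):
            if not comp.get(field):
                warnings.append(f"{comp['name']}: no {field}")
    return errors, warnings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    errors, warnings = check_sbom(text)
    print("\n".join(["ERROR: " + e for e in errors] + ["WARN: " + w for w in warnings]))
    sys.exit(1 if errors else 0)
```

Saved under a name of your choice and run with hello.cdx.json as its argument, it exits non-zero only on structural errors, so it can gate a CI step while still printing the warnings.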
Next steps
- CI/CD, upgrades, offline licenses, and troubleshooting: C/C++ SBOM Generation