How to find SBOM manifests in Harbor
Harbor makes it very hard to find SBOM manifests for images that have multiple artefacts (i.e. are built for multiple platforms or have attached provenance files). This is how to find these manifests.
If you prefer video instructions, they’re at the bottom of this page.
Instructions
Go to the Harbor project containing your image.
Find the relevant image tag.
If automatic SBOM generation on push isn’t enabled, click the checkbox to the left of the tag(s) you need to generate them for. Click the “generate SBOM” button. It’ll look like nothing has happened.
Click on the folder icon next to the “sha256:blah” for the tag you’re interested in.
At least one of the artefacts in this list will have entries in the “SBOM” column. Artefacts with “unknown/unknown” in the OS/Arch column won’t have SBOMs; this is normal and expected. Click on the “SBOM details” next to the relevant artefact.
Scroll down the page that opens. At the bottom you will see the SBOM as a list and also a button to download the SBOM for the associated artefact.
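To see ahead of time which rows in that artefact list should carry an SBOM, you can classify the entries of the image index behind the tag. This is an added example, not part of the original instructions and not Harbor's own code. It assumes the image was built with BuildKit, which records provenance as index entries with platform unknown/unknown and a vnd.docker.reference.type annotation. The function name classify_index and the sample digests are made up for illustration.

```python
def _digest(ch):
    # Constructed placeholder digest, not a real image.
    return "sha256:" + ch * 64

# Constructed sample: image index for a two-platform build with provenance attached.
SAMPLE_INDEX = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"digest": _digest("a"), "platform": {"os": "linux", "architecture": "amd64"}},
        {"digest": _digest("b"),
         "platform": {"os": "linux", "architecture": "arm64", "variant": "v8"}},
        {"digest": _digest("c"), "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": _digest("a")}},
        {"digest": _digest("d"), "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": _digest("b")}},
    ],
}

def classify_index(index):
    """Return (platform_images, attestations) for the entries of an image index."""
    images, attestations = [], []
    for entry in index.get("manifests", []):
        plat = entry.get("platform") or {}
        os_arch = "/".join(filter(None, [plat.get("os", "unknown"),
                                         plat.get("architecture", "unknown"),
                                         plat.get("variant")]))
        ann = entry.get("annotations") or {}
        if (ann.get("vnd.docker.reference.type") == "attestation-manifest"
                or os_arch == "unknown/unknown"):
            # Attestation entry: no SBOM of its own; note which image it describes.
            attestations.append({"digest": entry["digest"],
                                 "describes": ann.get("vnd.docker.reference.digest")})
        else:
            # Runnable platform image: this is the row to expect an SBOM on.
            images.append({"digest": entry["digest"], "os_arch": os_arch})
    return images, attestations

if __name__ == "__main__":
    imgs, atts = classify_index(SAMPLE_INDEX)
    for i in imgs:
        print("SBOM expected:", i["os_arch"], i["digest"][:19])
    for a in atts:
        print("no SBOM, attestation for", (a["describes"] or "?")[:19])
```

The digests listed under "SBOM expected" are the ones to match against the rows you open with the folder icon.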