
Policy Software Bill of Materials (SBOM)

The Policy SBOM (Software Bill of Materials) is a unique Styra DAS feature which computes the Git commit SHA for each policy package namespace from a System, matching Stacks, and imported Libraries in a policy bundle and adds it to the policy bundle manifest. The Policy SBOM is also available via the bundles API. With the Policy SBOM, users can easily match the exact Git commits in a point in time from one or more policy Git repositories backing Systems, Stacks, and Libraries, providing traceability from policy as code to policy running in production.

Tip: Styra recommends using Git-backed Systems, Stacks, and Libraries as well as using Git at the Workspace level. This ensures policies are fully version-controlled and policy changes are traceable. Any resources which are not Git-backed are not included in the Policy SBOM.

Policy SBOM Format and Contents

When Styra DAS builds a System policy bundle, it gathers the policies defined directly in the System, the policies from matching Stacks, and the policies from imported Libraries (both customer-owned Libraries and Styra-built policy libraries, for Systems which include a rule library). If the System, any matching Stacks, or any imported customer-owned Libraries are Git-backed resources, Styra DAS identifies the Git repository details and the commit SHA associated with the current policy version of each Git-backed resource. These details are mapped to the Git-backed resource's policy package namespace (e.g., systems/a8318943a5814712a69adcb2d9f76970 for a System with id a8318943a5814712a69adcb2d9f76970, or libraries/customer_snippets for a customer-owned Library named customer_snippets) and added to the bundle's Policy SBOM.

Each policy package namespace's SBOM details include the namespace id, the associated policy roots, the Git details (repository URL, reference, path, commit SHA), and the timestamp of the last change to the policies in that namespace. For example, a Library SBOM record (e.g., libraries/customer_snippets from above) may look similar to:

{
  "id": "libraries/customer_snippets",
  "repo": "https://github.com/UserOrg/example-repo.git",
  "ref": "refs/heads/branch-name",
  "commit": "14114bf61f8dd72562e17b6b001a4330cd2cce70",
  "path": "libraries/customer_snippets",
  "timestamp": "2024-07-07T23:27:57.982127714Z",
  "roots": [
    "libraries"
  ]
}

Bundle Manifest SBOM

The Policy SBOM is automatically added to the metadata of each policy bundle's .manifest file, which can be found in the bundle root. The manifest's metadata field will include the STYRA_SBOM object with origins listing the package namespaces with associated Git repository details.

Using the example System and Library from above, the policy bundle manifest may look similar to:

{
  "revision": "<revision_string>",
  "roots": [
    "dataset",
    "groups",
    "libraries/customer_snippets",
    "library",
    "policy",
    "rules",
    "system/log",
    "test"
  ],
  "metadata": {
    "STYRA_SBOM": {
      "origins": [
        {
          "id": "libraries/customer_snippets",
          "repo": "https://github.com/UserOrg/example-repo.git",
          "ref": "refs/heads/branch-name",
          "commit": "14114bf61f8dd72562e17b6b001a4330cd2cce70",
          "path": "libraries/customer_snippets",
          "timestamp": "2024-07-07T23:27:57.982127714Z",
          "roots": [
            "libraries"
          ]
        },
        {
          "id": "systems/a8318943a5814712a69adcb2d9f76970",
          "repo": "https://github.com/UserOrg/system-repo.git",
          "ref": "refs/heads/main",
          "commit": "cm871e4633b0644e10e6f75b0e1ba0aceaff6baz",
          "path": "policies",
          "timestamp": "2024-07-02T14:11:31.032577344Z",
          "roots": [
            "policy",
            "rules",
            "system",
            "test"
          ]
        }
      ]
    }
  }
}
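The manifest structure above is what a deployment check would consume. The following Python script is an added example, not part of Styra DAS or this page: it reads a bundle .manifest, lists the STYRA_SBOM origins, reports manifest roots that no Git-backed origin covers, and compares each origin's commit against a hypothetical pin list of approved commits per namespace. The manifest is a constructed sample modelled on the one shown above, with a constructed commit SHA for the System.

```python
import json
import re
from typing import Dict, List
HEX40 = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample manifest, modelled on the one shown above (not a real bundle).
SAMPLE_MANIFEST = json.dumps({
    "revision": "rev-1",
    "roots": ["dataset", "libraries/customer_snippets", "policy", "rules", "system/log", "test"],
    "metadata": {"STYRA_SBOM": {"origins": [
        {"id": "libraries/customer_snippets",
         "repo": "https://github.com/UserOrg/example-repo.git", "ref": "refs/heads/branch-name",
         "commit": "14114bf61f8dd72562e17b6b001a4330cd2cce70",
         "path": "libraries/customer_snippets", "roots": ["libraries"]},
        {"id": "systems/a8318943a5814712a69adcb2d9f76970",
         "repo": "https://github.com/UserOrg/system-repo.git", "ref": "refs/heads/main",
         "commit": "0f1e2d3c4b5a69788796a5b4c3d2e1f000112233",  # constructed SHA
         "path": "policies", "roots": ["policy", "rules", "system", "test"]},
    ]}},
})

def sbom_origins(manifest_text: str) -> List[dict]:
    """Return the STYRA_SBOM origin records; [] when no Git-backed policies are present."""
    manifest = json.loads(manifest_text)
    return manifest.get("metadata", {}).get("STYRA_SBOM", {}).get("origins", [])

def roots_without_provenance(manifest_text: str) -> List[str]:
    """Manifest roots not covered by any origin's roots, i.e. policy with no Git traceability."""
    covered = [r for o in sbom_origins(manifest_text) for r in o.get("roots", [])]
    return [r for r in json.loads(manifest_text).get("roots", [])
            if not any(r == c or r.startswith(c + "/") for c in covered)]

def audit_origins(manifest_text: str, approved: Dict[str, str]) -> List[str]:
    """One finding per origin that is malformed or deviates from `approved`
    (a hypothetical pin list: package namespace id -> commit SHA expected in production)."""
    findings, present = [], set()
    for o in sbom_origins(manifest_text):
        ns, commit = o.get("id", "?"), o.get("commit", "")
        present.add(ns)
        if not HEX40.match(commit):
            findings.append(f"{ns}: commit {commit!r} is not a 40-hex Git SHA")
        elif ns not in approved:
            findings.append(f"{ns}: namespace is not in the approved pin list")
        elif approved[ns] != commit:
            findings.append(f"{ns}: commit {commit} differs from approved {approved[ns]}")
    # A pinned namespace missing from the SBOM usually means the resource is not Git-backed.
    findings += [f"{ns}: approved namespace absent from SBOM" for ns in approved if ns not in present]
    return findings
```

Roots such as dataset in the sample come from resources with no Git origin, which is exactly what the tip above warns about; the pin list is the piece you would maintain alongside the policy repositories.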

Bundles API SBOM

The Policy SBOM is also available via the System bundles API on both the GetSystemBundles and GetSystemBundleDetails operations. For any bundle that includes Git-backed policies, the response includes the sbom field, with origins listing the package namespaces and their associated Git repository details.