A tool for generating a Software Bill of Materials (SBOM) from a Docker image using Syft and uploading it to Codacy:
| Tool | Use case |
|---|---|
| `sbom_to_codacy.py` | Local script — works with any public Docker image, interactive prompts |
```text
Docker Hub / public registry
            │
            ▼
       docker pull
            │
            ▼
Syft ──CycloneDX JSON──► Codacy API
```
- Checks that `docker` is installed and the daemon is running.
- Checks that `syft` is installed — offers to install it automatically if not.
- Prompts for the image name and Codacy credentials (saved to `~/.config/sbom-codacy/config.json` after first run).
- Pulls the image, generates a CycloneDX JSON SBOM across all layers, and uploads it to Codacy.
- Docker Desktop running locally — install
- Python 3.9+ — no third-party packages needed (stdlib only)
- syft — the script will offer to install it for you on first run
- A Codacy API token — generate one under Your account > Access management > API tokens
- The target repository must already be added to your Codacy organization
```bash
python3 sbom_to_codacy.py
```

On first run you will be prompted for:
| Prompt | Example |
|---|---|
| Docker image | nginx:latest, python:3.12-slim, alpine:3.19 |
| Codacy API token | (hidden input) |
| Git provider | gh (GitHub) / gl (GitLab) / bb (Bitbucket) |
| Codacy organization | my-org |
| Codacy repository | my-service |
Codacy settings are saved to ~/.config/sbom-codacy/config.json (mode 0600) after the first run so only the image is prompted on subsequent runs.
| Problem | Fix |
|---|---|
| `docker pull` fails | Confirm the image name is correct and publicly accessible. Try `docker pull <image>` in your terminal first. |
| `syft` install fails | Install it manually — syft installation docs. Then re-run the script. |
| HTTP 401 from Codacy | The API token is wrong or expired. Generate a new one in Codacy and delete `~/.config/sbom-codacy/config.json` to reset saved credentials. |
| HTTP 404 from Codacy | The provider, organization, or repository name doesn't match what Codacy has on record. Check the URL `https://app.codacy.com/{provider}/{org}/{repo}` in your browser. |
| HTTP 422 from Codacy | The SBOM payload was rejected. This can happen if the image has no detectable packages (e.g., a bare scratch image). |
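Two pieces of the flow above are worth seeing in code: persisting the config file with mode 0600, and catching the "no detectable packages" case locally before Codacy answers HTTP 422. The block below is an added, stdlib-only example and not the project's `sbom_to_codacy.py`; the `syft` flags, the `EMPTY_SBOM` sample and the `REDACTED` token value are constructed for illustration, and the Codacy upload step itself is omitted.

```python
"""Added pre-flight helpers for the SBOM-to-Codacy flow described above. This is
example code, not the project's sbom_to_codacy.py; stdlib only, upload step omitted."""
import json
import os
import stat
import tempfile
from pathlib import Path

CONFIG_PATH = Path("~/.config/sbom-codacy/config.json").expanduser()

# Constructed sample: the shape syft emits for an image with no detectable packages.
EMPTY_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}


def syft_command(image: str) -> list[str]:
    """syft invocation producing a CycloneDX JSON SBOM over all image layers."""
    return ["syft", f"docker:{image}", "-o", "cyclonedx-json", "--scope", "all-layers"]


def sbom_problems(sbom: dict) -> list[str]:
    """Reasons Codacy would likely reject the payload (HTTP 422), checked before upload."""
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if not sbom.get("specVersion"):
        problems.append("specVersion missing")
    if not sbom.get("components"):
        problems.append("no components: no detectable packages (e.g. a scratch image)")
    return problems


def save_config(cfg: dict, path: Path = CONFIG_PATH) -> int:
    """Write settings (including the API token) with mode 0600; return the final mode bits."""
    path.parent.mkdir(parents=True, exist_ok=True)
    # Create with 0600 at open time so the token is never world-readable, even briefly.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(cfg, fh, indent=2)
    os.chmod(path, 0o600)  # tighten again if the file pre-existed with looser bits
    return stat.S_IMODE(os.stat(path).st_mode)


def save_config_demo() -> int:
    """Round-trip a constructed config through a temp dir and report its mode."""
    with tempfile.TemporaryDirectory() as d:
        cfg = {"provider": "gh", "org": "my-org", "repo": "my-service", "token": "REDACTED"}
        return save_config(cfg, Path(d) / "config.json")
```

Run `sbom_problems` on the parsed syft output before uploading; a non-empty list means the request would come back as a 422 and the image is not worth sending.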