Endor Labs SBOM Export

Project-Agent / library/workflows/endor-sbom-export/README.md

Generates a Software Bill of Materials (SBOM) from Endor Labs package data and attaches it to a Jira compliance ticket for audit and regulatory purposes.

Maturity: L3+ (Enforced and up) · See the 5-level maturity model for where this workflow fits in your program.

Time Saved

Before: ~2 hours per quarter manually compiling package inventories, formatting SBOM documents, and attaching them to compliance tickets.

After: Automated SBOM generation in CycloneDX format with Jira ticket creation and attachment in a single workflow run.

Connectors

| Connector | Operations | Risk |
|-----------|-----------|------|
| Endor Labs | packages:read, packages:read_versions | LOW |
| Jira | issues:create, attachments:upload | MEDIUM |
| Slack | chat:write | LOW |

Overall Risk: MEDIUM -- Creates Jira tickets and uploads SBOM attachments. All Endor Labs operations are read-only.

How It Works

  1. Query Endor Labs for all packages in the namespace.
  2. For each package, fetch version details and license information.
  3. Compile data into CycloneDX SBOM format (JSON).
  4. Create a Jira compliance ticket for the current quarter.
  5. Upload the SBOM file as an attachment to the Jira ticket.
  6. Post a Slack notification with the ticket link.

ARX Governance

  • Risk Classification:
    • EndorLabs:packages:read -- LOW -- read-only package inventory query
    • EndorLabs:packages:read_versions -- LOW -- read-only version metadata
    • Jira:issues:create -- MEDIUM -- creates compliance tracking tickets
    • Jira:attachments:upload -- MEDIUM -- uploads SBOM document to ticket
    • Slack:chat:write -- LOW -- informational notifications only
  • HITL Gate: Disabled -- no destructive operations. Jira ticket and attachment creation are auto-approved because they produce audit artifacts only.
  • Policy Rules:
    • PERMITTED: Reading package and version data from Endor Labs
    • PERMITTED (auto-approved): Creating Jira compliance tickets and uploading SBOM attachments
    • PERMITTED: Posting Slack notifications with ticket links
    • DENIED: Any write operations to Endor Labs package data
  • Audit Trail: Every package queried, SBOM generation metadata (package count, format, size), Jira ticket ID, attachment ID, and Slack notification are logged. The SBOM content hash is recorded for integrity verification.
  • Config: See arx.yaml for connector permissions, schedule, and SBOM format settings.
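The following is an added example, not code from the Project-Agent workflow or the arx package. It shows the part of steps 2-3 of "How It Works" that can run offline: turning a package/version/license inventory into a CycloneDX 1.5 JSON document, and then producing the generation metadata (package count, format, size) and the SHA-256 content hash that the Audit Trail entry above says is recorded for integrity verification. The inventory is constructed in place of Endor Labs query results; the Endor Labs, Jira and Slack calls are not reproduced. The tool `vendor` value and the `endor:namespace` property name are assumptions, not fields defined by Endor Labs or this workflow.

```python
"""Added example: assemble a CycloneDX 1.5 JSON SBOM from a package inventory
and compute the metadata and content hash an audit trail would record.
Not the workflow's own code; the inventory below is constructed sample data."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample inventory standing in for Endor Labs package/version data.
# The third entry has no license on record, which the SBOM must not paper over.
SAMPLE_INVENTORY = [
    {"ecosystem": "pypi", "name": "requests", "version": "2.31.0", "license": "Apache-2.0"},
    {"ecosystem": "npm", "name": "lodash", "version": "4.17.21", "license": "MIT"},
    {"ecosystem": "pypi", "name": "internal-lib", "version": "0.3.1", "license": None},
]


def to_purl(pkg: dict) -> str:
    """Build a package URL (pkg:<type>/<name>@<version>), the identifier CycloneDX uses."""
    return f"pkg:{pkg['ecosystem']}/{pkg['name']}@{pkg['version']}"


def to_component(pkg: dict) -> dict:
    """Map one inventory row to a CycloneDX component. A missing license is left
    out rather than guessed, so the SBOM never asserts more than the data supports."""
    component = {
        "type": "library",
        "name": pkg["name"],
        "version": pkg["version"],
        "purl": to_purl(pkg),
    }
    if pkg.get("license"):
        component["licenses"] = [{"license": {"id": pkg["license"]}}]
    return component


def build_sbom(inventory: list, namespace: str, timestamp: Optional[str] = None) -> dict:
    """Assemble a CycloneDX 1.5 document. Components are sorted by purl so that the
    same inventory, in any order, serialises to the same bytes and the same hash."""
    components = sorted((to_component(p) for p in inventory), key=lambda c: c["purl"])
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            # Tool vendor and the namespace property name are assumptions for this example.
            "tools": [{"vendor": "example-org", "name": "endor-sbom-export", "version": "0.1"}],
            "properties": [{"name": "endor:namespace", "value": namespace}],
        },
        "components": components,
    }


def serialize(sbom: dict) -> bytes:
    """Canonical JSON (sorted keys, fixed separators) so the hash is reproducible."""
    return json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode("utf-8")


def content_hash(sbom_bytes: bytes) -> str:
    """SHA-256 of the serialized SBOM: the value to log so the attachment on the
    Jira ticket can later be compared against what the workflow generated."""
    return hashlib.sha256(sbom_bytes).hexdigest()


def unlicensed_components(sbom: dict) -> list:
    """Names of components with no license entry; a compliance reviewer wants
    these flagged rather than silently included in the SBOM."""
    return [c["name"] for c in sbom["components"] if "licenses" not in c]


def generation_metadata(sbom: dict) -> dict:
    """The package count / format / size triple from the audit trail, plus the hash."""
    data = serialize(sbom)
    return {
        "package_count": len(sbom["components"]),
        "format": f"CycloneDX {sbom['specVersion']} JSON",
        "size_bytes": len(data),
        "sha256": content_hash(data),
    }


if __name__ == "__main__":
    bom = build_sbom(SAMPLE_INVENTORY, namespace="your-namespace")
    print(json.dumps(generation_metadata(bom), indent=2))
    print("components without a license:", unlicensed_components(bom))
```

Sorting components and serialising with sorted keys is what makes the recorded hash useful: two runs over the same inventory produce byte-identical output, so a mismatch between the logged hash and the hash of the Jira attachment means the document changed after generation, not merely that the export order differed.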

Setup

Prerequisites

```bash
pip install arx
```

Environment Variables

```bash
export ENDOR_NAMESPACE="your-namespace"
export ENDOR_API_KEY="your-endor-api-key"
export JIRA_URL="https://your-org.atlassian.net"
export JIRA_API_TOKEN="your-jira-api-token"
export JIRA_PROJECT_KEY="COMPLY"
export SLACK_BOT_TOKEN="xoxb-your-slack-token"
export SLACK_COMPLIANCE_CHANNEL="#compliance"
```

Run

```bash
# One-time execution (on-demand)
arx run workflow.py

# Register on schedule (quarterly: Jan, Apr, Jul, Oct 1st at 07:00 UTC)
arx register --config arx.yaml
```

Customization

  • Change SBOM output format (CycloneDX JSON is the default)
  • Adjust the Jira project and ticket template for your compliance process
  • Configure namespace filtering for scoped SBOM generation