harness · lavakush07 · Aug 19, 2025 · Aug 18, 2025 · Aug 19, 2025 · Aug 19, 2025
@@ -49,7 +49,7 @@ Artifact Signing step supports both [**container**](/docs/software-supply-chain-
 
 ### Container Images
 
-You can search for **Artifact Signing** and add it to either the **Build** or **Security** stage of a Harness pipeline
+You can search for **Artifact Signing** and add it to either the **Build** , **Deploy**, or **Security** stage of a Harness pipeline
 
 :::note
 

@@ -7,11 +7,13 @@ redirect_from:
 
 - /docs/software-supply-chain-assurance/sbom/ingest-sbom-data
 ---
-import CosignKeyGeneration from '/docs/software-supply-chain-assurance/shared/generate-cosign-key-pair.md';
 
-A [Software Bill of Materials (SBOM)](https://cyclonedx.org/capabilities/sbom/) is a list of all the components, libraries, and other dependencies used in a software application. While Harness SCS enables you to [generate SBOMs](/docs/software-supply-chain-assurance/open-source-management/generate-sbom-for-repositories), it also supports the ingestion of SBOMs in JSON, [SPDX](https://spdx.dev/learn/overview/) or [CycloneDx](https://cyclonedx.org/specification/overview/) formats, generated by any third-party tool.
 
-This document provides a step-by-step guide to configuring the SBOM Orchestration step within SCS to seamlessly ingest SBOMs. To illustrate the process, we'll walk through generating an SBOM using the Trivy CLI in a CI Run step, followed by its ingestion using the SBOM Orchestration step.
+A [Software Bill of Materials (SBOM)](https://cyclonedx.org/capabilities/sbom/) is a list of all the components, libraries, and other dependencies used in a software application. While Harness SCS enables you to [generate SBOMs](/docs/software-supply-chain-assurance/open-source-management/generate-sbom-for-repositories), it also supports the ingestion of SBOMs in JSON, [SPDX](https://spdx.dev/learn/overview/) or [CycloneDX](https://cyclonedx.org/specification/overview/) formats, generated by any third-party tool.
+
+Configure the SBOM Orchestration step in SCS to seamlessly ingest SBOM. In this example, we will generate an SBOM using the Trivy CLI in a CI Run step, and then ingest it using the SBOM Orchestration step.
+
+You can ingest SBOM for both [container](/docs/software-supply-chain-assurance/open-source-management/ingest-sbom-data#container-images) and [non-container](/docs/software-supply-chain-assurance/open-source-management/ingest-sbom-data#non-container-images) images.
 
 <!-- :::info
 
@@ -22,12 +24,6 @@ If you are utilizing STO Steps to generate the SBOM and wish to ingest it, pleas
 
 ::: -->
 
-## Generate the keys for SBOM Attestation - optional
-
-import GenerateKeysPrerequisite from '/docs/software-supply-chain-assurance/shared/generate-consign-keys-prerequisite.md';
-
-<GenerateKeysPrerequisite />
-
 
 ## Configure your pipeline to ingest SBOM
 1. In your Harness pipeline, Navigate to the stage where you want to ingest the SBOM, and select the **Overview** tab.
@@ -55,28 +51,69 @@ import GenerateKeysPrerequisite from '/docs/software-supply-chain-assurance/shar
    ::: -->
 
 4. If your SBOM tool can't output directly to your **Shared Path**, then add commands or a **Run** step to copy the SBOM into the directory specified in **Shared Paths**.
-5. Add an [SBOM Orchestration step](/docs/software-supply-chain-assurance/open-source-management/generate-sbom-for-repositories) configured to ingest the SBOM:
 
 :::info
 **SBOM Orchestration** step in deploy stage can only be used in the [Containerized Step Groups](/docs/continuous-delivery/x-platform-cd-features/cd-steps/containerized-steps/containerized-step-groups.md)
 :::
 
+
+### Container Images
+
+Follow the instructions below to ingest the SBOM for container images:
+
    * **Step Mode:** Set the step mode to **Ingestion**.
    * **SBOM File Path:** enter the path to the SBOM file generated by your SBOM tool.
    * **Source:** Set the source, which can be Docker Registry, ECR, GCR, ACR or Repository. Depending on your selection, a unique set of fields will appear, each specific to the source you've chosen. Address these fields as required, this is similar to configuring the source in SBOM Orchestration step. For more details of what each field entails, please refer to the [documentation on SBOM Orchestration](/docs/software-supply-chain-assurance/open-source-management/generate-sbom-for-repositories). If you are using Docker Registry, you can follow along.
    * **Image:** Enter the name of your image with tag or digest, such as `my-docker-org/repo-name:tag` or `my-docker-org/repo-name@sha256:digest` .
-   <details>
-      <summary>Generate key pairs using Cosign for SBOM Attestation</summary>
 
-      <CosignKeyGeneration />
+   You can securely sign the artifacts using **Cosign** or **Cosign with Secret Manager**
+
+import GenerateKeysPrerequisite from '/docs/software-supply-chain-assurance/shared/generate-cosign-artifact.md';
+
+<GenerateKeysPrerequisite />
+
+
+   <DocImage path={require('./static/sbom-ingestion-step.png')} width="50%" height="50%" />
+
+
+### Non-Container Images:
 
-   </details>
+Artifacts aren’t limited to container images. With the SBOM Orchestration step, you can also ingest SBOMs for non-container artifacts, with each artifact uniquely identified by its digest (SHA).
+
+The following are the non-container artifact types are supported:
+
+- Helm (`.tgz`)
+- YAML manifest (`.yaml`, `.yml`)
+- Jar (`.jar`)
+- War (`.war`)
+- Artifacts that are not listed above will be considered as `Unknown` type.
+
+
+Follow the instructions below to ingest the SBOM for non-container images:
+
+**Name:** Provide a name for the sbom step.
+
+**SBOM File Path:** Enter the path to the SBOM file generated by the SBOM tool.
+
+**Artifact Source:** Select the Harness Local Stage as the source of the artifact.
+
+**Workspace Artifact Path:** Provide the exact path to the artifact within the workspace. Ensure that you run a custom step to pull the artifact into the workspace directory.
+
+**Target Detection:** Choose between Auto and Manual.
+
+**Auto (default):** Automatically sets the artifact name from the provided path.
+
+**Manual:** Allows you to manually specify the artifact name and version.
+
+:::note
+
+SBOM ingestion for non-container artifacts does not currently support attestation, and the SBOM policy enforcement step.
+
+:::
 
-   * **Private Key (optional):** Input your Private key from the [Harness file secret](/docs/platform/secrets/add-file-secrets).
 
-   * **Password (optional):** Input your Password for the Private key from the [Harness file secret](/docs/platform/secrets/add-file-secrets).
+<DocImage path={require('./static/sbom-non-container.png')} width="50%" height="50%" />
 
-   <DocImage path={require('./static/ingesting-sbom-from-other-scanners-02.png')} width="50%" height="50%" />
 
 ## Run the pipeline
-Original file line number
+Diff line change
@@ Expand Up @@
     ### Container Images
-    You can search for **Artifact Signing** and add it to either the **Build** or **Security** stage of a Harness pipeline
+    You can search for **Artifact Signing** and add it to either the **Build** , **Deploy**, or **Security** stage of a Harness pipeline
     :::note
@@ Expand Down @@