Reproducible SBOMs

By default an SBOM embeds a generation timestamp and a fresh serial number, so two runs over identical source produce different files. --reproducible makes the output deterministic.
Generate a Reproducible SBOM

lynkctl generate . --reproducible -o sbom.cdx.json

With --reproducible, lynkctl uses a fixed timestamp, a content-derived serial number, and sorted collections. Running it twice over the same source produces a byte-identical SBOM. This makes the output suitable for content-addressable storage and for diffing one build against the next.

Controlling the Timestamp

--reproducible still records a timestamp; it just makes it deterministic instead of "now". Set it explicitly with --timestamp, which takes an RFC-3339 value and is only valid alongside --reproducible:

lynkctl generate . --reproducible --timestamp 2023-11-14T22:13:20Z -o sbom.cdx.json

When --timestamp is omitted, lynkctl falls back to the SOURCE_DATE_EPOCH environment variable — the same convention used by reproducible-build toolchains:

SOURCE_DATE_EPOCH=1700000000 lynkctl generate . --reproducible -o sbom.cdx.json
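The following is an added illustration, not lynkctl's own code, of the three ingredients the flags above combine: timestamp resolution (--timestamp, then SOURCE_DATE_EPOCH, then a fixed value), sorted collections, and a serial number derived from the content. The component lists are constructed sample input, and the fallback epoch of 0 is an assumption since the page does not state lynkctl's fixed value.

```python
import hashlib
import json
import os
import uuid
from datetime import datetime, timezone

# Constructed sample input: the same dependency set enumerated in two
# different orders, as two scans of one source tree might produce.
RUN_A = [{"name": "zlib", "version": "1.3.1"}, {"name": "openssl", "version": "3.2.1"}]
RUN_B = [{"name": "openssl", "version": "3.2.1"}, {"name": "zlib", "version": "1.3.1"}]

# Assumption: the fixed timestamp used when neither --timestamp nor
# SOURCE_DATE_EPOCH is given. The page does not state lynkctl's actual value.
FALLBACK_EPOCH = 0
RFC3339 = "%Y-%m-%dT%H:%M:%SZ"


def resolve_timestamp(explicit=None, env=None):
    """Pick the timestamp the way the flags above describe: --timestamp first,
    then SOURCE_DATE_EPOCH, then a fixed fallback. Always returns RFC-3339 UTC."""
    env = os.environ if env is None else env
    if explicit is not None:
        parsed = datetime.fromisoformat(explicit.replace("Z", "+00:00"))
        return parsed.astimezone(timezone.utc).strftime(RFC3339)
    epoch = int(env.get("SOURCE_DATE_EPOCH", FALLBACK_EPOCH))
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(RFC3339)


def build_sbom(components, timestamp):
    """Assemble a minimal CycloneDX document with sorted collections and a
    serial number derived from the content rather than drawn at random."""
    ordered = sorted(components, key=lambda c: (c["name"], c["version"]))
    body = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"timestamp": timestamp},
        "components": ordered,
    }
    # Hash the canonical encoding (sorted keys, no whitespace) and fold it into
    # a name-based UUID so the serial number is a function of the content.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode()).hexdigest()
    body["serialNumber"] = f"urn:uuid:{uuid.uuid5(uuid.NAMESPACE_URL, digest)}"
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


if __name__ == "__main__":
    ts = resolve_timestamp(env={"SOURCE_DATE_EPOCH": "1700000000"})
    a, b = build_sbom(RUN_A, ts), build_sbom(RUN_B, ts)
    print(ts, hashlib.sha256(a).hexdigest(), a == b)
```

With lynkctl itself the equivalent check is to run the generate command twice and compare the two files' sha256sums; any difference means something other than the timestamp or serial number changed between runs.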

When to Use It

Scenario                                                        Use --reproducible?
Content-addressable artifact storage                            Yes
Diffing SBOMs across builds to spot real changes                Yes
Verifying a build is bit-for-bit reproducible                   Yes
Routine SBOM generation where the real wall-clock time matters  No