ReARM - Supply Chain Security and Asset Management for Releases, SBOMs, xBOMs, Security Artifacts - Community Edition
ReARM is an abbreviation for "Reliza's Artifact and Release Management". It is a DevSecOps and Supply Chain Security tool to organize product releases with their metadata, including various Bills of Materials (SBOMs / xBOMs).
ReARM maintains xBOM documents for each release. See here how ReARM's SBOM-related features compare with the previous generation of tooling.
ReARM stores xBOMs on OCI-compatible storage. ReARM is developed by Reliza. Read about the project's history on our blog.
- Documentation: https://docs.rearmhq.com
- Video learning and tutorials playlist (wip): https://www.youtube.com/playlist?list=PLPABgZUOtPyXyC9YWJktF-sfu0ewpytGf
- ReARM CLI: https://github.com/relizaio/rearm-cli
- Project ReARM web-site: https://rearmhq.com
- Public Demo: https://demo.rearmhq.com
- Reliza Website: https://reliza.io
- Reliza Versioning: https://github.com/relizaio/versioning
- ReARM itself - Public Beta
- Transparency Exchange API (TEA) implementation - TEA Beta 1 implementation in progress; a Public Alpha is available on the ReARM Demo Instance (see below for details)
ReARM is an xBOM management system that allows organizations to maintain compliance with various regulatory frameworks, including:
- European CRA regulations, BSI TR-03183, implied use of xBOMs in NIS2 Directive and DORA
- US executive order 14028
- US OMB Memorandum M-22-18
- US Army Memorandum on SBOMs
- US executive order 14144 (later amended)
- Section 524B of the US FD&C Act and its guidance
- Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI) Cybersecurity and Cyber Resilience Framework SBOM requirements, with FAQ
While we highlight the regulatory pressure, we strive to ensure that ReARM imposes minimal or no overhead on developers and, more importantly, provides real value for managing technology releases and their metadata. In other words, our goal is to create a product that is useful for developers and managers while also solving the compliance problem.
- Storage and retrieval of SBOMs / xBOMs for software and hardware, per release, including signatures and signing details
- Seamless creation of aggregated BOMs on Component and Product Release levels
- Maintaining representation of organization's products and components with branches and releases
- Automated creation of release versions and changelogs between releases
- Integration with Dependency-Track for analysis of vulnerabilities and policies, including license policy, while optimizing Dependency-Track performance via data deduplication
- Search for presence of dependencies in organization's software based on Dependency-Track data
- Integration with various CI systems (including GitHub Actions, Azure DevOps, Jenkins, GitLab CI and others) to produce BOMs and upload them with other release metadata to ReARM
- Release approval logic with triggers based on approvals and / or vulnerabilities or policy violations (Commercial Edition only)
- Marketing release workflow (Commercial Edition only)
- Release-level changelog for changes in SBOM dependencies
- Better handling and prescribed workflows for Attestations
- Extended options to configure retrieved aggregated BOMs (via tagging and detailed component analysis, e.g., an option to exclude Test dependencies)
- Options to exchange BOM data with the public or with specific people or organizations only (via both the Transparency Exchange API and ReARM's own capabilities)
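Two of the features listed above, aggregating component SBOMs into a product-level BOM with deduplication and producing a release-level changelog of dependency changes, are illustrated by the following added example. This is not ReARM's own code; it is a standalone Python sketch that works on CycloneDX JSON documents, keys components by their package URL (purl), and uses constructed sample SBOMs embedded inline.

```python
"""Aggregate and diff CycloneDX SBOMs by package URL (purl).

Added example, not code from the ReARM project. The SBOM documents below are
constructed sample data; the field names follow the CycloneDX JSON layout
(bomFormat, specVersion, components[].name / version / purl).
"""
import json


def load_components(sbom_json):
    """Parse a CycloneDX JSON document and index its components.

    Components are keyed by purl; a component without a purl falls back to
    name@version. Duplicate keys within one document keep the first entry.
    """
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    index = {}
    for comp in doc.get("components", []):
        key = comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"
        index.setdefault(key, comp)
    return index


def aggregate(sbom_jsons):
    """Merge several component SBOMs into one aggregated BOM.

    The same library referenced by two components is listed once, which is the
    deduplication that keeps a product-level BOM (and downstream analysis) small.
    """
    merged = {}
    for sbom_json in sbom_jsons:
        for key, comp in load_components(sbom_json).items():
            merged.setdefault(key, comp)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "components": sorted(merged.values(), key=lambda c: c["name"]),
    }


def purl_base(key):
    """Strip version, qualifiers and subpath from a purl so that two versions of
    one package pair up (pkg:npm/lodash@4.17.20 -> pkg:npm/lodash)."""
    return key.split("?", 1)[0].split("#", 1)[0].rsplit("@", 1)[0]


def changelog(old_json, new_json):
    """Report dependency changes between two release SBOMs.

    Because the purl carries the version, a bumped library first shows up as one
    removed key and one added key; those are paired by purl_base and reported as
    'changed' (name, old_version, new_version) instead.
    """
    old, new = load_components(old_json), load_components(new_json)
    removed = {k for k in old if k not in new}
    added = {k for k in new if k not in old}
    old_by_base = {purl_base(k): k for k in removed}
    new_by_base = {purl_base(k): k for k in added}
    changed = []
    for base in sorted(set(old_by_base) & set(new_by_base)):
        old_key, new_key = old_by_base[base], new_by_base[base]
        changed.append((new[new_key]["name"], old[old_key]["version"], new[new_key]["version"]))
        removed.discard(old_key)
        added.discard(new_key)
    return {"added": sorted(added), "removed": sorted(removed), "changed": changed}


def make_sbom(comps):
    """Build a minimal CycloneDX JSON document from (name, version, purl) tuples."""
    return json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
        "components": [{"type": "library", "name": n, "version": v, "purl": p}
                       for (n, v, p) in comps],
    })


# Constructed sample data: two releases of one product, and two component SBOMs.
OLD_RELEASE = make_sbom([
    ("lodash", "4.17.20", "pkg:npm/lodash@4.17.20"),
    ("express", "4.18.2", "pkg:npm/express@4.18.2"),
    ("jackson-databind", "2.15.2", "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"),
])
NEW_RELEASE = make_sbom([
    ("lodash", "4.17.21", "pkg:npm/lodash@4.17.21"),
    ("express", "4.18.2", "pkg:npm/express@4.18.2"),
    ("requests", "2.31.0", "pkg:pypi/requests@2.31.0"),
])
COMPONENT_A = make_sbom([
    ("lodash", "4.17.21", "pkg:npm/lodash@4.17.21"),
    ("express", "4.18.2", "pkg:npm/express@4.18.2"),
])
COMPONENT_B = make_sbom([
    ("lodash", "4.17.21", "pkg:npm/lodash@4.17.21"),
    ("requests", "2.31.0", "pkg:pypi/requests@2.31.0"),
])

if __name__ == "__main__":
    print(json.dumps(aggregate([COMPONENT_A, COMPONENT_B]), indent=2))
    print(json.dumps(changelog(OLD_RELEASE, NEW_RELEASE), indent=2))
```

Keying on purl rather than on name is the design choice that matters: the same name can exist in several ecosystems (npm and PyPI, say), and only the purl, which encodes the package type, namespace and version, lets an aggregator decide whether two entries are the same dependency or not. Components without a purl are the weak spot of any such merge, which is why the fallback key is kept separate and visible.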
ReARM follows Trunk Based Development (TBD) methodology. This means that maintainers commit directly to the main branch where possible. Consumers should use releases marked as SHIPPED (or GENERAL_AVAILABILITY).
Refer to ReARM Community Edition Product on ReARM Demo Instance for the constantly updated list of ReARM releases. SHIPPED releases are also published under GitHub Releases in this repository.
The Helm chart and docker compose files tagged to a release contain the list of specific images that correspond to that release.
The creators of ReARM are among the active contributors to the Transparency Exchange API (TEA), which aims to build a standard API for exchanging supply chain artifacts and intelligence.
Many core ReARM ideas are shared with the TEA workgroup under permissive Open Source licensing.
ReARM currently supports most of TEA Beta 1 functionality and we are working to expand and improve support. Refer to usage and status documentation on ReARM Documentation Website here.
- ReARM CLI: https://github.com/relizaio/rearm-cli - CLI tool to interact with ReARM for humans and automation bots
- BEAR (BOM Enrichment and Augmentation by Reliza): https://github.com/relizaio/bear - BEAR may be used for BOM enrichment before uploading to ReARM
- Reliza Versioning library: https://github.com/relizaio/versioning - Versioning library is used for automated versioning increments, comparisons and change logs handled by ReARM
A Public Demo is available at https://demo.rearmhq.com. When you register for the demo, you get a read-only account for the Demo organization and can browse several existing demo Components, Products and Releases. You may then also create your own organization and try organizing storage for your own release metadata (documentation for this is coming soon). Note that while your data on the Public Demo is private, it is subject to deletion at any time and without notice.
Refer to the project documentation: https://docs.rearmhq.com
This documentation is built using vitepress and checked in to this repository under documentation_site. If you spot any issues or would like to propose additions, please open issues or Pull Requests accordingly.
The OpenAPI spec can be found at https://github.com/CycloneDX/transparency-exchange-api/blob/main/spec/openapi.yaml and is copied into the tea-spec/ directory in this repository as well.
To generate the initial tea-server Spring service, run:
npx @openapitools/openapi-generator-cli generate -i tea-spec/openapi.yaml -g spring -o tea-server/ --additional-properties=useSpringBoot3=true
Then rename the model files with the Tea prefix (run from the ReARM repo root directory):
./scripts/rename_with_tea.sh ./tea-server/src/main/java/org/openapitools/model
- Create a Docker container for the database:
docker run --name rearm-postgres -d -p 5440:5432 -e POSTGRES_PASSWORD=relizaPass postgres:16
This part will be continued (TODO).
The easiest way to contact us is through our Discord Community - find the #rearm channel there and either post in this channel or send a direct message to the maintainers.
You can also send us an email to [email protected].