Quickstart — 5 minutes
Getting Started with embtrace
Prerequisite: An existing Yocto or Buildroot build. embtrace does not build anything itself — it works with the output of your build system.
Installation
Via pip (recommended for development)
pip install embtrace

# All optional features
pip install "embtrace[all]"

# SBOM + S3 storage only
pip install "embtrace[sbom,s3]"
Standalone binary (no Python required)
# Linux x86_64 — for CI/CD
wget https://embtrace.dev/releases/latest/embtrace-linux-x86_64
chmod +x embtrace-linux-x86_64
sudo mv embtrace-linux-x86_64 /usr/local/bin/embtrace
embtrace --version
embtrace 0.1.0
Quickstart — Yocto Example
From Yocto build to CRA compliance status in 4 steps.
1. Initialise project
embtrace automatically detects existing Yocto outputs and generates an embtrace.yaml.

embtrace init \
  --source yocto \
  --build-dir ./build
→ Found: build/tmp/deploy/licenses/ (247 recipes)
→ Found: build/tmp/deploy/spdx/ (SPDX outputs)
→ embtrace.yaml created
2. Import and merge SBOM
Imports the Yocto SPDX files and produces a unified product SBOM in CycloneDX format.

embtrace sbom import \
  --source yocto \
  --build-dir ./build
embtrace sbom merge \
  --output product-sbom.cdx.json
→ 247 recipes imported
→ product-sbom.cdx.json (847 components)
3. Run CVE scan
Checks all components against OSV.dev and NVD. Produces a VEX document with the status of each CVE.

embtrace sbom vuln \
  --sbom product-sbom.cdx.json \
  --output vex.json
→ 847 components checked
→ 12 CVEs found: 1 CRITICAL, 3 HIGH, 8 MEDIUM
→ Triage recommended: embtrace sbom triage
→ vex.json created
4. Check compliance
Validates the SBOM against BSI TR-03183 mandatory fields and returns a traffic-light status.

embtrace sbom audit \
  --sbom product-sbom.cdx.json \
  --policy bsi-tr-03183
✓ SBOM present and valid
✓ 847 components found
✓ 98% have supplier information
✓ 100% have exact version
✓ 100% have SPDX licence
✓ 100% have PURL
⚠ 1 CRITICAL CVE found
Overall: YELLOW — 6 warnings
Exit code: 2
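To make visible what the audit step is measuring, here is an added example (not embtrace's own code) that computes the same per-field coverage over a CycloneDX SBOM and derives a traffic-light status from it. The sample SBOM, the `field_coverage` and `audit` helpers and the status thresholds are constructed for this example and are not embtrace's policy.

```python
import json
import sys

# Constructed CycloneDX-style SBOM (not real embtrace output), used as sample input.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "busybox", "version": "1.36.1", "purl": "pkg:generic/busybox@1.36.1",
         "supplier": {"name": "BusyBox project"},
         "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
        {"name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13",
         "supplier": {"name": "OpenSSL project"},
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # No supplier, unpinned version, non-SPDX licence: three gaps an audit should flag.
        {"name": "vendor-blob", "version": "latest", "purl": "pkg:generic/vendor-blob",
         "licenses": [{"license": {"name": "Proprietary"}}]},
    ],
}

# One predicate per mandatory field that the audit output reports on.
CHECKS = {
    "supplier information": lambda c: bool(c.get("supplier", {}).get("name")),
    "exact version": lambda c: bool(c.get("version")) and c["version"] not in ("latest", "unknown"),
    "SPDX licence": lambda c: any("id" in lic.get("license", {}) for lic in c.get("licenses", [])),
    "PURL": lambda c: str(c.get("purl", "")).startswith("pkg:"),
}

def field_coverage(sbom):
    """Percentage of components satisfying each check, e.g. {'PURL': 100.0, ...}."""
    comps = sbom.get("components", [])
    if not comps:
        return {field: 0.0 for field in CHECKS}
    return {field: round(100 * sum(1 for c in comps if ok(c)) / len(comps), 1)
            for field, ok in CHECKS.items()}

def audit(sbom, critical_cves=0):
    """Return (status, warnings). Thresholds are this example's assumption, not embtrace's
    policy: RED with no components, YELLOW with any warning, otherwise GREEN."""
    if not sbom.get("components"):
        return "RED", ["no components in SBOM"]
    warnings = [f"{pct}% have {field}" for field, pct in field_coverage(sbom).items() if pct < 100.0]
    warnings += [f"CRITICAL CVE open ({i + 1})" for i in range(critical_cves)]
    return ("YELLOW" if warnings else "GREEN"), warnings

if __name__ == "__main__":
    # Usage: python sbom_audit.py [product-sbom.cdx.json]; falls back to the sample above.
    sbom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    status, warnings = audit(sbom, critical_cves=1)
    print(f"Overall: {status} - {len(warnings)} warnings", *warnings, sep="\n  ")
```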
Integration into CI/CD pipelines
GitLab CI — .gitlab-ci.yml
sbom-compliance:
  stage: compliance
  image: python:3.11
  script:
    - pip install "embtrace[sbom]"
    - embtrace sbom import --source yocto --build-dir ./build
    - embtrace sbom merge --output sbom.cdx.json
    - embtrace sbom vuln --sbom sbom.cdx.json
    - embtrace sbom audit --policy bsi-tr-03183
  artifacts:
    paths: [sbom.cdx.json, vex.json]
Jenkins — Jenkinsfile
stage('SBOM & Compliance') {
  steps {
    sh 'pip install "embtrace[sbom]"'
    sh 'embtrace sbom import --source yocto --build-dir ./build'
    sh 'embtrace sbom merge --output sbom.cdx.json'
    sh 'embtrace sbom vuln --sbom sbom.cdx.json'
    sh 'embtrace comply audit --policy cra'
  }
}
embtrace in your embedded pipeline
[Pipeline diagram] Build System (Yocto / Buildroot or a custom build system: your existing build system) → embtrace (SBOM, CVE, release, compliance: the missing layer) → OTA / Deploy (Mender / SWUpdate, RAUC: your existing OTA system)
Questions about integration?
We are happy to help with integration into your specific Yocto or Buildroot setup.