From c4e311c8caec884303eefc5003c56abbdd12393c Mon Sep 17 00:00:00 2001 From: Hari Om Date: Fri, 8 May 2026 12:41:51 +0530 Subject: [PATCH] docs: update hcp-sbom provisioner documentation to reflect deprecation of scanner_url and scanner_checksum options --- website/content/docs/provisioners/hcp-sbom.mdx | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/website/content/docs/provisioners/hcp-sbom.mdx b/website/content/docs/provisioners/hcp-sbom.mdx index fa2478fc5..f07b68459 100644 --- a/website/content/docs/provisioners/hcp-sbom.mdx +++ b/website/content/docs/provisioners/hcp-sbom.mdx @@ -17,6 +17,10 @@ page_title: hcp-sbom provisioner reference The `hcp-sbom` provisioner uploads software bill of materials (SBOM) files from artifacts built by Packer to HCP Packer. You must format SBOM files you want to upload as JSON and follow either the [SPDX](https://spdx.github.io/spdx-spec/latest) or [CycloneDX](https://cyclonedx.org/) specification. HCP Packer ties these SBOM files to the version of the artifact that Packer builds. +## Deprecation Notice + +~> **Deprecated Configuration Options:** The `scanner_url` and `scanner_checksum` configuration options are deprecated as of Packer v1.15.4 and will be removed in a future major version. The provisioner now uses the Packer binary with embedded Syft SDK for automatic SBOM generation. For custom SBOM generation tools, use manual generation with the `source` field instead of `auto_generate`. + ## Example The following example uploads an SBOM from the local `/tmp` directory and stores a copy at `./sbom/sbom_cyclonedx.json` on the local machine. @@ -47,6 +51,10 @@ provisioner "hcp-sbom" { +## Migrating from Custom Scanner URLs + +Prior to v1.15.4, the `hcp-sbom` provisioner supported downloading custom scanner binaries via `scanner_url`. This is no longer supported as the provisioner now uses the Packer binary with embedded Syft SDK. + ## Configuration reference You can specify the following configuration options.
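Review bot: In the first hunk, the added `## Deprecation Notice` paragraph does not say what a build does today when `scanner_url` or `scanner_checksum` is still set (honoured with a warning, ignored, or rejected), which is the first thing someone with an existing template needs to know. Suggest stating that behaviour explicitly. The last sentence also sends users of custom tools to manual generation with `source`. If `scanner_checksum` was what pinned the downloaded scanner binary, say that checking the integrity of a custom SBOM tool is now up to the user in that path. Minor wording: "with embedded Syft SDK" reads better as "with the embedded Syft SDK".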
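Review bot: In the second hunk, the `## Migrating from Custom Scanner URLs` section has a migration heading but no migration steps, and its "This is no longer supported" conflicts with the first hunk's "deprecated as of Packer v1.15.4 and will be removed in a future major version". Suggest picking one status and using it in both places, then adding the actual steps: which fields to delete from the template, and a short before/after `provisioner "hcp-sbom"` example for the `auto_generate` path and for the `source` path. This section also never mentions `scanner_checksum`, although the commit subject and the notice cover both options.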