Robot Users

Not all accounts are necessarily associated with human users. BOMnipotent is built with pipeline integration in mind. To create an account to be used in automation, add the ‘robot’ option to the request:

Input (long variant)
bomnipotent_client user request example_robot --robot
Input (short variant)
bomnipotent_client user request example_robot -r
Output
[INFO] Generating new key pair.
[INFO] Storing secret key to '/root/.config/bomnipotent/secret_key.pem' and public key to '/root/.config/bomnipotent/public_key.pem'.
[INFO] All requests are unauthenticated: No username was provided for signing request.
[INFO] Request for robot user 'example_robot' submitted. It now needs to be confirmed by a user manager.

This request will mark the account as a robot, and not send a verification mail. To approve such an account, you have to provide the ‘robot’ option.

Input (long variant)
bomnipotent_client user approve example_robot --robot
Input (short variant)
bomnipotent_client user approve example_robot -r
Output
[INFO] Changed status of example_robot to APPROVED.
Note

Since robot users are not verified, and typically have elevated permissions, you should be absolutely certain that this is the account you want to approve.

In order not to have to fish the generated keys from the somewhat hidden user folder, you can specify a desired path to store them:

Input (long variant) (available since version 1.1.0)
bomnipotent_client user request ci_cd_robot --robot /home/ci_cd_robot
Input (short variant)
bomnipotent_client user request ci_cd_robot -r /home/ci_cd_robot
Output
[INFO] Generating new key pair.
[INFO] Storing secret key to '/home/ci_cd_robot_secret_key.pem' and public key to '/home/ci_cd_robot_public_key.pem'.
[INFO] All requests are unauthenticated: No username was provided for signing request.
[INFO] Request for robot user 'ci_cd_robot' submitted. It now needs to be confirmed by a user manager.

Now the robot requires permissions to upload BOMs, to update vulnerabilities, and to read but not modify CSAF documents. Beginning with version 1.4.0, a convenience role “robot” grants these permissions:

Input (available since version 1.4.0)
bomnipotent_client user-role add example_robot robot
Output
[INFO] Added role to user.

Note that this role grants read access to the CSAF documents of all products:

Input (long variant) (available since version 1.4.0)
bomnipotent_client role-permission list --role=robot
Input (short variant)
bomnipotent_client role-permission list -r robot
Output
[INFO] 
╭───────┬───────────────────┬─────────────────────────╮
│ Role  │ Permission        │ Last Updated            │
├───────┼───────────────────┼─────────────────────────┤
│ robot │ BOM_MANAGEMENT    │ 2025-01-01 10:11:12 UTC │
│ robot │ PRODUCT_ACCESS(*) │ 2025-01-01 10:11:12 UTC │
│ robot │ VULN_MANAGEMENT   │ 2025-01-01 10:11:12 UTC │
╰───────┴───────────────────┴─────────────────────────╯

You can of course change these permissions as you please.
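Before handing the robot's credentials to a pipeline, it helps to check which of its grants apply to every product. The following is an added example, not part of the BOMnipotent documentation: it parses a captured role-permission table and lists the wildcard "(*)" grants. The function names are hypothetical, and it assumes the table layout shown above.

```shell
#!/bin/sh
# Added example (not from the BOMnipotent documentation).
# Lists grants in a `role-permission list` table whose scope is the
# wildcard "(*)", i.e. permissions that apply to every product.
# Assumption: the captured text uses the table layout shown on this page.

# Constructed sample: the table printed for the "robot" role on this page.
sample_table() {
    cat <<'EOF'
[INFO] 
╭───────┬───────────────────┬─────────────────────────╮
│ Role  │ Permission        │ Last Updated            │
├───────┼───────────────────┼─────────────────────────┤
│ robot │ BOM_MANAGEMENT    │ 2025-01-01 10:11:12 UTC │
│ robot │ PRODUCT_ACCESS(*) │ 2025-01-01 10:11:12 UTC │
│ robot │ VULN_MANAGEMENT   │ 2025-01-01 10:11:12 UTC │
╰───────┴───────────────────┴─────────────────────────╯
EOF
}

# Reads a table on stdin; prints "role<TAB>permission" per wildcard grant.
wildcard_grants() {
    # Normalise the box-drawing column separator to ASCII so that any
    # awk implementation can split on it, then inspect the data rows.
    sed 's/│/|/g' | awk -F'|' '
        NF >= 4 {
            role = $2; perm = $3
            gsub(/^[ \t]+|[ \t]+$/, "", role)
            gsub(/^[ \t]+|[ \t]+$/, "", perm)
            if (role == "Role") next            # skip the header row
            if (perm ~ /\(\*\)$/) print role "\t" perm
        }'
}

# Returns 0 when the table holds no wildcard grant, 1 otherwise (CI gate).
no_wildcard_grants() {
    [ -z "$(wildcard_grants)" ]
}

# Demonstration on the constructed sample.
sample_table | wildcard_grants
```

To use it on a live server, feed the captured output of the role-permission list command shown above into wildcard_grants instead of the sample.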

Now you can use your robot’s credentials in your CI/CD pipeline.