Docker SBOM

Couple of months ago, Docker announced an experimental command called docker sbom which will display the packaging list of an image. In this blog article, we will dive into sbom, docker sbom and more.

What is SBOM?

A Software Bill of Materials (SBOM) is a term you often hear or read when it comes to the software supply chain. An SBOM holds metadata about a software package: its contents, license information, copyright, and more. Think of it as an inventory, or the list of ingredients on a package.

[Image: Sample Label for Frozen Lasagna]

An SBOM brings transparency and security to the software supply chain.

Docker SBOM

Docker SBOM is an experimental feature available in Docker. Launch the terminal and issue docker sbom <image>:<tag>. By default, the output is a table, as shown below.

[Image: Docker SBOM table output]

To print the SBOM in CycloneDX and SPDX format, issue the below commands respectively.

# SPDX JSON
docker sbom --format spdx-json qainsights/jpetstore:latest

# CycloneDX JSON
docker sbom --format cyclonedx-json qainsights/jpetstore:latest

To save the output to a file, issue the below command:

docker sbom --format spdx-json --output sbom.json qainsights/jpetstore
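Once the SBOM is on disk, the useful next step is to query it. The following added example (not code from this post, Docker or Syft) parses both output formats shown above into one flat inventory and answers the two questions an SBOM exists for: is a given package present, and at what version, and which licenses ship in the image. The two sample documents are constructed inline, following the SPDX 2.2 JSON and CycloneDX 1.4 JSON field names that docker sbom emits; the package names, versions and the "minimum openssl version" policy are illustrative only. The docker_sbom() helper wraps the real CLI and assumes Docker with the sbom plugin is installed; everything else runs offline.

```python
"""Flatten `docker sbom` output (SPDX JSON or CycloneDX JSON) into a package
inventory and run simple presence, version and license queries over it.
Added example; not code from the blog post, Docker or Syft."""
import json
import re
import subprocess

# Constructed sample documents standing in for `docker sbom --format spdx-json`
# and `docker sbom --format cyclonedx-json` output. Package names and versions
# are illustrative, not scan results of any real image.
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example/app:latest",
    "packages": [
        {"name": "openssl", "SPDXID": "SPDXRef-Package-1", "versionInfo": "1.1.1k-r0",
         "licenseConcluded": "OpenSSL",
         "externalRefs": [{"referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:apk/alpine/openssl@1.1.1k-r0"}]},
        {"name": "musl", "SPDXID": "SPDXRef-Package-2", "versionInfo": "1.2.2-r3",
         "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:apk/alpine/musl@1.2.2-r3"}]},
    ],
})

CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k-r0",
         "purl": "pkg:apk/alpine/openssl@1.1.1k-r0",
         "licenses": [{"license": {"id": "OpenSSL"}}]},
        {"type": "library", "name": "readline", "version": "8.1.0-r0",
         "purl": "pkg:apk/alpine/readline@8.1.0-r0",
         "licenses": [{"license": {"id": "GPL-3.0-or-later"}}]},
    ],
})


def _spdx_packages(doc):
    """Yield one flat record per SPDX package; the purl lives in externalRefs."""
    for pkg in doc.get("packages", []):
        purl = next((r.get("referenceLocator") for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        yield {"name": pkg.get("name"), "version": pkg.get("versionInfo"),
               "license": pkg.get("licenseConcluded") or pkg.get("licenseDeclared"),
               "purl": purl}


def _cyclonedx_components(doc):
    """Yield one flat record per CycloneDX component; license ids sit under licenses[].license."""
    for comp in doc.get("components", []):
        ids = [e.get("license", {}).get("id") or e.get("license", {}).get("name")
               for e in comp.get("licenses", [])]
        yield {"name": comp.get("name"), "version": comp.get("version"),
               "license": next((i for i in ids if i), None), "purl": comp.get("purl")}


def load_inventory(sbom_json: str) -> list:
    """Detect the document format from its top-level keys and flatten it."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") == "CycloneDX":
        return list(_cyclonedx_components(doc))
    if "spdxVersion" in doc:
        return list(_spdx_packages(doc))
    raise ValueError("not an SPDX or CycloneDX JSON document")


def version_key(version: str) -> tuple:
    """Sortable key for distro-style versions such as 1.1.1k-r0 or 8.1.0-r0.
    Each dot/dash separated part becomes (numeric prefix, alpha suffix), so
    1.1.1k < 1.1.1l < 1.1.2. Simplification: not a full dpkg/apk comparator."""
    key = []
    for part in re.split(r"[.\-]", version):
        m = re.fullmatch(r"(\d*)(.*)", part)
        key.append((int(m.group(1)) if m.group(1) else -1, m.group(2)))
    return tuple(key)


def find_package(inventory, name):
    return [p for p in inventory if p["name"] == name]


def below_minimum(inventory, name, minimum):
    """Packages named `name` whose version is older than the policy minimum."""
    return [p for p in find_package(inventory, name)
            if p["version"] and version_key(p["version"]) < version_key(minimum)]


def licenses(inventory):
    return sorted({p["license"] for p in inventory if p["license"]})


def docker_sbom(image: str, fmt: str = "spdx-json") -> str:
    """Run the real CLI (needs Docker with the sbom plugin); returns the raw JSON text."""
    return subprocess.run(["docker", "sbom", "--format", fmt, image],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for text in (SPDX_SAMPLE, CYCLONEDX_SAMPLE):
        inv = load_inventory(text)
        print(f"{len(inv)} packages, licenses: {licenses(inv)}")
        print("openssl below policy minimum 1.1.1n:", below_minimum(inv, "openssl", "1.1.1n"))
```

To run it against a real image, replace the sample text with `load_inventory(docker_sbom("qainsights/jpetstore:latest"))`; the same queries then work unchanged on either format, which is the practical payoff of normalising both into one record shape.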

How does it work?

To generate the SBOM, Docker needs to scan the image. It currently uses Syft to perform the scan; the process may change in the future.

Syft is a Go-based CLI tool for generating SBOMs, and it can be run directly:

syft qainsights/jpetstore

Install as a Plugin

To install docker sbom as a plugin, issue the below command, which installs docker-sbom:

curl -sSfL https://raw.githubusercontent.com/docker/sbom-cli-plugin/main/install.sh | sh -s --

Final Thoughts

Docker SBOM is still in its early phase, but if you work with containers or DevOps tasks, docker sbom lets you generate an image's package contents, dependencies, and more with a single command.


NaveenKumar Namachivayam | Sciencx, July 11, 2022. https://www.scien.cx/2022/07/11/docker-sbom/