Docker SBOM

The Complete Guide to Generating Docker SBOMs for Container Security

Software supply chain security has become a critical focus for DevOps teams. One of the most powerful tools for transparency and security is the SBOM (Software Bill of Materials). This guide will walk you through what SBOMs are, why they matter, and how to generate and use them with Docker.


What Is an SBOM?

An SBOM (Software Bill of Materials) is a detailed inventory of all the components, packages, and libraries inside a piece of software (e.g., a container image).

Think of it as a “recipe list” for your container image.

Why Use SBOMs in Containers?

  1. Security – Detect vulnerable packages before shipping images.
  2. Compliance – Regulations increasingly require SBOMs.
  3. Transparency – Clear understanding of your software supply chain.
  4. Auditability – Simplify investigations during incidents.

Docker’s Native SBOM Support

Starting with Docker 20.10.24, the Docker CLI includes an sbom subcommand.
It is powered by Syft under the hood.

Check your version:

docker --version

If the version is 20.10.24 or newer, you're good to go.

If you do not have the Docker SBOM plug-in, you can install it manually:

# Install the Docker SBOM plug-in
curl -sSfL https://raw.githubusercontent.com/docker/sbom-cli-plugin/main/install.sh | sh -s --

# Verify that the plug-in is available
docker sbom --version

Generating an SBOM

Example 1: NGINX Official Image

docker sbom nginx:latest

This lists every package detected inside the nginx:latest image.

Example 2: Node.js Application

Step 1 – Dockerfile

# simple Node.js app
FROM node:18-alpine
WORKDIR /app
COPY package*.json ./
RUN npm install --production
COPY . .
CMD ["node", "index.js"]

Step 2 – Build Image

docker build -t my-node-app .

Step 3 – Generate SBOM

docker sbom my-node-app

Exporting SBOMs

By default, Docker outputs SBOMs in SPDX JSON format. You can save the output to a file:

docker sbom nginx:latest --format spdx-json > sbom.json

Alternative format (CycloneDX):

docker sbom nginx:latest --format cyclonedx-json > sbom.cdx.json

Integrating SBOMs into CI/CD

name: Build and SBOM
on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # The sbom subcommand is a CLI plug-in that a hosted runner may not
      # ship with; install it with the same script used earlier in this guide.
      - name: Install docker sbom plug-in
        run: curl -sSfL https://raw.githubusercontent.com/docker/sbom-cli-plugin/main/install.sh | sh -s --
      - name: Build Docker image
        run: docker build -t my-node-app .
      - name: Generate SBOM
        run: docker sbom my-node-app --format spdx-json > sbom.json
      - name: Upload SBOM
        uses: actions/upload-artifact@v3
        with:
          name: sbom
          path: sbom.json

Scanning SBOMs for Vulnerabilities

SBOMs alone aren’t enough — you must scan them.

Using Grype

# Scan directly from image
grype my-node-app

# Or scan from SBOM file
grype sbom:sbom.json

This identifies CVEs linked to your packages.

Storing SBOMs

Best practices:

  1. Store SBOMs in artifact registries (ECR, Harbor, JFrog).
  2. Tag SBOMs with image hashes (sha256) for immutability.
  3. Keep them versioned alongside container images.
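Keeping digest-tagged SBOMs for every build makes it possible to compare two builds of the same image for package drift. The script below is an added example, not part of this guide or of Docker's tooling: it reads the two formats exported above (SPDX JSON and CycloneDX JSON) into a name-to-version inventory and diffs them. The SBOM documents embedded in it are constructed samples, not real docker sbom output.

```python
"""Parse the two SBOM formats this guide exports (SPDX JSON and CycloneDX JSON)
into a {package: version} inventory and diff two inventories to spot drift."""
import json

# Constructed sample documents, trimmed to the fields the parser reads;
# they are not real docker sbom output.
SPDX_BEFORE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"SPDXID": "SPDXRef-Package-nginx", "name": "nginx", "versionInfo": "1.25.2-1"},
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "3.0.9-1"},
        {"SPDXID": "SPDXRef-Package-curl", "name": "curl", "versionInfo": "7.88.1-10"},
    ],
})
CDX_AFTER = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "library", "name": "nginx", "version": "1.25.2-1"},
        {"type": "library", "name": "openssl", "version": "3.0.11-1"},
        {"type": "library", "name": "libxml2", "version": "2.9.14"},
    ],
})


def load_inventory(text):
    """Return {name: version} from an SPDX JSON or CycloneDX JSON SBOM."""
    doc = json.loads(text)
    if "packages" in doc:        # SPDX JSON keeps packages under "packages"
        pairs = ((p["name"], p.get("versionInfo", "")) for p in doc["packages"])
    elif "components" in doc:    # CycloneDX JSON keeps them under "components"
        pairs = ((c["name"], c.get("version", "")) for c in doc["components"])
    else:
        raise ValueError("not an SPDX JSON or CycloneDX JSON SBOM")
    return dict(pairs)


def diff_inventories(old, new):
    """Classify drift between two inventories as added, removed or changed."""
    added = {n: v for n, v in new.items() if n not in old}
    removed = {n: v for n, v in old.items() if n not in new}
    changed = {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]}
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    drift = diff_inventories(load_inventory(SPDX_BEFORE), load_inventory(CDX_AFTER))
    for kind, pkgs in drift.items():
        print(f"{kind}: {pkgs}")
```

Point load_inventory at two files saved with docker sbom --format spdx-json or --format cyclonedx-json to compare real builds; an unexpected entry under "added" or "changed" is the cue to look at the Grype results for that package.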

Best Practices

  1. Start small: generate SBOMs early in your pipeline.
  2. Automate SBOM creation in CI/CD.
  3. Always scan SBOMs with tools like Grype.
  4. Store SBOMs securely (artifact repos, Git).
  5. Consider signing SBOMs for integrity validation.

Conclusion

SBOMs bring visibility, compliance, and security to your containers. With Docker’s built-in SBOM support, it’s easier than ever to adopt.


Thanks for reading!

Guneycan Sanli
