
Docker SBOM
The Complete Guide to Generating Docker SBOMs for Container Security
Software supply chain security has become a critical focus for DevOps teams. One of the most powerful tools for transparency and security is the SBOM (Software Bill of Materials). This guide will walk you through what SBOMs are, why they matter, and how to generate and use them with Docker.
What Is an SBOM?
An SBOM (Software Bill of Materials) is a detailed inventory of all the components, packages, and libraries inside a piece of software (e.g., a container image).
Think of it as a “recipe list” for your container image.
Why it matters:
- Visibility into dependencies
- Faster vulnerability detection
- Compliance with standards (NIST, FedRAMP, etc.)
- Improved incident response
Why Use SBOMs in Containers?
- Security – Detect vulnerable packages before shipping images.
- Compliance – Regulations increasingly require SBOMs.
- Transparency – Clear understanding of your software supply chain.
- Auditability – Simplify investigations during incidents.
Docker’s Native SBOM Support
Starting with Docker 20.10.24+, the Docker CLI includes an sbom subcommand. It is powered by Syft under the hood.
Check your version:
docker --version
If ≥20.10.24, you’re good to go.
If you do not have the Docker SBOM plug-in, you can install it manually:
# Install the Docker SBOM plug-in
curl -sSfL https://raw.githubusercontent.com/docker/sbom-cli-plugin/main/install.sh | sh -s --
# Verify the plug-in is available
docker sbom --version
Generating an SBOM
Example 1: NGINX Official Image
docker sbom nginx:latest
This lists every package detected inside the nginx:latest image.
Example 2: Node.js Application
Step 1 – Dockerfile
# simple Node.js app
FROM node:18-alpine
WORKDIR /app
# copy the manifests first so the dependency layer is cached between builds
COPY package*.json ./
RUN npm install --production
# copy the application source
COPY . .
CMD ["node", "index.js"]
Step 2 – Build Image
docker build -t my-node-app .
Step 3 – Generate SBOM
docker sbom my-node-app
Exporting SBOMs
By default, Docker outputs SBOMs in SPDX JSON format. You can save it to a file:
docker sbom nginx:latest --format spdx-json > sbom.json
Alternative format (CycloneDX):
docker sbom nginx:latest --format cyclonedx-json > sbom.cdx.json
Integrating SBOMs into CI/CD
A minimal GitHub Actions workflow that builds the image, generates an SPDX JSON SBOM, and uploads it as a build artifact:
name: Build and SBOM
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Build Docker image
        run: docker build -t my-node-app .
      - name: Generate SBOM
        run: docker sbom my-node-app --format spdx-json > sbom.json
      - name: Upload SBOM
        uses: actions/upload-artifact@v3
        with:
          name: sbom
          path: sbom.json
Scanning SBOMs for Vulnerabilities
SBOMs alone aren’t enough — you must scan them.
Using Grype
# Scan directly from image
grype my-node-app
# Or scan from SBOM file
grype sbom:sbom.json
This identifies CVEs linked to your packages.
Storing SBOMs
Best practices:
- Store SBOMs in artifact registries (ECR, Harbor, JFrog).
- Tag SBOMs with image hashes (sha256) for immutability.
- Keep them versioned alongside container images.
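The SPDX JSON files exported above can be processed without Docker. The following is an added example (not from the original post): it inventories two constructed SPDX JSON SBOMs for successive builds of my-node-app, reports added, removed and version-changed packages, and derives a storage key tagged with the image digest as recommended here. The package names, versions and digest are constructed sample data.

```python
import hashlib
import json

# Constructed, minimal SPDX 2.3 documents in the shape `docker sbom --format spdx-json`
# emits (only the fields this example reads); NOT real docker output.
def _spdx(name, packages):
    return json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
                       "name": name, "packages": packages})

def _pkg(name, version, purl=None):
    refs = [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": purl}] if purl else []
    return {"name": name, "versionInfo": version, "externalRefs": refs}

OLD_SBOM = _spdx("my-node-app:v1", [
    _pkg("express", "4.18.2", "pkg:npm/express@4.18.2"),
    _pkg("musl", "1.2.4-r1", "pkg:apk/alpine/musl@1.2.4-r1"),
    _pkg("lodash", "4.17.20"),                      # no purl recorded
])
NEW_SBOM = _spdx("my-node-app:v2", [
    _pkg("express", "4.19.2", "pkg:npm/express@4.19.2"),
    _pkg("musl", "1.2.4-r1", "pkg:apk/alpine/musl@1.2.4-r1"),
    _pkg("helmet", "7.1.0", "pkg:npm/helmet@7.1.0"),
])

def inventory(sbom_json):
    """Map '<ecosystem>:<name>' -> version; ecosystem is the purl type, or 'unknown'."""
    inv = {}
    for pkg in json.loads(sbom_json).get("packages", []):
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        eco = purl.split("/", 1)[0].removeprefix("pkg:") if purl else "unknown"
        inv[f"{eco}:{pkg['name']}"] = pkg.get("versionInfo", "")
    return inv

def diff_sboms(old_json, new_json):
    """Added, removed and version-changed packages between two builds of an image."""
    old, new = inventory(old_json), inventory(new_json)
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k])}

def artifact_key(image_digest, sbom_json):
    """Storage key binding the SBOM to the exact image digest (immutable, unlike a tag)
    and embedding the SBOM file's own sha256 so later tampering is detectable."""
    if not image_digest.startswith("sha256:") or len(image_digest) != 71:
        raise ValueError("expected an image digest like sha256:<64 hex chars>")
    sbom_hash = hashlib.sha256(sbom_json.encode()).hexdigest()
    return f"sbom/{image_digest.replace(':', '/')}/{sbom_hash}.spdx.json"
```

Run diff_sboms on the SBOMs of two consecutive image builds to see exactly which dependencies changed before re-scanning with Grype; artifact_key rejects a mutable tag such as my-node-app:latest so only digest-pinned SBOMs get stored.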
Best Practices
- Start small: generate SBOMs early in your pipeline.
- Automate SBOM creation in CI/CD.
- Always scan SBOMs with tools like Grype.
- Store SBOMs securely (artifact repos, Git).
- Consider signing SBOMs for integrity validation.
Conclusion
SBOMs bring visibility, compliance, and security to your containers. With Docker’s built-in SBOM support, it’s easier than ever to adopt.
Thanks for reading!
—
Guneycan Sanli