How to Use “docker sbom” to Index Your Docker Image’s Packages


Docker logo

Software program provide chain safety has turn into topical within the wake of excessive profile dependency-based assaults. Producing an SBOM on your software program artifacts may help you determine weaknesses and trim down the variety of packages you depend on.

A brand new Docker function integrates assist for SBOM technology into the docker CLI. This allows you to produce an SBOM alongside your construct, then distribute it to customers of your picture.

The “docker sbom” Command

The brand new docker sbom command is bundled with Docker Desktop variations 4.7.0 and later. You possibly can add the command to a Docker Engine set up on Linux by putting in the docker-sbom plugin from GitHub:

$ curl -sSfL | sh -s --

Verify the set up succeeded by working the command:

$ docker sbom

Utilization:  docker sbom [OPTIONS] COMMAND

View the packaged-based Software program Invoice Of Supplies (SBOM) for a picture.

Now you may generate the SBOM for a Docker picture by passing its tag to the command:

$ docker sbom nginx:newest
Syft v0.43.0
 ✔ Pulled picture            
 ✔ Loaded picture            
 ✔ Parsed picture            
 ✔ Cataloged packages      [143 packages]
NAME                       VERSION                         TYPE         
adduser                    3.118                           deb           
apt                        2.2.4                           deb           
base-files                 11.1+deb11u3                    deb           
base-passwd                3.5.51                          deb           
bash                       5.1-2+b3                        deb           
bsdutils                   1:2.36.1-8+deb11u1              deb   

The CLI will pull the required picture if it doesn’t exist already in your system. The picture’s content material is then listed and a package deal listing displayed in your terminal.

Underneath the hood, Docker makes use of the favored Syft SBOM generator to scan and index the picture. The energetic Syft model is proven every time you utilize the command. Its output matches what a standalone Syft set up would produce.

Syft is able to figuring out working system packages and programming language dependencies. The kind of every detected package deal is displayed within the command’s output, subsequent to its identify and exact model. You should use this data to precisely audit your container pictures and uncover software program they depend on. When a significant vulnerability is reported, you may seek the advice of the picture’s SBOM to rapidly verify whether or not you’re affected.

Customizing Output

Output is displayed as a human-readable desk by default. That is splendid for distribution alongside your picture or as a part of your documentation.

You possibly can strip out the traces containing the Syft model and progress report by including the --quiet flag. Use --output to put in writing the report right into a file, as a substitute of your terminal window. Combining these two choices allows you to simply save the package deal listing knowledge.

$ docker sbom --output sbom.txt --quiet nginx:newest

A number of various output codecs can be found through the --format flag. The textual content variant is one other human-readable possibility utilizing a row-based format:

$ docker sbom --format textual content --quiet nginx:newest
 Layer:      0
 Digest:     sha256:9c1b6dd6c1e6be9fdd2b1987783824670d3b0dd7ae8ad6f57dc3cea5739ac71e
 Dimension:       80400891
 MediaType:  utility/vnd.docker.picture.rootfs.diff.tar.gzip


 Model:    3.118
 Sort:       deb
 Discovered by:   dpkgdb-cataloger

 Model:    2.2.4
 Sort:       deb
 Discovered by:   dpkgdb-cataloger

The [Image] part enumerates the main points of all of the layers throughout the scanned picture. The next sections listing the detected packages, offering their sort and model as nested properties.

A number of different codecs are supported too, every of which may be activated utilizing the --format flag. These are higher selections once you need to eat SBOM knowledge programmatically utilizing third-party instruments.

  • syft-json – Output a report in Syft’s native JSON format.
  • cyclonedx-xml/cyclonedx-json – Produce a CycloneDX standards-compatible report as XML or JSON. This SBOM commonplace is led by OWASP.
  • github-0-json – A GitHub-compatible report format.
  • spdx-tag-value/spdx-json – Suitable with the SPDX commonplace for expressing SBOMs, which is outlined by the Linux Basis.

Scans normally have a look at every little thing within the picture’s filesystem. Typically you may need to exclude particular directories to cease some packages displaying within the output. Cross a glob expression to the --exclude flag to filter out explicit paths. You possibly can use this to solely index the packages related together with your utility, as a substitute of these belonging to the picture’s working system layer.

$ docker sbom --exclude /var nginx:newest

From time to time you could have to scan a picture constructed for an structure that differs out of your present platform. Use the --platform flag to pick a unique multi-arch variant, resembling linux or arm64:

$ docker sbom --platform arm64 nginx:newest

This allows you to index pictures you’ve constructed for different platforms with out switching between bodily {hardware} gadgets.

Use Instances

Extra builders are starting to acknowledge the advantages of SBOMs. They spotlight excessively lengthy dependency lists, offering pruning alternatives that cut back your risk publicity. For software program customers, SBOMs are an more and more essential device when gauging the chance introduced by a brand new mission. They’re more likely to turn into a required deliverable for software program commissioned by main organizations and authorities companies.

When you’ve acquired an SBOM, the information can be utilized with automated instruments to additional pinpoint safety points. For example, you can move the output of docker sbom immediately into Grype to determine CVEs related to the packages in your picture:

$ docker sbom --format syft-json nginx:newest | grype

SBOM technology has beforehand relied on adoption of latest instruments resembling Syft. This reduces discoverability and makes the SBOM a bolt-on further, relatively than one thing intrinsic to your artifacts. By integrating SBOMs into the Docker CLI, extra builders will have the ability to produce reviews all through the software program lifecycle.

The present implementation of docker sbom is taken into account experimental and restricted in scope. Sooner or later, SBOM knowledge might be captured as a part of the picture construct course of. docker sbom would then floor this data, as a substitute of performing an energetic on-demand scan.

Integrating SBOMs into docker construct would make them a first-class part within the container toolchain, guaranteeing each picture is accompanied by an SBOM all through its life. Storing a picture in a registry would come with the corresponding SBOM, even when the registry host was air-gapped and unable to carry out energetic scans. This performance remains to be a way off although. Right now’s model of docker sbom stays a robust device that makes container picture SBOMs simpler to supply.


The docker sbom command allows you to generate the SBOM for a Docker picture with out putting in a standalone device. The Docker CLI integrates with Syft to offer on-demand scans that produce an index of packages current within the picture’s filesystem.

You can begin utilizing docker sbom at this time by updating to Docker Desktop v4.7.0 or putting in the SBOM plugin for Docker Engine on Linux. Producing an SBOM every time you construct your picture will make it easier to determine and handle dependency bloat earlier than it turns into an issue. You possibly can typically cut back the variety of packages in your picture by switching to a minimal base picture resembling alpine and eradicating unused programming language dependencies.

Share post:



More like this

Why advances in neural 3D rendering aren’t reaching the market

Had been you unable to attend Remodel 2022?...

My Hero Academia S6 Ep1 confirms series is taking dark path

The primary episode of the sixth season of...

Border Agents Apprehend Known Terrorists, Thousands of Criminals, Gang Members

By Bethany Blankley (The Middle Sq.) U.S. Customs and...

The Most Influential Digital Cameras Of Our Time

There’s no good approach to compile a complete...