This tutorial illustrates how to create SBOMs from container images using the Docker Scout SBOM CLI utility.
Run the command:
docker scout sbom --help
You should see the resultant output:
Generate or display SBOM of an image
Usage
docker scout sbom [IMAGE|DIRECTORY|ARCHIVE]
Description
The docker scout sbom command analyzes a software artifact to generate the corresponding Software Bill Of Materials (SBOM).
The SBOM can be used to list all packages, or the ones from a specific type (as dep, maven, etc).
If no image is specified, the most recently built image is used.
The following artifact types are supported:
- Images
- OCI layout directories
- Tarball archives, as created by docker save
- Local directory or file
The tool analyzes the provided software artifact, and generates a vulnerability report.
By default, the tool expects an image reference, such as:
- redis
- curlimages/curl:7.87.0
- mcr.microsoft.com/dotnet/runtime:7.0
If the artifact you want to analyze is an OCI directory, a tarball archive, a local file or directory,
or if you want to control from where the image will be resolved, you must prefix the reference with one of the following:
- image:// (default) use a local image, or fall back to a registry lookup
- local:// use an image from the local image store (don't do a registry lookup)
- registry:// use an image from a registry (don't use a local image)
- oci-dir:// use an OCI layout directory
- archive:// use a tarball archive, as created by docker save
- fs:// use a local directory or file
Flags
--format string Output format:
- list: list of packages of the image
- json: json representation of the SBOM
- spdx: spdx representation of the SBOM (default "json")
--only-package-type strings Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc)
Can only be used with --format list
-o, --output string Write the report to a file
--platform string Platform of image to analyze
--ref string Reference to use if the provided tarball contains multiple references.
Can only be used with archive
Examples
Display the list of packages
$ docker scout sbom alpine --format list
Only display packages of a specific type
$ docker scout sbom --format list --only-package-type apk alpine
Display the full SBOM as json of the most recently built image
$ docker scout sbom
Write SBOM to a file
$ docker scout sbom --output alpine.sbom alpine
Learn More
Read docker scout cli reference at https://docs.docker.com/engine/reference/commandline/scout/
Report Issues
Raise bugs and feature requests at https://github.com/docker/scout-cli/issues
Send Feedback
Send feedback with docker feedback
To create an SBOM, run:
docker scout sbom --format <FORMAT> <IMAGE> -o <FILENAME>
Where:
FORMAT is one of:
IMAGE is one of:
A local image. Default, after which the utility searches for a remote image.
Preface the image with local:// to ensure a local image search, e.g. local://node.
A remote image from a registry. Default, after searching for a local image.
Preface with registry:// to ensure a registry search, e.g. registry://debian:buster.
An OCI layout directory.
Image OCI directories must be prefaced with oci-dir:// , e.g. oci-dir://ubuntu_latest.
A tarball archive.
Tarball image files must be prefaced with archive:// , e.g. archive://ubuntu_latest.tar.
A local directory or file.
Local image directories must be prefaced with fs:// , e.g. spdx fs://docker.
In regards to the output FORMAT, only SPDX is a standard SBOM format. As such, all example SBOMs created from this tool with be provided in SPDX.
Licenses generated by this SBOM generator may not conform to the SPDX License List, and as such may render the SBOM invalid for analysis.
| SPDX License List | Software Package Data Exchange (SPDX). (n.d.). https://spdx.org/licenses/ |