# 8. Hands-On Guide to SBOM
This guide will walk you through how to generate, analyze, and verify an SBOM (Software Bill of Materials) for your container images using Apko, Syft, and Trivy.
An SBOM (Software Bill of Materials) is an inventory of every component, dependency, and library inside a software package or container image. It helps with:
- Security: Identifies vulnerabilities (CVEs) in dependencies.
- Compliance: Ensures legal and licensing compliance.
- Supply Chain Integrity: Detects malicious or outdated packages.
There are multiple tools available:
| Tool | Purpose | SBOM Format Support |
|---|---|---|
| Apko | Generates SBOMs for APK-based container images. | SPDX, CycloneDX |
| Syft | Scans any container image or filesystem for SBOM generation. | SPDX, CycloneDX |
| Trivy | Generates SBOMs and checks for vulnerabilities. | SPDX, CycloneDX |
We'll cover Apko for APK-based images and Syft/Trivy for general container images.
If you're using Apko to build container images, you can generate an SBOM automatically as part of the build. Install Apko:

```bash
curl -Lo apko.tar.gz https://github.com/chainguard-dev/apko/releases/latest/download/apko-linux-amd64.tar.gz
tar -xvf apko.tar.gz
sudo mv apko /usr/local/bin/
```

Verify the installation:

```bash
apko version
```

Create an `apko.yaml` that lists the packages for the image and enables SBOM output:

```yaml
contents:
  packages:
    - busybox
    - openssl
sbom:
  enabled: true
  format: "spdx-json"
```

Build the image with SBOM generation enabled:

```bash
apko build --sbom apko.yaml my-container:latest my-container.tar
```

✅ This will generate an SBOM file in SPDX JSON format.
Syft can scan any container image and create an SBOM. Install it:

```bash
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
```

Verify the installation:

```bash
syft version
```

Generate an SBOM for the image:

```bash
syft my-container:latest -o spdx-json > sbom.json
```

✅ This scans `my-container:latest` and writes its SBOM to `sbom.json`.
Inspect the result:

```bash
cat sbom.json | jq .
```

This will output something like the following (simplified; a real SPDX document carries many more fields):

```json
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "my-container",
  "packages": [
    {
      "name": "openssl",
      "versionInfo": "1.1.1n",
      "license": "OpenSSL",
      "supplier": "Alpine Linux"
    },
    {
      "name": "busybox",
      "versionInfo": "1.35.0-r29",
      "license": "GPL-2.0",
      "supplier": "Alpine Linux"
    }
  ]
}
```

🔍 Now you have a complete list of installed packages, versions, and licenses.
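Once the SBOM exists, the "analyze" step is usually a script that consumes it. The following is an added example (not part of the page, nor of Syft, Apko or Trivy) that parses SPDX JSON, lists the packages, and applies a license allowlist. The sample document is constructed from the simplified output above; real Syft output stores licenses under the SPDX fields `licenseConcluded` and `licenseDeclared` (with `NOASSERTION` when unknown), so both spellings are handled. The allowlist `ALLOWED_LICENSES` is a hypothetical policy, not something any of the tools define.

```python
"""Minimal SPDX JSON SBOM consumer: list packages and apply a license policy.

Added example, not code from apko, syft or trivy. The sample SBOM below is
constructed from the simplified output shown in this guide; real Syft output
carries licenses under "licenseConcluded"/"licenseDeclared", and both
spellings are handled.
"""
import json

# Constructed sample SBOM, mirroring the simplified document shown above,
# plus one constructed entry with no license information.
SAMPLE_SBOM = json.dumps({
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "my-container",
    "packages": [
        {"name": "openssl", "versionInfo": "1.1.1n",
         "license": "OpenSSL", "supplier": "Alpine Linux"},
        {"name": "busybox", "versionInfo": "1.35.0-r29",
         "license": "GPL-2.0", "supplier": "Alpine Linux"},
        # Constructed: how Syft reports a package whose license it could not determine.
        {"name": "mystery-lib", "versionInfo": "0.1",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION"},
    ],
})

# Hypothetical policy: licenses this project is willing to ship.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0", "OpenSSL"}


def package_license(pkg):
    """Return the best available license string for one SPDX package entry.

    Prefers licenseConcluded, then licenseDeclared (the SPDX 2.x fields),
    and falls back to the simplified "license" key used in the example above.
    """
    for key in ("licenseConcluded", "licenseDeclared", "license"):
        value = pkg.get(key)
        if value and value != "NOASSERTION":
            return value
    return "NOASSERTION"


def load_packages(sbom_text):
    """Parse SPDX JSON text into (name, version, license, supplier) tuples."""
    doc = json.loads(sbom_text)
    return [
        (p["name"], p.get("versionInfo", ""), package_license(p), p.get("supplier", ""))
        for p in doc.get("packages", [])
    ]


def license_violations(sbom_text, allowed=ALLOWED_LICENSES):
    """Return (name, version, license) for packages outside the allowlist.

    NOASSERTION is treated as a violation: an unknown license is a
    compliance gap, not a pass.
    """
    return [
        (name, version, lic)
        for name, version, lic, _ in load_packages(sbom_text)
        if lic not in allowed
    ]


if __name__ == "__main__":
    import sys
    # Usage: python sbom_check.py sbom.json   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    for name, version, lic, supplier in load_packages(text):
        print(f"{name:<15} {version:<12} {lic:<12} {supplier}")
    bad = license_violations(text)
    if bad:
        print("License policy violations:", bad)
        sys.exit(1)
```

Run it against the `sbom.json` produced by Syft; a non-zero exit on a violation makes it usable as a CI gate. Treating `NOASSERTION` as a failure is deliberate: an SBOM entry with no license data tells you nothing about compliance, so it should be investigated rather than waved through.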
Trivy can generate an SBOM and detect vulnerabilities at the same time. Install it with a package manager:

```bash
brew install trivy       # macOS
sudo apt install trivy   # Ubuntu/Debian (requires the Aqua Security apt repository)
```

Or manually:

```bash
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/install.sh | sh
```

Verify the installation:

```bash
trivy version
```

Generate an SBOM:

```bash
trivy image --format spdx-json -o sbom.json my-container:latest
```

✅ This generates an SPDX-compliant SBOM.
Scan the same image for vulnerabilities:

```bash
trivy image my-container:latest
```

Example output (the CVE IDs and versions are illustrative):

```text
+----------------+------------------+----------+-------------------+---------------+
| PACKAGE        | VERSION          | SEVERITY | CVE ID            | FIXED VERSION |
+----------------+------------------+----------+-------------------+---------------+
| openssl        | 1.1.1n           | HIGH     | CVE-2022-12345    | 1.1.1p        |
| busybox        | 1.35.0-r29       | MEDIUM   | CVE-2023-6789     | 1.36.0-r1     |
+----------------+------------------+----------+-------------------+---------------+
```

🚀 Now you can detect and patch vulnerabilities!
If you're using GitHub Actions, add this workflow to automate SBOM generation on every push to `main`:

```yaml
name: SBOM Check
on:
  push:
    branches:
      - main
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3
      - name: Install Syft
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
      # Assumes my-container:latest has already been built or pulled in an earlier step of this job.
      - name: Generate SBOM
        run: |
          syft my-container:latest -o spdx-json > sbom.json
      - name: Upload SBOM
        uses: actions/upload-artifact@v3
        with:
          name: sbom
          path: sbom.json
```

✅ This will generate an SBOM for every push and upload it as a build artifact.
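Uploading an SBOM per build is most useful when each new SBOM is compared with the previous one, so that a package nobody intended to add, or a version that silently changed, shows up in the build log. The script below is an added example (not part of the page or of Syft): it diffs two SPDX JSON documents by package name and `versionInfo` and reports additions, removals and version changes. Both sample documents are constructed; the `expected` allowlist in `unexpected_additions` is a hypothetical input a team would maintain alongside the workflow.

```python
"""Compare two SPDX JSON SBOMs: package additions, removals and version changes.

Added example, not part of the original page or of Syft. Assumes both inputs
are SPDX JSON as produced by `syft ... -o spdx-json`, with the package list
under "packages" and the fields "name" and "versionInfo". Sample data is constructed.
"""
import json

# Constructed baseline SBOM, standing in for the artifact of the previous build.
BASELINE_SBOM = json.dumps({
    "SPDXID": "SPDXRef-DOCUMENT", "name": "my-container",
    "packages": [
        {"name": "openssl", "versionInfo": "1.1.1n"},
        {"name": "busybox", "versionInfo": "1.35.0-r29"},
    ],
})

# Constructed SBOM for the new build: openssl upgraded, busybox unchanged, curl newly added.
CURRENT_SBOM = json.dumps({
    "SPDXID": "SPDXRef-DOCUMENT", "name": "my-container",
    "packages": [
        {"name": "openssl", "versionInfo": "1.1.1p"},
        {"name": "busybox", "versionInfo": "1.35.0-r29"},
        {"name": "curl", "versionInfo": "8.0.0-r0"},
    ],
})


def package_versions(sbom_text):
    """Map package name -> set of versions (one name can legitimately appear twice)."""
    versions = {}
    for pkg in json.loads(sbom_text).get("packages", []):
        versions.setdefault(pkg["name"], set()).add(pkg.get("versionInfo", ""))
    return versions


def diff_sboms(baseline_text, current_text):
    """Return {"added": [...], "removed": [...], "changed": [(name, old, new)]}, sorted by name."""
    old, new = package_versions(baseline_text), package_versions(current_text)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = [
        (name, sorted(old[name]), sorted(new[name]))
        for name in sorted(set(old) & set(new))
        if old[name] != new[name]
    ]
    return {"added": added, "removed": removed, "changed": changed}


def unexpected_additions(baseline_text, current_text, expected=()):
    """Added packages not on the expected list: the ones a reviewer should look at first."""
    expected = set(expected)
    return [n for n in diff_sboms(baseline_text, current_text)["added"] if n not in expected]


if __name__ == "__main__":
    import sys
    # Usage: python sbom_diff.py previous-sbom.json sbom.json  (falls back to the constructed samples)
    if len(sys.argv) == 3:
        base, cur = (open(p).read() for p in sys.argv[1:3])
    else:
        base, cur = BASELINE_SBOM, CURRENT_SBOM
    result = diff_sboms(base, cur)
    for key in ("added", "removed", "changed"):
        print(f"{key}: {result[key]}")
    if unexpected_additions(base, cur):
        sys.exit(1)
```

In the workflow above this would run as an extra step after "Generate SBOM", with the previous build's `sbom` artifact downloaded as the baseline. Exiting non-zero on an unexpected addition turns the SBOM from a record into a control: a dependency that appears without a matching change to the allowlist fails the build instead of shipping unnoticed.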
| Tool | Best For |
|---|---|
| Apko | SBOM for Alpine-based images (OCI) |
| Syft | SBOM for any container image or filesystem |
| Trivy | SBOM + vulnerability scanning |
🚀 Next Steps
- Use Apko if you are building APK-based images.
- Use Syft if you need SBOMs for any container.
- Use Trivy if you want SBOM + security scanning.