{"id":479019,"date":"2022-07-29T11:04:31","date_gmt":"2022-07-29T08:04:31","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-use-docker-sbom-to-index-your-docker-images-packages\/"},"modified":"2022-07-29T11:04:31","modified_gmt":"2022-07-29T08:04:31","slug":"how-to-use-docker-sbom-to-index-your-docker-images-packages","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-use-docker-sbom-to-index-your-docker-images-packages\/","title":{"rendered":"#How to Use \u201cdocker sbom\u201d to Index Your Docker Image\u2019s Packages"},"content":{"rendered":"<h1><span class=\"ez-toc-section\" id=\"%E2%80%9CHow_to_Use_%E2%80%9Cdocker_sbom%E2%80%9D_to_Index_Your_Docker_Images_Packages%E2%80%9D\"><\/span>&#8220;How to Use \u201cdocker sbom\u201d to Index Your Docker Image\u2019s Packages&#8221;<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<div>\n<img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage alignnone size-full wp-image-803108\" data-pagespeed-no-defer=\"\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/05\/Docker.jpeg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Docker logo\" width=\"1602\" height=\"902\"\/>\n<p>Software supply chain security has become topical in the wake of high-profile dependency-based attacks. Producing an SBOM for your software artifacts can help you identify weaknesses and trim down the number of packages you rely on.<\/p>\n<p>A new Docker feature <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.docker.com\/blog\/announcing-docker-sbom-a-step-towards-more-visibility-into-docker-images\">integrates support for<\/a> SBOM generation into the <code>docker<\/code> CLI. This lets you produce an SBOM alongside your build, then distribute it to consumers of your image.<\/p>\n<h2 id=\"the-docker-sbom-command\"><span class=\"ez-toc-section\" id=\"The_%E2%80%9Cdocker_sbom%E2%80%9D_Command\"><\/span>The \u201cdocker sbom\u201d Command<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The new <code>docker sbom<\/code> command is bundled with Docker Desktop versions 4.7.0 and later. You can add the command to a Docker Engine installation on Linux by installing the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/docker\/sbom-cli-plugin\"><code>docker-sbom<\/code> plugin<\/a> from GitHub:<\/p>\n<pre>$ curl -sSfL https:\/\/raw.githubusercontent.com\/docker\/sbom-cli-plugin\/main\/install.sh | sh -s --<\/pre>\n<p>Check that the installation succeeded by running the command:<\/p>\n<pre>$ docker sbom&#13;\n&#13;\nUsage:  docker sbom [OPTIONS] COMMAND&#13;\n&#13;\nView the packaged-based Software Bill Of Materials (SBOM) for an image.&#13;\n...<\/pre>\n<p>Now you can generate the SBOM for a Docker image by passing its tag to the command:<\/p>\n<pre>$ docker sbom nginx:latest&#13;\nSyft v0.43.0&#13;\n \u2714 Pulled image            &#13;\n \u2714 Loaded image            &#13;\n \u2714 Parsed image            &#13;\n \u2714 Cataloged packages      [143 packages]&#13;\nNAME                       VERSION                         TYPE         &#13;\nadduser                
    3.118                           deb           &#13;\napt                        2.2.4                           deb           &#13;\nbase-files                 11.1+deb11u3                    deb           &#13;\nbase-passwd                3.5.51                          deb           &#13;\nbash                       5.1-2+b3                        deb           &#13;\nbsdutils                   1:2.36.1-8+deb11u1              deb   &#13;\n...<\/pre>\n<p>The CLI will pull the specified image if it doesn\u2019t already exist on your system. The image\u2019s content is then indexed and a package list displayed in your terminal.<\/p>\n<p>Under the hood, Docker uses the popular Syft SBOM generator to scan and index the image. The active Syft version is shown each time you use the command. Its output matches what a standalone Syft installation would produce.<\/p>\n<p>Syft is capable of identifying operating system packages and programming language dependencies. The type of each detected package is displayed in the command\u2019s output, next to its name and precise version. You can use this information to accurately audit your container images and discover the software they rely on. When a major vulnerability is reported, you can consult the image\u2019s SBOM to quickly check whether you\u2019re affected.<\/p>\n<h2 id=\"customizing-output\"><span class=\"ez-toc-section\" id=\"Customizing_Output\"><\/span>Customizing Output<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Output is displayed as a human-readable table by default. This is ideal for distribution alongside your image or as part of your documentation.<\/p>\n<p>You can strip out the lines containing the Syft version and progress report by adding the <code>--quiet<\/code> flag. Use <code>--output<\/code> to write the report into a file, instead of your terminal window. Combining these two options lets you easily save the package list data.<\/p>\n<pre>$ docker sbom --output sbom.txt --quiet nginx:latest<\/pre>\n<p>Several alternative output formats are available via the <code>--format<\/code> flag. The <code>text<\/code> variant is another human-readable option using a row-based layout:<\/p>\n<pre>$ docker sbom --format text --quiet nginx:latest&#13;\n[Image]&#13;\n Layer:      0&#13;\n Digest:     sha256:9c1b6dd6c1e6be9fdd2b1987783824670d3b0dd7ae8ad6f57dc3cea5739ac71e&#13;\n Size:       80400891&#13;\n MediaType:  application\/vnd.docker.image.rootfs.diff.tar.gzip&#13;\n&#13;\n...&#13;\n&#13;\n[adduser]&#13;\n Version:    3.118&#13;\n Type:       deb&#13;\n Found by:   dpkgdb-cataloger&#13;\n&#13;\n[apt]&#13;\n Version:    2.2.4&#13;\n Type:       deb&#13;\n Found by:   dpkgdb-cataloger<\/pre>\n<p>The <code>[Image]<\/code> section enumerates the details of all the layers within the scanned image. The following sections list the detected packages, providing their type and version as nested properties.<\/p>\n<p>Several other formats are supported too, each of which can be activated using the <code>--format<\/code> flag. These are better choices when you want to consume SBOM data programmatically using third-party tools.<\/p>\n<ul>\n<li><code>syft-json<\/code> \u2013 Output a report in Syft\u2019s native JSON format.<\/li>\n<li><code>cyclonedx-xml<\/code>\/<code>cyclonedx-json<\/code> \u2013 Produce a CycloneDX standards-compatible report as XML or JSON. This SBOM standard is led by OWASP.<\/li>\n<li><code>github-0-json<\/code> \u2013 A GitHub-compatible report format.<\/li>\n<li><code>spdx-tag-value<\/code>\/<code>spdx-json<\/code> \u2013 Compatible with the SPDX standard for expressing SBOMs, which is defined by the Linux Foundation.<\/li>\n<\/ul>\n<p>Scans usually look at everything in the image\u2019s filesystem. Sometimes you might want to exclude specific directories to stop some packages from showing in the output. Pass a glob expression to the <code>--exclude<\/code> flag to filter out particular paths. You could use this to only index the packages associated with your application, instead of those belonging to the image\u2019s operating system layer.<\/p>\n<pre>$ docker sbom --exclude \/var nginx:latest<\/pre>\n<p>On occasion you may need to scan an image built for an architecture that differs from your current platform. Use the <code>--platform<\/code> flag to select a different multi-arch variant, such as <code>linux<\/code> or <code>arm64<\/code>:<\/p>\n<pre>$ docker sbom --platform arm64 nginx:latest<\/pre>\n<p>This lets you index images you\u2019ve built for other platforms without switching between physical hardware devices.<\/p>\n<h2 id=\"use-cases\"><span class=\"ez-toc-section\" id=\"Use_Cases\"><\/span>Use Cases<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>More developers are beginning to recognize the benefits of SBOMs. They highlight excessively long dependency lists, providing pruning opportunities that reduce your threat exposure. For software consumers, SBOMs are an increasingly important tool when gauging the risk presented by a new project. They\u2019re likely to become a required deliverable for software commissioned by major organizations and government agencies.<\/p>\n<p>Once you\u2019ve got an SBOM, the data can be used with automated tools to further pinpoint security issues. As an example, you could pass the output of <code>docker sbom<\/code> directly into Grype to identify CVEs associated with the packages in your image:<\/p>\n<pre>$ docker sbom --format syft-json nginx:latest | grype<\/pre>\n<p>SBOM generation has previously relied on adoption of new tools such as Syft. This reduces discoverability and makes the SBOM a bolt-on extra, rather than something intrinsic to your artifacts. By integrating SBOMs into the Docker CLI, more developers will be able to produce reports throughout the software lifecycle.<\/p>\n<p>The current implementation of <code>docker sbom<\/code> is considered experimental and limited in scope. In the future, SBOM data <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.docker.com\/blog\/announcing-docker-sbom-a-step-towards-more-visibility-into-docker-images\">could be captured as part of<\/a> the image build process. <code>docker sbom<\/code> would then surface this information, instead of performing an active on-demand scan.<\/p>\n<p>Integrating SBOMs into <code>docker build<\/code> would make them a first-class component in the container toolchain, guaranteeing every image is accompanied by an SBOM throughout its life. Storing an image in a registry would include the corresponding SBOM, even if the registry host was air-gapped and unable to perform active scans. This functionality is still some way off though. Today\u2019s version of <code>docker sbom<\/code> remains a powerful tool that makes container image SBOMs easier to produce.<\/p>\n<h2 id=\"summary\"><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The <code>docker sbom<\/code> command lets you generate the SBOM for a Docker image without installing a standalone tool. The Docker CLI integrates with Syft to provide on-demand scans that produce an index of packages present in the image\u2019s filesystem.<\/p>\n<p>You can start using <code>docker sbom<\/code> today by updating to Docker Desktop v4.7.0 or installing the SBOM plugin for Docker Engine on Linux. Generating an SBOM each time you build your image will help you identify and address dependency bloat before it becomes a problem. You can often reduce the number of packages in your image by switching to a minimal base image such as <code>alpine<\/code> and removing unused programming language dependencies.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.howtogeek.com\/devops\/how-to-use-docker-sbom-to-index-your-docker-images-packages\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;How to Use \u201cdocker sbom\u201d to Index Your Docker Image\u2019s Packages&#8221; Software supply chain security has become topical in the wake of high profile dependency-based attacks. Producing an SBOM for your software artifacts can help you identify weaknesses and trim down the number of packages you rely on. 
A new Docker feature integrates support for&#8230;<\/p>\n","protected":false},"author":1,"featured_media":479020,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/05\/Docker.jpeg?height=200p&trim=2,2,2,2","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-479019","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/479019","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=479019"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/479019\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/479020"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=479019"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=479019"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=479019"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}