Generating a Software Bill of Materials (SBOM) for container images is becoming essential for security and compliance. Docker's new guide covers best practices for integrating SBOM generation into container workflows, whether at build time or after images are built.
Key points from the guide:

- Build-time SBOM generation uses tools like `docker sbom` (via the Docker Scout plugin) or `syft` to capture dependencies as they are installed, ensuring accuracy and traceability. Use `docker scout sbom` or `syft <image>` for Syft-based generation.
- Post-build SBOM generation is useful for images already in registries, using tools like `trivy image --format cyclonedx` or `grype <image>` to produce SBOMs on demand.
- SBOM quality criteria include completeness (all packages and versions), accuracy, and format compliance (e.g., CycloneDX or SPDX). The guide recommends validating SBOMs with `cyclonedx-cli validate` or `spdx-validator`.
- CI/CD integration can be achieved by adding SBOM generation as a step in your pipeline. For GitHub Actions, use `anchore/sbom-action@v0`; for GitLab, a job with `syft <image> -o cyclonedx-json > sbom.json`. The guide also covers using Docker Scout for continuous SBOM analysis.
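The quality criteria and the CI/CD step above combine naturally into a pipeline gate: generate the SBOM, then fail the job if it is not complete, consistent and well-formed. The script below is an added example, not code from Docker's guide or from the Syft, Trivy or CycloneDX projects. It assumes a CycloneDX JSON document of the kind `syft <image> -o cyclonedx-json > sbom.json` writes, checks the three criteria the guide names (completeness: every component has a name and version; accuracy: the declared version agrees with the version embedded in the package URL; format compliance: the top-level CycloneDX fields are present), and embeds a constructed sample SBOM so it runs offline. The sample components, the `evaluate`/`check_*` function names and the exit-code convention are all assumptions for illustration.

```python
"""Minimal CycloneDX SBOM quality gate (added example, not Docker's or Syft's code).

Usage in a pipeline (assumed):  python sbom_gate.py sbom.json
With no argument it checks the constructed sample below.
"""
import json
import re
import sys
from typing import Dict, List

# Constructed sample SBOM (not real scan output): one complete component,
# one missing its version, and one whose purl version disagrees with the
# declared version.  Names and versions are illustrative only.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "container", "name": "example/app:1.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13-1~deb12u1",
         "purl": "pkg:deb/debian/openssl@3.0.13-1~deb12u1?arch=amd64"},
        {"type": "library", "name": "zlib1g",
         "purl": "pkg:deb/debian/zlib1g"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.32.0"},
    ],
})

# The version segment of a package URL: everything after '@' up to the
# qualifiers ('?') or subpath ('#').  Namespace '@' signs are percent-encoded
# in purls, so the first bare '@' is the version separator.
PURL_VERSION = re.compile(r"@([^?#]+)")


def check_format(doc: Dict) -> List[str]:
    """Format compliance: the top-level fields a CycloneDX JSON BOM must carry."""
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if not str(doc.get("specVersion", "")).startswith("1."):
        problems.append("specVersion missing or not a 1.x CycloneDX version")
    if not isinstance(doc.get("components"), list):
        problems.append("components list missing")
    return problems


def check_components(doc: Dict) -> List[str]:
    """Completeness (name, version, purl present) and accuracy (version matches purl)."""
    problems = []
    for idx, comp in enumerate(doc.get("components", [])):
        label = comp.get("name") or f"component[{idx}]"
        if not comp.get("name"):
            problems.append(f"component[{idx}]: missing name")
        version = comp.get("version")
        if not version:
            problems.append(f"{label}: missing version")
        purl = comp.get("purl")
        if not purl:
            problems.append(f"{label}: missing purl")
            continue
        match = PURL_VERSION.search(purl)
        if version and match and match.group(1) != version:
            problems.append(f"{label}: version {version} disagrees with purl {purl}")
    return problems


def evaluate(sbom_json: str) -> List[str]:
    """Parse an SBOM document and return every finding; an empty list means it passes."""
    doc = json.loads(sbom_json)
    problems = check_format(doc)
    if isinstance(doc.get("components"), list):
        problems += check_components(doc)
    return problems


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SBOM
    findings = evaluate(text)
    for line in findings:
        print(f"SBOM check failed: {line}")
    # Non-zero exit makes the CI job fail, so an incomplete SBOM never
    # reaches the vulnerability-scanning or compliance-reporting stages.
    sys.exit(1 if findings else 0)
```

Running it on the constructed sample reports the missing `zlib1g` version and the `requests` version mismatch and exits non-zero; a clean SBOM exits zero. This does not replace `cyclonedx-cli validate`, which checks the full schema; it is the cheap semantic gate you would run in the same job, after generation and before scanning.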
For developers, adopting SBOM generation improves supply chain security. Build-time generation is more accurate but may increase build time, while post-build is easier to retrofit. Including SBOMs in CI/CD enables automated vulnerability scanning and compliance reporting, aligning with Executive Order 14028 and CISA guidelines.
Source: https://www.docker.com/blog/sbom-generation-for-container-workflows/