Why SBOMs Are Critical for Container Security (and How Docker Makes Them Painless)

Docker · 23 Jun 2026 · 2 min read

#docker

A Software Bill of Materials (SBOM) is a machine-readable inventory of all open-source and third-party components in your application. As containerized deployments scale, SBOMs have become essential for tracking dependencies, managing vulnerabilities, and meeting compliance standards like EO 14028 and PCI DSS 4.0.

Recent research from Omdia’s 2026 software supply chain security report highlights a critical gap: 73% of organizations that generate SBOMs say they enable more efficient vulnerability mitigation, yet 86% still find the generation process challenging. Developers building containerized applications are at the heart of this challenge.

Key Changes & Implications for Developers

  • Docker now integrates SBOM generation directly into the CLI with docker sbom, powered by Anchore Syft. You can generate an SBOM from any Docker image using:
    # Generate an SBOM for the latest nginx image (default output is a human-readable table)
    docker sbom nginx:latest

  • The command can emit CycloneDX or SPDX, both industry-standard SBOM schemas. Use the --format flag to choose:
    # CycloneDX as JSON; cyclonedx-xml, spdx-json and spdx-tag-value select the other schema outputs
    docker sbom --format cyclonedx-json nginx:latest

  • SBOMs are generated at build time by default, capturing all installed packages, library versions, and licenses. This prevents drift from run-time changes.
  • Docker Desktop includes a visual SBOM viewer in the Docker Dashboard, making it easy to inspect dependencies without leaving the GUI.
  • Teams can automate SBOM generation in CI/CD pipelines by running docker sbom from GitHub Actions or Jenkins, ensuring every container image is audited before deployment.
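As an added example (not code from the Docker post), the kind of CI gate the last bullet calls for: a small Python script that consumes the CycloneDX JSON that docker sbom --format cyclonedx-json writes and fails the pipeline on denied licenses or on components a vulnerability feed lists as affected. The SBOM document, the license deny-list and the affected-package entries are constructed placeholders, not real advisories.

```python
"""CI gate over a CycloneDX SBOM, e.g. `docker sbom --format cyclonedx-json IMAGE | python gate.py`."""
import json
import sys

# Constructed CycloneDX 1.4 document, trimmed to the fields the gate needs.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:deb/debian/openssl@1.1.1k",
         "licenses": [{"license": {"id": "OpenSSL"}}]},
        {"type": "library", "name": "libgcrypt20", "version": "1.8.7",
         "purl": "pkg:deb/debian/libgcrypt20@1.8.7",
         "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
        {"type": "library", "name": "leftpad-ish", "version": "0.9.0",
         "purl": "pkg:npm/leftpad-ish@0.9.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    ],
})

# Constructed policy: licenses the organisation will not ship in an image, and
# (name, version) pairs a vulnerability feed reports as affected (placeholders).
DENIED_LICENSES = {"AGPL-3.0-only", "GPL-3.0-only"}
AFFECTED = {("openssl", "1.1.1k")}


def licenses_of(component):
    """Collect SPDX ids (or free-text license names) from one CycloneDX component."""
    found = set()
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        found.add(lic.get("id") or lic.get("name") or "UNKNOWN")
    return found


def audit_sbom(sbom_json):
    """Return sorted findings for an SBOM document; an empty list means the image passes."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version", "")
        for lic in licenses_of(comp) & DENIED_LICENSES:
            findings.append(f"license:{name}@{version}:{lic}")
        if (name, version) in AFFECTED:
            findings.append(f"vuln:{name}@{version}")
    return sorted(findings)


if __name__ == "__main__":
    # Read an SBOM from the file given on the command line, else audit the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    problems = audit_sbom(data)
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)  # non-zero exit blocks the deployment stage
```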

Why This Matters

For developers, manual SBOM creation is error-prone and time-consuming. Docker’s native support shifts the burden from “how do I generate an SBOM?” to “how do I act on the findings?”. With built-in integration, you can now embed SBOM generation into your existing workflows—whether you use docker build, docker compose, or orchestration tools. This means faster vulnerability triage, clearer license compliance, and confidence when shipping containers to production.

Source: https://www.docker.com/blog/what-is-an-sbom/
