How to use docker scout sbom command to generate and display SBOMs

Introduction

In this lab, you will learn how to use the docker scout sbom command to generate and display Software Bill of Materials (SBOMs) for Docker images. You will begin by generating and displaying a basic SBOM in JSON format, which provides a detailed list of software components within an image.

Following the generation of the basic SBOM, you will explore how to display a more human-readable list of packages found in the SBOM. You will also learn how to filter this package list by type, allowing you to focus on specific categories of components. Finally, you will practice writing the generated SBOM to a file for later use or analysis. This lab will equip you with the fundamental skills to leverage docker scout sbom for understanding the composition of your Docker images.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL docker(("Docker")) -.-> docker/ContainerOperationsGroup(["Container Operations"]) docker(("Docker")) -.-> docker/ImageOperationsGroup(["Image Operations"]) docker(("Docker")) -.-> docker/VolumeOperationsGroup(["Volume Operations"]) docker/ContainerOperationsGroup -.-> docker/ls("List Containers") docker/ContainerOperationsGroup -.-> docker/inspect("Inspect Container") docker/ImageOperationsGroup -.-> docker/pull("Pull Image from Repository") docker/ImageOperationsGroup -.-> docker/images("List Images") docker/ImageOperationsGroup -.-> docker/load("Load Image") docker/VolumeOperationsGroup -.-> docker/cp("Copy Data Between Host and Container") subgraph Lab Skills docker/ls -.-> lab-555215{{"How to use docker scout sbom command to generate and display SBOMs"}} docker/inspect -.-> lab-555215{{"How to use docker scout sbom command to generate and display SBOMs"}} docker/pull -.-> lab-555215{{"How to use docker scout sbom command to generate and display SBOMs"}} docker/images -.-> lab-555215{{"How to use docker scout sbom command to generate and display SBOMs"}} docker/load -.-> lab-555215{{"How to use docker scout sbom command to generate and display SBOMs"}} docker/cp -.-> lab-555215{{"How to use docker scout sbom command to generate and display SBOMs"}} end

Generate and display a basic SBOM in JSON format

In this step, we will learn how to generate a basic Software Bill of Materials (SBOM) for a Docker image and display it in JSON format. An SBOM is a formal list of ingredients that make up a software component. It's like a packing list for your software, detailing all the third-party components, libraries, and dependencies used. Generating an SBOM is crucial for understanding the security posture and licensing compliance of your software.

We will use the syft tool to generate the SBOM. syft is a command-line tool and library for generating an SBOM from container images and filesystems.

First, let's pull a simple Docker image that we will use for this demonstration. We will use the alpine:latest image, which is a lightweight Linux distribution.

docker pull alpine:latest

You should see output indicating that the image is being pulled and downloaded.

Using default tag: latest
latest: Pulling from library/alpine
...
Status: Downloaded newer image for alpine:latest
docker.io/library/alpine:latest

Now that we have the image, we can generate the SBOM. We will use the syft command with the image name and specify the output format as JSON.

syft alpine:latest -o json

This command will analyze the alpine:latest image and output the SBOM in JSON format directly to your terminal. The output will be a large JSON object containing information about the packages found in the image, including their names, versions, licenses, and types.

You can scroll through the output to see the different components listed in the SBOM. This basic JSON output provides a comprehensive view of the software components within the image.

Display a list of packages in the SBOM

In the previous step, we generated a detailed SBOM in JSON format. While comprehensive, the JSON output can be difficult to read directly in the terminal. In this step, we will learn how to display a more human-readable list of the packages found in the Docker image.

syft provides a simple table format that is easy to scan and understand. We can use the -o table option to generate the SBOM in this format.

syft alpine:latest -o table

This command will analyze the alpine:latest image again, but this time it will output the SBOM as a table. The table will typically include columns like NAME, VERSION, TYPE, and LOCATIONS.

You should see output similar to this:

 ✔ Loaded image
 ✔ Analyzed image
 ├── apk
 │   ├── busybox
 │   ├── alpine-baselayout
 │   ├── alpine-keys
 │   ├── apk-tools
 │   ├── zlib
 │   ├── libcrypto1.1
 │   ├── libssl1.1
 │   ├── musl
 │   ├── musl-utils
 │   ├── scanelf
 │   ├── ssl_certs
 │   └── zlib
 └── filesystem
     └── etc/os-release

This table format makes it much easier to quickly see the names and versions of the packages installed in the image. This is particularly useful for getting a quick overview of the image's contents.

Filter the package list by type

In the previous step, we displayed the SBOM as a table, which is easier to read than the JSON output. However, sometimes you might only be interested in specific types of packages. For example, you might only want to see the operating system packages or the application dependencies.

syft allows you to filter the package list by type using the --package-type option. You can specify one or more package types to include in the output. Common package types include apk, deb, rpm, gem, npm, pip, go-module, etc. For the alpine:latest image, the primary package type is apk.

Let's filter the SBOM to only show packages of type apk.

syft alpine:latest -o table --package-type apk

This command will generate the SBOM in table format, but it will only include entries where the package type is apk.

You should see output similar to the table from the previous step, but potentially with fewer entries if there were other package types present in the image (though for a minimal image like alpine, apk is the main type).

 ✔ Loaded image
 ✔ Analyzed image
 ├── apk
 │   ├── busybox
 │   ├── alpine-baselayout
 │   ├── alpine-keys
 │   ├── apk-tools
 │   ├── zlib
 │   ├── libcrypto1.1
 │   ├── libssl1.1
 │   ├── musl
 │   ├── musl-utils
 │   ├── scanelf
 │   ├── ssl_certs
 │   └── zlib

This filtering capability is very useful when you need to focus on specific layers or types of dependencies within your container image.

Write the SBOM to a file

In the previous steps, we displayed the SBOM in different formats directly in the terminal. While useful for quick inspection, you will often need to save the SBOM to a file for further processing, analysis, or sharing.

syft allows you to write the SBOM output to a file using the -o option followed by the desired format and a redirection to a file. We can output the SBOM in various formats, including JSON, SPDX, and CycloneDX. JSON is a common and versatile format.

Let's generate the SBOM in JSON format and save it to a file named alpine_sbom.json in your current directory (~/project).

syft alpine:latest -o json > alpine_sbom.json

This command will generate the SBOM for the alpine:latest image in JSON format and redirect the output to the file alpine_sbom.json. You won't see the JSON output in your terminal this time.

To verify that the file was created and contains the SBOM data, you can use the ls command to list the files in your current directory and the cat command to display the content of the file.

ls

You should see alpine_sbom.json listed among the files.

alpine_sbom.json

Now, let's view the content of the file:

cat alpine_sbom.json

You should see the JSON formatted SBOM output that we saw in the first step, but now it's stored in the alpine_sbom.json file.

Saving the SBOM to a file is a standard practice for integrating SBOM generation into CI/CD pipelines or for sharing SBOMs with others.

Summary

In this lab, we learned how to generate and display a basic Software Bill of Materials (SBOM) for a Docker image using the syft tool. We started by pulling the alpine:latest image and then used the syft alpine:latest -o json command to generate and display the SBOM in JSON format, providing a detailed list of software components within the image.

We then explored how to display a more human-readable list of packages from the SBOM, filter this list by package type, and finally, write the generated SBOM to a file for later use or analysis. These steps demonstrate the fundamental capabilities of syft for understanding the composition of Docker images.