Docker Scout SBOMs

Image analysis uses image SBOMs to understand what packages and versions an image contains. Docker Scout uses SBOM attestations if available on the image (recommended). If no SBOM attestation is available, Docker Scout creates one by indexing the image contents.

View from CLI#

To view the contents of the SBOM that Docker Scout generates, you can use the docker scout sbom command.

$ docker scout sbom [IMAGE]

By default, this prints the SBOM in a JSON format to stdout. The default JSON format produced by docker scout sbom isn't SPDX-JSON. To output SPDX, use the --format spdx flag:

$ docker scout sbom --format spdx [IMAGE]

To generate a human-readable list, use the --format list flag:

$ docker scout sbom --format list alpine

           Name             Version    Type
───────────────────────────────────────────────
  alpine-baselayout       3.4.3-r1     apk
  alpine-baselayout-data  3.4.3-r1     apk
  alpine-keys             2.4-r1       apk
  apk-tools               2.14.0-r2    apk
  busybox                 1.36.1-r2    apk
  busybox-binsh           1.36.1-r2    apk
  ca-certificates         20230506-r0  apk
  ca-certificates-bundle  20230506-r0  apk
  libc-dev                0.7.2-r5     apk
  libc-utils              0.7.2-r5     apk
  libcrypto3              3.1.2-r0     apk
  libssl3                 3.1.2-r0     apk
  musl                    1.2.4-r1     apk
  musl-utils              1.2.4-r1     apk
  openssl                 3.1.2-r0     apk
  pax-utils               1.3.7-r1     apk
  scanelf                 1.3.7-r1     apk
  ssl_client              1.36.1-r2    apk
  zlib                    1.2.13-r1    apk

For more information about the docker scout sbom command, refer to the CLI reference.

Attach as build attestation#

You can generate the SBOM and attach it to the image at build-time as an attestation. BuildKit provides a default SBOM generator which is different from what Docker Scout uses. You can configure BuildKit to use the Docker Scout SBOM generator using the --attest flag for the docker build command. The Docker Scout SBOM indexer provides richer results and ensures better compatibility with the Docker Scout image analysis.

$ docker build --tag <org>/<image> \
  --attest type=sbom,generator=docker/scout-sbom-indexer:latest \
  --push .

To build images with SBOM attestations, you must use either the containerd image store feature, or use a docker-container builder together with the --push flag to push the image (with attestations) directly to a registry. The classic image store doesn't support manifest lists or image indices, which is required for adding attestations to an image.

Extract to file#

The command for extracting the SBOM of an image to an SPDX JSON file is different depending on whether the image has been pushed to a registry or if it's a local image.

Remote image#

To extract the SBOM of an image and save it to a file, you can use the docker buildx imagetools inspect command. This command only works for images in a registry.

$ docker buildx imagetools inspect <image> --format "\{\{ json .SBOM }}" > sbom.spdx.json

Local image#

To extract the SPDX file for a local image, build the image with the local exporter and use the scout-sbom-indexer SBOM generator plugin.

The following command saves the SBOM to a file at build/sbom.spdx.json.

$ docker build --attest type=sbom,generator=docker/scout-sbom-indexer:latest \
  --output build .