syft - SBOM for container image

SBOM stands for Software Bill of Materials: a list of the components used to build your application. Nowadays we mainly deliver apps as container images, and the components of an image fall into two groups. The first is the list of packages used to build your own binaries, i.e. the Go modules listed in go.mod; the second is the list of operating system packages, i.e. the Debian packages recorded by dpkg. Both lists can be used to determine whether the current image is vulnerable. The concept has become more popular after serious security incidents such as Apache Log4j or OpenSSL, as a way to keep control over the whole application delivery chain.

One tool for preparing an SBOM for container images is syft. It supports the most commonly used languages and operating systems. Generating the SBOM on its own isn't that valuable; it should be used together with other tools, such as the vulnerability scanner grype, and with attestation using the tools from the sigstore project. The latter offers a pretty nice feature: uploading an attestation for the specified image to the OCI registry using your OIDC credentials (see the sigstore documentation on keyless support). One more thing worth mentioning is that Docker Desktop integrates SBOM generation using syft:

$ docker --help | grep -i sbom
  sbom*       View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc., 0.6.0)
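The two lists described above, as an added example that is not part of the original post or of the syft project: the script reads a constructed excerpt shaped like `syft <image> -o json` output, splits the artifacts into OS packages and language packages, and matches each artifact's package URL against a constructed advisory list in the way a scanner such as grype would. The artifact fields follow syft's JSON schema; the advisory entries and their ids are placeholders, not real vulnerability data.

```python
import json

# Constructed excerpt in the shape of `syft <image> -o json` output; not a real scan result.
SAMPLE_SBOM = json.dumps({"artifacts": [
    {"name": "libssl1.1", "version": "1.1.1n-0+deb11u3", "type": "deb", "language": "",
     "purl": "pkg:deb/debian/libssl1.1@1.1.1n-0+deb11u3?arch=amd64&distro=debian-11"},
    {"name": "golang.org/x/net", "version": "v0.7.0", "type": "go-module", "language": "go",
     "purl": "pkg:golang/golang.org/x/net@v0.7.0"},
    {"name": "log4j-core", "version": "2.14.1", "type": "java-archive", "language": "java",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
]})

# Constructed advisory list with placeholder ids; it stands in for the vulnerability
# database a scanner such as grype consults and contains no real CVE data.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "purl_base": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "affected": {"2.14.0", "2.14.1", "2.15.0"}},
    {"id": "ADVISORY-PLACEHOLDER-2", "purl_base": "pkg:deb/debian/libssl1.1",
     "affected": {"1.1.1k-1+deb11u1"}},
]

OS_PACKAGE_TYPES = {"deb", "rpm", "apk"}  # syft artifact types that come from the distro package manager


def strip_purl_version(purl):
    """Drop the '@version' and '?qualifiers' parts of a package URL, keeping type/namespace/name."""
    return purl.split("?", 1)[0].rsplit("@", 1)[0]


def split_sbom(sbom_json):
    """Group syft artifacts into the two lists the post describes: OS packages and language packages."""
    os_pkgs, lang_pkgs = [], []
    for art in json.loads(sbom_json).get("artifacts", []):
        (os_pkgs if art.get("type") in OS_PACKAGE_TYPES else lang_pkgs).append(art)
    return os_pkgs, lang_pkgs


def match_advisories(sbom_json, advisories=ADVISORIES):
    """Return [(advisory id, purl)] for each artifact whose exact version is listed as affected."""
    index = {adv["purl_base"]: adv for adv in advisories}
    hits = []
    for art in json.loads(sbom_json).get("artifacts", []):
        adv = index.get(strip_purl_version(art.get("purl", "")))
        if adv and art["version"] in adv["affected"]:
            hits.append((adv["id"], art["purl"]))
    return hits
```

The version match here is an exact set lookup; a real scanner compares against affected version ranges using the ecosystem's own version ordering (dpkg, semver, Maven), which is why grype rather than a script like this should drive the verdict.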
