Generating SBOMs from Scanned Images

Alauda Container Security enables you to generate a Software Bill of Materials (SBOM) from scanned container images. This feature provides a detailed overview of software components, dependencies, and libraries within your application, helping organizations locate vulnerable packages and comply with security requirements.


What is an SBOM?

A Software Bill of Materials (SBOM) is a digital record listing the components of a piece of software and their origins. SBOMs help organizations:

  • Identify the presence of vulnerable packages and components
  • Respond quickly to mitigate risks
  • Comply with regulations such as Executive Order 14028

SBOMs can be generated in different ways. The SBOMs generated by Alauda Container Security are "Analyzed" SBOMs, created by analyzing artifacts such as executables, packages, containers, and VM images. According to CISA, analyzed SBOMs:

  • Provide information without requiring an active development environment
  • Can be generated without access to the build process
  • Help discover hidden dependencies

The SBOM generated by Alauda Container Security is in System Package Data Exchange (SPDX) 2.3 format.

How to Generate SBOMs

You can generate SBOMs using the Alauda Container Security portal, the roxctl CLI, or the API.

Using the Portal

  1. Go to Vulnerability Management > Results and locate the image you want.
  2. Do one of the following:
    • In the image row, click the overflow menu and select Generate SBOM.
    • Select the image to view details, then click Generate SBOM.
  3. A window will display information about the image and the SBOM format. Click Generate SBOM to create the file in JSON format. The file will be downloaded automatically depending on your browser settings.

Using the roxctl CLI

Run the following command:

roxctl image sbom --image=image-name

Replace image-name with the name and reference of the image (e.g., nginx:latest or nginx@sha256:...).
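Once the SPDX 2.3 JSON file is on disk, the next step is usually to check its format and look up packages named in an advisory. The following is an added example (not part of Alauda Container Security or roxctl): it parses a constructed, minimal SPDX 2.3 document in the same layout and returns the packages whose names appear on a watchlist, with their version and package URL where one is present.

```python
"""Inspect an SPDX 2.3 JSON SBOM (the format `roxctl image sbom` writes)
and return packages that appear on a watchlist of package names.
Added example; the SBOM below is a constructed, minimal document."""
import json

# Constructed sample mimicking the SPDX 2.3 JSON layout; not real roxctl output.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "nginx:latest",
    "packages": [
        {"name": "nginx", "SPDXID": "SPDXRef-pkg-1", "versionInfo": "1.25.3",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/nginx@1.25.3"}]},
        {"name": "openssl", "SPDXID": "SPDXRef-pkg-2", "versionInfo": "3.0.11",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/openssl@3.0.11"}]},
        {"name": "zlib1g", "SPDXID": "SPDXRef-pkg-3", "versionInfo": "1.2.13"},
    ],
})


def load_sbom(text):
    """Parse the JSON and reject anything that is not the SPDX 2.3 format."""
    doc = json.loads(text)
    if doc.get("spdxVersion") != "SPDX-2.3":
        raise ValueError(f"unexpected SPDX version: {doc.get('spdxVersion')}")
    return doc


def purl_of(pkg):
    """Return the package URL from externalRefs, or None if the package has none."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None


def find_packages(doc, watchlist):
    """Return (name, version, purl) for every package whose name is on the watchlist."""
    wanted = {n.lower() for n in watchlist}
    return [(p["name"], p.get("versionInfo", ""), purl_of(p))
            for p in doc.get("packages", []) if p["name"].lower() in wanted]


if __name__ == "__main__":
    # The watchlist is a constructed placeholder for package names an advisory lists.
    for name, version, purl in find_packages(load_sbom(SAMPLE_SBOM), ["openssl", "zlib1g"]):
        print(f"{name} {version} {purl or '(no purl)'}")
```

To run it against a real file, replace SAMPLE_SBOM with the contents of the JSON that roxctl downloaded.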

CLI Options

| Option | Description |
| --- | --- |
| -f, --force | Bypass Central's cache for the image and force a new pull from the scanner. Default: false. |
| -d, --retry-delay integer | Time to wait between retries, in seconds. Default: 3. |
| -i, --image string | Image name and reference (e.g., nginx:latest or nginx@sha256:...). |
| -r, --retries integer | Number of times Scanner V4 should retry before exiting with an error. Default: 3. |