Generating SBOMs from Scanned Images
Alauda Container Security enables you to generate a Software Bill of Materials (SBOM) from scanned container images. This feature provides a detailed overview of software components, dependencies, and libraries within your application, helping organizations locate vulnerable packages and comply with security requirements.
What is an SBOM?
A Software Bill of Materials (SBOM) is a digital record listing the components of a piece of software and their origins. SBOMs help organizations:
- Identify the presence of vulnerable packages and components
- Respond quickly to mitigate risks
- Comply with regulations such as Executive Order 14028
SBOMs can be generated in different ways. The SBOMs generated by Alauda Container Security are "Analyzed" SBOMs, created by analyzing artifacts such as executables, packages, containers, and VM images. According to CISA, analyzed SBOMs:
- Provide information without requiring an active development environment
- Can be generated without access to the build process
- Help discover hidden dependencies
The SBOM generated by Alauda Container Security is in System Package Data Exchange (SPDX) 2.3 format.
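Because the download is a plain SPDX 2.3 JSON document, it can be checked offline against an internal list of packages of concern. The script below is an added example, not part of Alauda Container Security or its documentation: the SBOM document and the watch list are constructed stand-ins, and the package names, versions and purls are illustrative, not real findings.

```python
import json

# Constructed SPDX 2.3 document standing in for an SBOM downloaded from the
# portal; package names, versions and purls are illustrative only.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"SPDXID": "SPDXRef-pkg-1", "name": "openssl-libs", "versionInfo": "3.0.7-1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:rpm/example/openssl-libs@3.0.7-1"}]},
        {"SPDXID": "SPDXRef-pkg-2", "name": "zlib", "versionInfo": "1.2.13-1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:rpm/example/zlib@1.2.13-1"}]},
        {"SPDXID": "SPDXRef-pkg-3", "name": "lodash", "versionInfo": "4.17.21",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
    ],
})

# Constructed watch list of (package name, affected version) pairs, as an
# organisation might maintain internally; not real advisory data.
WATCH_LIST = {("openssl-libs", "3.0.7-1"), ("lodash", "4.17.20")}


def load_spdx(text):
    """Parse the JSON and confirm it is an SPDX 2.3 document before trusting it."""
    doc = json.loads(text)
    if doc.get("spdxVersion") != "SPDX-2.3" or doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        raise ValueError("not an SPDX 2.3 JSON document")
    return doc


def purl_of(pkg):
    """Return the package URL (purl) external reference of a package, if present."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return None


def find_affected(sbom_text, watch_list):
    """Return (name, version, purl) for every package whose name/version is on the watch list."""
    hits = []
    for pkg in load_spdx(sbom_text).get("packages", []):
        key = (pkg.get("name"), pkg.get("versionInfo"))
        if key in watch_list:
            hits.append((key[0], key[1], purl_of(pkg)))
    return hits
```

Exact name and version matching is deliberate: version-range comparison is ecosystem specific (rpm, npm, and so on), so a production check would dispatch on the purl type.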
How to Generate SBOMs
You can generate SBOMs using the Alauda Container Security portal, the roxctl CLI, or the API.
Using the Portal
- Go to Vulnerability Management > Results and locate the image you want.
- Do one of the following:
  - In the image row, click the overflow menu and select Generate SBOM.
  - Select the image to view its details, then click Generate SBOM.
- A window displays information about the image and the SBOM format. Click Generate SBOM to create the file in JSON format. Depending on your browser settings, the file is downloaded automatically.
Using the roxctl CLI
Run the following command:
Replace image-name with the name and reference of the image (e.g., nginx:latest or nginx@sha256:...).