Generating SBOMs from Scanned Images
Alauda Security Service enables you to generate a Software Bill of Materials (SBOM) from scanned container images. SBOMs provide a detailed inventory of software components, dependencies, and libraries within an image and help teams investigate vulnerable packages more efficiently.
TOC
- What is an SBOM?
- How to Generate SBOMs
- Using the Portal
- Using the roxctl CLI
- CLI Options
- Using the API
What is an SBOM?
A Software Bill of Materials (SBOM) is a digital record listing the components of a piece of software and their origins. SBOMs help organizations:
- Identify the presence of vulnerable packages and components
- Respond quickly to mitigate risks
- Comply with regulations such as Executive Order 14028
SBOMs can be generated in different ways. The SBOMs generated by Alauda Security Service are "Analyzed" SBOMs, created by analyzing artifacts such as executables, packages, containers, and VM images. According to CISA, analyzed SBOMs:
- Provide information without requiring an active development environment
- Can be generated without access to the build process
- Help discover hidden dependencies
The SBOM generated by Alauda Security Service is in System Package Data Exchange (SPDX) 2.3 format and is downloaded as JSON.
How to Generate SBOMs
You can generate SBOMs using the Alauda Security Service portal, the roxctl CLI, or the API.
Using the Portal
- Go to Vulnerability Management > Results and locate the image you want.
- If needed, switch to the relevant results view, such as User Workloads, Platform, or a view under More Views.
- Do one of the following:
  - In the image row, click the overflow menu and select Generate SBOM.
  - Select the image to view details, then click Generate SBOM.
- Review the image information and the SBOM format in the dialog.
- Click Generate SBOM to create and download the file.
Using the roxctl CLI
Run the following command:
Replace image-name with the name and reference of the image (e.g., nginx:latest or nginx@sha256:...).
CLI Options
Using the API
You can also generate an SBOM by using the API with an API token. Use this option when you want to embed SBOM creation into automation or external reporting workflows.
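The following script is an added example, not code from Alauda Security Service or its documentation. It shows the two halves of an automation workflow this section and the "What is an SBOM?" section describe: requesting an SBOM with an API token, and then reading the SPDX 2.3 JSON to build a package inventory and check it for packages named in an advisory. The API path `/api/v1/images/sbom`, the `{"imageName": ...}` request body, and the `fetch_sbom` helper are assumptions for illustration; consult the product's API reference for the real endpoint. The embedded SBOM document is constructed sample data, so the parsing part runs offline.

```python
import json
import urllib.request

# Constructed sample SBOM: a minimal SPDX 2.3 JSON document with the shape an
# analyzed image SBOM has (a root package for the image that CONTAINS the
# detected packages). Package names and versions are made up for the example.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "nginx:latest",
    "packages": [
        {"SPDXID": "SPDXRef-image", "name": "nginx:latest", "versionInfo": ""},
        {"SPDXID": "SPDXRef-pkg-1", "name": "openssl", "versionInfo": "3.0.13-1"},
        {"SPDXID": "SPDXRef-pkg-2", "name": "zlib", "versionInfo": "1.2.13"},
        {"SPDXID": "SPDXRef-pkg-3", "name": "libxml2", "versionInfo": "2.9.14"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-image"},
        {"spdxElementId": "SPDXRef-image", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-pkg-1"},
        {"spdxElementId": "SPDXRef-image", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-pkg-2"},
        {"spdxElementId": "SPDXRef-image", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-pkg-3"},
    ],
})


def fetch_sbom(endpoint: str, token: str, image: str, timeout: int = 60) -> dict:
    """Request an SBOM for `image` over the API using a bearer API token.
    ASSUMPTION: the path /api/v1/images/sbom and the {"imageName": ...} body
    are this example's guess at the endpoint, not a documented contract."""
    req = urllib.request.Request(
        f"https://{endpoint}/api/v1/images/sbom",
        data=json.dumps({"imageName": image}).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def load_sbom(text: str) -> dict:
    """Parse SBOM JSON and refuse anything that is not SPDX 2.3, so downstream
    code never silently reads a document with a different schema."""
    doc = json.loads(text)
    version = doc.get("spdxVersion")
    if version != "SPDX-2.3":
        raise ValueError(f"expected SPDX-2.3 document, got {version!r}")
    if "packages" not in doc:
        raise ValueError("SBOM has no 'packages' section")
    return doc


def package_inventory(doc: dict) -> dict:
    """Return {package name: version} for the components in the image.
    The package the document DESCRIBES is the image itself, not a component,
    so it is excluded from the inventory."""
    root_ids = {
        r["relatedSpdxElement"]
        for r in doc.get("relationships", [])
        if r.get("spdxElementId") == doc.get("SPDXID")
        and r.get("relationshipType") == "DESCRIBES"
    }
    return {
        p["name"]: p.get("versionInfo", "")
        for p in doc["packages"]
        if p.get("SPDXID") not in root_ids
    }


def find_packages(doc: dict, names) -> list:
    """Look up packages of interest (e.g. names taken from an advisory) and
    return sorted (name, version) pairs for those present in the image."""
    wanted = {n.lower() for n in names}
    return sorted((n, v) for n, v in package_inventory(doc).items()
                  if n.lower() in wanted)


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in fetch_sbom(...) for a
    # live query once the endpoint is confirmed.
    sbom = load_sbom(SAMPLE_SBOM)
    for name, version in sorted(package_inventory(sbom).items()):
        print(f"{name} {version}")
    print("advisory match:", find_packages(sbom, ["openssl", "curl"]))
```

The version check in `load_sbom` matters in automation: a pipeline that quietly accepts a differently structured document will produce an empty or misleading inventory rather than an error. Excluding the DESCRIBES root keeps the image's own name out of the component list, which is what you want when comparing against advisory package names.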