SBOM (Software Bill of Materials): a machine-readable inventory of every component in an artifact (container image, binary, source tree). Required of vendors supplying the US federal government under EO 14028 (implemented through OMB M-22-18); expected under the EU Cyber Resilience Act from December 2027. Formats: SPDX (Linux Foundation, ISO/IEC 5962) and CycloneDX (OWASP, ECMA-424). Tools: Syft (Anchore, open source), Trivy, Docker Scout. Pipeline: generate → attest with cosign → upload to Dependency-Track for continuous monitoring.
Below: step-by-step, working examples, common pitfalls, FAQ.
Quick start: install Syft (`brew install syft`, or download the release binary), generate the SBOM from the image, then attest it to that image:

```shell
$ syft ghcr.io/me/app:v1 -o spdx-json > sbom.json
$ cosign attest --predicate sbom.json --type spdxjson --key cosign.key ghcr.io/me/app:v1
```

Scenarios and the matching config:

**Syft basic (image, directory, archive)**

```shell
# From a container image (pulled from the registry if not present locally)
$ syft ghcr.io/me/app:v1 -o spdx-json > sbom.spdx.json
# From a source directory
$ syft dir:./src -o cyclonedx-json > sbom.cdx.json
# From an archive
$ syft file:./app.tar.gz
```

**GitHub Action**

```yaml
- uses: anchore/sbom-action@v0
  with:
    image: ghcr.io/me/app:v1
    format: spdx-json
    output-file: sbom.json
- uses: actions/upload-artifact@v4
  with:
    name: sbom
    path: sbom.json
```

**Scan SBOM for CVEs (Grype)**

```shell
# Grype matches the SBOM's components (purl + version) against its vulnerability DB,
# so no image pull is needed at scan time
$ grype sbom:sbom.json
# In CI: non-zero exit on any finding at or above the given severity
$ grype sbom:sbom.json --fail-on high
```

**Dependency-Track upload**

```shell
# POST the SBOM for continuous monitoring.
# Double quotes, not single: the shell must expand $DT_TOKEN.
$ curl -X POST https://dtrack.example.com/api/v1/bom \
    -H "X-Api-Key: ${DT_TOKEN}" \
    -F "project=<UUID>" \
    -F "bom=@sbom.json"
```

**Attest SBOM (cosign)**

```shell
# Producer: sign an in-toto attestation whose subject is the image digest.
# --type spdxjson for an SPDX JSON predicate (spdx is for tag-value text; cyclonedx for CycloneDX JSON)
$ cosign attest --predicate sbom.spdx.json \
    --type spdxjson \
    --key cosign.key \
    ghcr.io/me/app:v1
# Consumer: verify the signature and print the attestation envelope
$ cosign verify-attestation --type spdxjson --key cosign.pub ghcr.io/me/app:v1
```

Keyless (Fulcio/Rekor) signing drops `--key`, but verification then needs `--certificate-identity` and `--certificate-oidc-issuer` to say whose signature is acceptable. In production verify against the digest (`ghcr.io/me/app@sha256:<digest>`) rather than the tag: tags move, attestations are bound to digests.
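`cosign verify-attestation` checks the signature and prints one DSSE envelope per matching attestation; the consumer still has to bind that envelope to the image digest it is about to deploy and to the predicate type it expects, otherwise a valid SBOM attestation for some other (clean) image would be accepted. The following is an added example (not code from the page or from the cosign project) of that consumer-side check. The envelope it parses is constructed to the DSSE/in-toto shape cosign emits; the predicate-type URI and the `{"Data": ...}` wrapper around the SBOM are my reading of cosign's output and should be confirmed against a real run on your own image.

```python
import base64
import json

# Statement and predicate identifiers as cosign emits them for --type spdxjson.
# Assumption: confirm against `cosign verify-attestation` output on your own image.
IN_TOTO_STATEMENT_TYPES = {"https://in-toto.io/Statement/v0.1", "https://in-toto.io/Statement/v1"}
SPDX_PREDICATE = "https://spdx.dev/Document"


class AttestationError(Exception):
    """The attestation does not bind to the artifact or predicate we expect."""


def decode_envelope(envelope_json: str) -> dict:
    """Turn one DSSE envelope line from `cosign verify-attestation` into its in-toto statement.

    cosign has already verified the signature; this only decodes, but still refuses an
    envelope with no signatures or a non-in-toto payload rather than trusting it blindly."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise AttestationError(f"unexpected payloadType {env.get('payloadType')!r}")
    if not env.get("signatures"):
        raise AttestationError("envelope carries no signatures")
    return json.loads(base64.b64decode(env["payload"]))


def check_statement(statement: dict, image_sha256: str,
                    predicate_type: str = SPDX_PREDICATE) -> dict:
    """Return the predicate only if the statement is about exactly this image digest and
    carries the expected predicate type. Checking the tag is not enough: tags move, and a
    valid SBOM attestation for another image must not be accepted for this one."""
    if statement.get("_type") not in IN_TOTO_STATEMENT_TYPES:
        raise AttestationError(f"not an in-toto statement: {statement.get('_type')!r}")
    if statement.get("predicateType") != predicate_type:
        raise AttestationError(
            f"predicateType {statement.get('predicateType')!r}, expected {predicate_type!r}")
    for subject in statement.get("subject", []):
        if subject.get("digest", {}).get("sha256", "").lower() == image_sha256.lower():
            return statement["predicate"]
    raise AttestationError(f"no subject matches sha256:{image_sha256}")


def sbom_from_predicate(predicate: dict) -> dict:
    """cosign wraps the SBOM as {"Data": <sbom>} (parsed JSON for --type spdxjson, a raw
    string for --type spdx). Unwrap both forms; pass a bare predicate through unchanged."""
    data = predicate.get("Data", predicate)
    if isinstance(data, str):
        try:
            data = json.loads(data)
        except json.JSONDecodeError as exc:
            raise AttestationError("predicate Data is not a JSON SBOM") from exc
    return data


def spdx_package_list(sbom: dict) -> list[str]:
    """name@version for every SPDX package, sorted so two runs diff cleanly."""
    return sorted(f"{p['name']}@{p.get('versionInfo', '')}" for p in sbom.get("packages", []))


# --- constructed sample: the shape of one envelope line, with a dummy signature ----------
GOOD_DIGEST = "ab" * 32   # constructed digest of the image we intend to deploy


def constructed_envelope() -> str:
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": SPDX_PREDICATE,
        "subject": [{"name": "ghcr.io/me/app", "digest": {"sha256": GOOD_DIGEST}}],
        "predicate": {"Data": {
            "spdxVersion": "SPDX-2.3",
            "name": "ghcr.io/me/app:v1",
            "packages": [
                {"name": "openssl", "versionInfo": "3.0.13-r0"},
                {"name": "zlib", "versionInfo": "1.3.1-r0"},
            ],
        }},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload,
                       "signatures": [{"keyid": "", "sig": base64.b64encode(b"dummy").decode()}]})


if __name__ == "__main__":
    stmt = decode_envelope(constructed_envelope())
    print(spdx_package_list(sbom_from_predicate(check_statement(stmt, GOOD_DIGEST))))
    try:   # the same valid attestation replayed against a different image digest
        check_statement(stmt, "cd" * 32)
    except AttestationError as err:
        print("rejected:", err)
```

In a real pipeline, feed each stdout line from `cosign verify-attestation` to `decode_envelope`, and take the expected digest from the registry (for example `crane digest`) or from the deployment manifest, never from the attestation itself.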
**Who needs one?** Vendors supplying the US federal government, since 2023 (EO 14028, OMB M-22-18). All products with digital elements placed on the EU market under the Cyber Resilience Act, from December 2027. Enterprise customers increasingly ask for one in RFPs.
**SPDX or CycloneDX?** SPDX: Linux Foundation, ISO/IEC 5962:2021, wide enterprise and licence-compliance acceptance. CycloneDX: OWASP, ECMA-424 (2024), security-focused, with richer vulnerability and VEX support. Both carry the package URL (purl) that scanners match on; SPDX keeps it in `externalRefs`, CycloneDX as a top-level `purl` field.
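To make the format difference concrete, and to show the check a practitioner wants before the scan step, here is an added example (not from the page or from either project) that normalises SPDX-JSON and CycloneDX-JSON into one component list and gates on the fields vulnerability matching depends on. The two SBOM documents are constructed, not real Syft output; the denylist is a hypothetical policy input.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Component:
    name: str
    version: str
    purl: str


def from_spdx(doc: dict) -> list[Component]:
    """SPDX-JSON: packages[], version in versionInfo, purl inside externalRefs."""
    components = []
    for pkg in doc.get("packages", []):
        purl = next((ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"), "")
        components.append(Component(pkg.get("name", ""), pkg.get("versionInfo", ""), purl))
    return components


def from_cyclonedx(doc: dict) -> list[Component]:
    """CycloneDX-JSON: components[], version and purl are top-level fields."""
    return [Component(c.get("name", ""), c.get("version", ""), c.get("purl", ""))
            for c in doc.get("components", [])]


def load_sbom(text: str) -> list[Component]:
    """Detect the format from its root fields and normalise to Component."""
    doc = json.loads(text)
    if "spdxVersion" in doc:
        return from_spdx(doc)
    if doc.get("bomFormat") == "CycloneDX":
        return from_cyclonedx(doc)
    raise ValueError("not an SPDX-JSON or CycloneDX-JSON document")


def purl_base(purl: str) -> str:
    """pkg:type/namespace/name without version, qualifiers or subpath."""
    return purl.split("?", 1)[0].split("#", 1)[0].split("@", 1)[0]


def gate(components: list[Component], denylist: frozenset[str] = frozenset()) -> list[str]:
    """Findings that should fail CI; an empty list means pass.

    Grype and Dependency-Track match on purl and version. A component missing them gets
    no CVE findings, which looks clean but actually means it was never scanned."""
    findings = []
    for c in components:
        if not c.version:
            findings.append(f"{c.name}: no version (scanner cannot match it)")
        if not c.purl:
            findings.append(f"{c.name}: no purl (scanner cannot match it)")
        elif purl_base(c.purl) in denylist:
            findings.append(f"{c.name}: denylisted {purl_base(c.purl)}")
    return findings


# --- constructed samples, shaped like the two formats (not real Syft output) -------------
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "name": "ghcr.io/me/app:v1",
    "packages": [
        {"name": "openssl", "versionInfo": "3.0.13-r0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:apk/alpine/openssl@3.0.13-r0"}]},
        {"name": "vendored-libfoo"},   # hand-copied blob: no version, no purl
    ],
})
CDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13-r0",
         "purl": "pkg:apk/alpine/openssl@3.0.13-r0"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
    ],
})

if __name__ == "__main__":
    for label, text in (("spdx", SPDX_SAMPLE), ("cyclonedx", CDX_SAMPLE)):
        comps = load_sbom(text)
        print(label, [f"{c.name}@{c.version}" for c in comps])
        print("  findings:", gate(comps, frozenset({"pkg:npm/lodash"})))
```

Run this as the CI step between `syft` and `grype`: a non-empty `gate()` result means the scanner's clean report cannot be trusted for those components.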
**How do I find CVEs in it?** Grype (Anchore) reads SPDX or CycloneDX and matches components against its vulnerability DB; it is a point-in-time scan. Dependency-Track (OWASP) keeps the SBOM and re-evaluates it as new advisories appear, so it alerts on releases that were clean when shipped.
**Where do I upload it?** Dependency-Track, Snyk, or GitHub's dependency graph (dependency submission API), so that the SBOM is monitored rather than archived.