8. Hands‐On Guide to SBOM - SMART2016/containerization GitHub Wiki

Hands-on Guide: Generating an SBOM for Container Images

This guide will walk you through how to generate, analyze, and verify an SBOM (Software Bill of Materials) for your container images using Apko, Syft, and Trivy.


1️⃣ What is an SBOM?

SBOM (Software Bill of Materials) is a list of all components, dependencies, and libraries inside a software package or container. It helps with:

  • Security: Identifies vulnerabilities (CVEs) in dependencies.
  • Compliance: Ensures legal and licensing compliance.
  • Supply Chain Integrity: Detects malicious or outdated packages.

2️⃣ Tools for Generating SBOMs

There are multiple tools available:

Tool   Purpose                                                          SBOM Format Support
Apko   Generates SBOMs for APK-based container images.                  SPDX, CycloneDX
Syft   Scans any container image or filesystem for SBOM generation.     SPDX, CycloneDX
Trivy  Generates SBOMs and checks for vulnerabilities.                  SPDX, CycloneDX

We'll cover Apko for APK-based images and Syft/Trivy for general container images.


3️⃣ Generating an SBOM Using Apko

If you're using Apko to build container images, you can generate an SBOM automatically.

Step 1: Install Apko

curl -Lo apko.tar.gz https://github.com/chainguard-dev/apko/releases/latest/download/apko-linux-amd64.tar.gz
tar -xvf apko.tar.gz
sudo mv apko /usr/local/bin/

Verify installation:

apko version

Step 2: Create Apko Configuration File (apko.yaml)

contents:
  packages:
    - busybox
    - openssl

sbom:
  enabled: true
  format: "spdx-json"

Step 3: Build the Image and Generate an SBOM

apko build --sbom apko.yaml my-container:latest my-container.tar

✅ This will generate an SBOM file in SPDX JSON format.


4️⃣ Generating an SBOM Using Syft

Syft can scan any container image and create an SBOM.

Step 1: Install Syft

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
syft version

Step 2: Generate an SBOM for a Container Image

syft my-container:latest -o spdx-json > sbom.json

✅ This scans my-container:latest and generates an SBOM.

Step 3: Inspect the SBOM

jq . sbom.json

This will output:

{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "my-container",
  "packages": [
    {
      "name": "openssl",
      "versionInfo": "1.1.1n",
      "license": "OpenSSL",
      "supplier": "Alpine Linux"
    },
    {
      "name": "busybox",
      "versionInfo": "1.35.0-r29",
      "license": "GPL-2.0",
      "supplier": "Alpine Linux"
    }
  ]
}

🔍 Now you have a complete list of installed packages, versions, and licenses.


5️⃣ Generating an SBOM Using Trivy

Trivy can generate an SBOM and detect vulnerabilities at the same time.

Step 1: Install Trivy

brew install trivy  # macOS
sudo apt install trivy  # Ubuntu/Debian

Or manually:

curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/install.sh | sh

Verify installation:

trivy version

Step 2: Generate an SBOM for a Container Image

trivy image --format spdx-json -o sbom.json my-container:latest

✅ This generates an SPDX-compliant SBOM.

Step 3: Scan for Vulnerabilities

trivy image my-container:latest

Example output:

+---------+------------+----------+----------------+---------------+
| PACKAGE | VERSION    | SEVERITY | CVE ID         | FIXED VERSION |
+---------+------------+----------+----------------+---------------+
| openssl | 1.1.1n     | HIGH     | CVE-2022-12345 | 1.1.1p        |
| busybox | 1.35.0-r29 | MEDIUM   | CVE-2023-6789  | 1.36.0-r1     |
+---------+------------+----------+----------------+---------------+

🚀 Now you can detect and patch vulnerabilities!


6️⃣ Automating SBOM Generation in CI/CD

If you're using GitHub Actions, add this workflow to automate SBOM generation:

name: SBOM Check
on:
  push:
    branches:
      - main

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3

      - name: Install Syft
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

      - name: Generate SBOM
        # my-container:latest must already exist on the runner (built or pulled in an earlier step)
        run: |
          syft my-container:latest -o spdx-json > sbom.json

      - name: Upload SBOM
        uses: actions/upload-artifact@v3
        with:
          name: sbom
          path: sbom.json

✅ This will generate an SBOM for every push and upload it as an artifact.
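Uploading the file is only half of a "SBOM check": a CI job can also read the SBOM and fail the build on what it finds. The script below is an added example, not part of this wiki or of Syft/Trivy. It parses SPDX JSON in the shape shown in section 4 (the short "license" key, falling back to the SPDX "licenseDeclared"/"licenseConcluded" keys), diffs the new image's packages against a stored baseline SBOM to surface supply-chain drift, and flags packages with no version or a license outside an allow-list; the two SBOM documents and the allow-list are constructed sample values.

```python
"""Compare a new SPDX JSON SBOM against a baseline and apply a simple policy."""
import json

# Constructed sample SBOMs in the shape shown in section 4 (not real Syft output).
BASELINE_SBOM = """{"SPDXID": "SPDXRef-DOCUMENT", "name": "my-container", "packages": [
  {"name": "openssl", "versionInfo": "1.1.1n", "license": "OpenSSL"},
  {"name": "busybox", "versionInfo": "1.35.0-r29", "license": "GPL-2.0"}]}"""
NEW_SBOM = """{"SPDXID": "SPDXRef-DOCUMENT", "name": "my-container", "packages": [
  {"name": "openssl", "versionInfo": "1.1.1p", "license": "OpenSSL"},
  {"name": "busybox", "versionInfo": "1.35.0-r29", "license": "GPL-2.0"},
  {"name": "curl", "versionInfo": "8.5.0-r0", "license": "MIT"},
  {"name": "mystery-tool", "versionInfo": "", "license": "NOASSERTION"}]}"""
# Constructed allow-list; a real one comes from the project's licensing policy.
ALLOWED_LICENSES = {"OpenSSL", "GPL-2.0", "MIT", "Apache-2.0"}

def load_packages(sbom_json):
    """Return {name: (version, license)} from an SPDX JSON document. Accepts the
    short 'license' key of the example above and falls back to the SPDX
    'licenseDeclared' / 'licenseConcluded' keys."""
    pkgs = {}
    for p in json.loads(sbom_json).get("packages", []):
        lic = (p.get("license") or p.get("licenseDeclared")
               or p.get("licenseConcluded") or "NOASSERTION")
        pkgs[p["name"]] = (p.get("versionInfo", ""), lic)
    return pkgs

def diff_sboms(baseline, current):
    """Packages added, removed, or whose version changed since the baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(n for n in common if baseline[n][0] != current[n][0]),
    }

def policy_violations(pkgs, allowed=ALLOWED_LICENSES):
    """Flag packages with no version or with a license outside the allow-list."""
    problems = []
    for name, (version, lic) in sorted(pkgs.items()):
        if not version:
            problems.append(f"{name}: missing versionInfo")
        if lic not in allowed:
            problems.append(f"{name}: license {lic!r} not allowed")
    return problems

if __name__ == "__main__":
    base, cur = load_packages(BASELINE_SBOM), load_packages(NEW_SBOM)
    print(json.dumps(diff_sboms(base, cur), indent=2))
    print("\n".join("VIOLATION: " + p for p in policy_violations(cur)))
```

In the workflow above this would run between "Generate SBOM" and "Upload SBOM", with the previous build's sbom.json checked in or fetched as the baseline, and a non-empty violation list turned into a failing exit code.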


7️⃣ Summary

Tool   Best For
Apko   SBOM for Alpine-based images (OCI)
Syft   SBOM for any container image or filesystem
Trivy  SBOM + vulnerability scanning

🚀 Next Steps

  • Use Apko if you are building APK-based images.
  • Use Syft if you need SBOMs for any container.
  • Use Trivy if you want SBOM + security scanning.