docker scout sbom
Generate or display SBOM of an image
Usage
docker scout sbom [IMAGE|DIRECTORY|ARCHIVE]
Description
The docker scout sbom command analyzes a software artifact to generate the corresponding Software Bill Of Materials (SBOM).
The SBOM can be used to list all packages, or only the ones of a specific type (such as deb, maven, etc).
If no image is specified, the most recently built image will be used.
The following artifact types are supported:
- Images
- OCI layout directories
- Tarball archives, as created by docker save
- Local directory or file
The tool analyzes the provided software artifact, and generates a vulnerability report.
By default, the tool expects an image reference, such as:
- redis
- curlimages/curl:7.87.0
- mcr.microsoft.com/dotnet/runtime:7.0
If the artifact you want to analyze is an OCI directory, a tarball archive, a local file or directory, or if you want to control from where the image will be resolved, you must prefix the reference with one of the following:
- image:// (default): use a local image, or fall back to a registry lookup
- local://: use an image from the local image store (don't do a registry lookup)
- registry://: use an image from a registry (don't use a local image)
- oci-dir://: use an OCI layout directory
- archive://: use a tarball archive, as created by docker save
- fs://: use a local directory or file
Options
| Option | Short | Default | Description |
|---|---|---|---|
| --format | | json | Output format (list or json) |
| --only-package-type | | | Comma-separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc). Can only be used with --format list |
| --output | -o | | Write the report to a file |
| --platform | | | Platform of image to analyze |
| --ref | | | Reference to use if the provided tarball contains multiple references. Can only be used with archive |
Examples
Display the list of packages
$ docker scout sbom --format list alpine
Only display packages of a specific type
$ docker scout sbom --format list --only-package-type apk alpine
Display the full SBOM as json
$ docker scout sbom alpine
Display the full SBOM of the most recently built image
$ docker scout sbom
Write SBOM to a file
$ docker scout sbom --output alpine.sbom alpine
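The following is an added example, not part of Docker's documentation or the Scout tooling: a small Python wrapper that resolves the artifact prefix and builds the docker scout sbom command line while enforcing the option constraints listed above (--only-package-type only with --format list, --ref only with archive://). The function names and the assumption that only the list and json formats are wanted are this example's own.

```python
import subprocess

# Artifact prefixes documented for `docker scout sbom` (bare references mean image://).
PREFIXES = {
    "image://": "local image, falling back to a registry lookup (default)",
    "local://": "local image store only, no registry lookup",
    "registry://": "registry only, no local image",
    "oci-dir://": "OCI layout directory",
    "archive://": "tarball archive created by `docker save`",
    "fs://": "local directory or file",
}
# Output formats shown in the reference; extend if your Scout version supports more (assumption).
FORMATS = ("list", "json")


def classify_artifact(artifact: str) -> str:
    """Return the prefix that applies to `artifact`; a bare reference defaults to image://."""
    for prefix in PREFIXES:
        if artifact.startswith(prefix):
            return prefix
    if "://" in artifact:
        raise ValueError(f"unknown artifact prefix in {artifact!r}")
    return "image://"


def build_sbom_argv(artifact, fmt="json", only_package_type=(), output=None, platform=None, ref=None):
    """Build argv for `docker scout sbom`, rejecting option combinations the reference disallows."""
    if fmt not in FORMATS:
        raise ValueError(f"--format must be one of {FORMATS}")
    if only_package_type and fmt != "list":
        raise ValueError("--only-package-type can only be used with --format list")
    if ref is not None and classify_artifact(artifact) != "archive://":
        raise ValueError("--ref can only be used with an archive:// artifact")
    argv = ["docker", "scout", "sbom", "--format", fmt]
    if only_package_type:
        argv += ["--only-package-type", ",".join(only_package_type)]
    if output is not None:
        argv += ["--output", output]
    if platform is not None:
        argv += ["--platform", platform]
    if ref is not None:
        argv += ["--ref", ref]
    argv.append(artifact)  # classify_artifact() already validated any prefix
    return argv


def run_sbom(**kwargs) -> str:
    """Run the built command and return its stdout (requires the Docker Scout CLI plugin)."""
    proc = subprocess.run(build_sbom_argv(**kwargs), check=True, capture_output=True, text=True)
    return proc.stdout
```

Call run_sbom(artifact="alpine", fmt="list", only_package_type=["apk"]) to reproduce the filtered listing from the examples above.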