BlogCI/CD

Generate an SBOM for any container image with Syft

Produce a complete software bill of materials in SPDX or CycloneDX and feed it to Grype for fast CVE triage.

Nov 5, 2024·8 min readIntermediate

You cannot secure what you cannot enumerate. A software bill of materials (SBOM) lists every package, library, and version inside an image. Syft generates one from any image or filesystem in seconds, and pairing it with Grype turns 'are we affected by X?' into a query instead of an investigation.

bash — what is actually in therelive
syft acme/api:1.4
NAME VERSION TYPE
openssl 3.1.4-r5 apk
express 4.19.2 npm
cataloged 214 packages across 3 ecosystems

Emit a standard format

Use SPDX or CycloneDX so any downstream tool can consume it. Store the SBOM as a build artifact — ideally as a signed attestation on the image.

bash
syft acme/api:1.4 -o spdx-json > sbom.spdx.json
syft acme/api:1.4 -o cyclonedx-json > sbom.cdx.json

Triage against it fast

bash — scan the SBOM, not the imagelive
grype sbom:sbom.cdx.json --fail-on high
openssl 3.1.4-r5 CVE-2024-6119 (High) fixed in 3.1.4-r6
scanning the SBOM is faster than re-pulling the image
Keep every SBOM
Archive one SBOM per build. The next critical CVE becomes: grep your SBOM store for the package — minutes across your whole fleet.
Go deeper in a courseSoftware supply chain securitySBOMs, vulnerability triage, provenance, and signing.View course

Related posts