SBOM
A Software Bill of Materials (SBOM) is a detailed inventory of all the components, libraries, dependencies, and software used within a specific application or system. It provides critical transparency into the makeup of software.
As a fundamental security practice, we create an SBOM (Software Bill of Materials) for the software, covering all libraries and the Docker base image, and attach it to the provided container. You can extract the SBOM from the container and feed it into your internal security check procedures, if applicable.
View SBOM
Use Syft to list all the components included in the application. It supports several output formats:
syft entropydata/entropy-data:latest
syft entropydata/entropy-data:latest -o spdx-json
syft entropydata/entropy-data:latest -o cyclonedx-xml
The docker sbom command is deprecated and has been removed from recent Docker Desktop releases; call syft directly instead. If you see an error like "client version 1.41 is too old", your Syft version predates your Docker daemon's API: upgrade Syft (brew upgrade syft, or re-run the install script) and re-run the command.
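The page says the SBOM should be integrated into internal security checks; one concrete check is comparing the inventory of a new image against the previous release to see which components were added, removed or upgraded. The following is an added example (not Entropy Data's or Syft's own code) that parses SPDX 2.x JSON, the format `syft -o spdx-json` writes, into a component inventory keyed by version-free package URL and diffs two inventories. Both SBOM documents in it are constructed for illustration and are not real output for the entropydata/entropy-data image; the `_spdx_doc` builder and the release versions are assumptions.

```python
"""Component inventory from an SPDX 2.x JSON SBOM (the format `syft -o spdx-json`
writes) and a diff between two such inventories.

Added example for this page; it is not Entropy Data's or Syft's own code. Both
SBOM documents below are constructed for illustration and are not real output
for the entropydata/entropy-data image.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str  # package URL from externalRefs, or "" when the SBOM gives none


def _purl_without_version(purl: str) -> str:
    """'pkg:deb/debian/openssl@3.0.11-1?arch=amd64' -> 'pkg:deb/debian/openssl'."""
    return purl.split("@", 1)[0]


def parse_spdx_json(text: str) -> dict[str, Component]:
    """Return the SBOM's packages keyed by version-free purl, or by name when
    no purl is present (e.g. the image root package an SBOM tool emits)."""
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2"):
        raise ValueError(f"unsupported SPDX version: {doc.get('spdxVersion')!r}")
    inventory: dict[str, Component] = {}
    for pkg in doc.get("packages", []):
        purl = next(
            (ref.get("referenceLocator", "") for ref in pkg.get("externalRefs", [])
             if ref.get("referenceType") == "purl"),
            "",
        )
        comp = Component(pkg.get("name", ""), pkg.get("versionInfo", ""), purl)
        key = _purl_without_version(purl) if purl else comp.name
        inventory[key] = comp
    return inventory


def diff_inventories(old: dict[str, Component], new: dict[str, Component]) -> dict:
    """Components added, removed, or changed in version between two SBOMs."""
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = sorted(
        (k, old[k].version, new[k].version)
        for k in old.keys() & new.keys()
        if old[k].version != new[k].version
    )
    return {"added": added, "removed": removed, "changed": changed}


def _spdx_doc(packages) -> str:
    """Build a minimal SPDX 2.3 JSON document (constructed sample data)."""
    return json.dumps({
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "entropydata/entropy-data",
        "packages": [
            {
                "name": name,
                "SPDXID": f"SPDXRef-Package-{i}",
                "versionInfo": version,
                "externalRefs": (
                    [{"referenceCategory": "PACKAGE-MANAGER",
                      "referenceType": "purl",
                      "referenceLocator": purl}] if purl else []
                ),
            }
            for i, (name, version, purl) in enumerate(packages)
        ],
    })


# Constructed SBOMs for two hypothetical releases (not real data).
OLD_SBOM = _spdx_doc([
    ("entropydata/entropy-data", "1.0.0", ""),  # image root package, no purl
    ("openssl", "3.0.11-1", "pkg:deb/debian/openssl@3.0.11-1?arch=amd64"),
    ("zlib1g", "1.2.13-1", "pkg:deb/debian/zlib1g@1.2.13-1?arch=amd64"),
    ("requests", "2.31.0", "pkg:pypi/requests@2.31.0"),
])
NEW_SBOM = _spdx_doc([
    ("entropydata/entropy-data", "1.1.0", ""),
    ("openssl", "3.0.13-1", "pkg:deb/debian/openssl@3.0.13-1?arch=amd64"),
    ("zlib1g", "1.2.13-1", "pkg:deb/debian/zlib1g@1.2.13-1?arch=amd64"),
    ("urllib3", "2.2.1", "pkg:pypi/urllib3@2.2.1"),
])

if __name__ == "__main__":
    # With real files: parse_spdx_json(open("old.spdx.json").read()), and so on.
    old, new = parse_spdx_json(OLD_SBOM), parse_spdx_json(NEW_SBOM)
    for kind, entries in diff_inventories(old, new).items():
        print(kind, entries)
```

Keying on the purl with its version removed (rather than on the bare name) keeps a Debian `openssl` package distinct from a PyPI package of the same name, so a version change is only reported when it is the same component in the same ecosystem. Store each release's SBOM next to the image and run the diff as part of the review of every new version.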
Trivy
Among other tools, we use Trivy to automatically identify vulnerabilities, misconfigurations and leaked secrets.
Export SBOM
Export the SBOM in SPDX JSON format with Trivy (the docker sbom command is deprecated, see above):
# export the sbom from the container image
trivy image --format spdx-json --output sbom.json entropydata/entropy-data:latest
Scan the exported SBOM
# scan the SBOM for known vulnerabilities (an SBOM lists components only,
# so misconfiguration and secret scanning need the image itself, see below)
trivy sbom --scanners vuln sbom.json
Scan Container image directly
# scan the container image for vulnerabilities, misconfigurations and secrets
trivy image --scanners vulnerability,misconfig,secret entropydata/entropy-data:latest
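The scans above produce findings; turning them into a pass/fail decision for an internal security check is the part each team has to write. The following is an added example (not Entropy Data's or Trivy's own code) that reads a Trivy JSON report, as produced by `trivy image --format json --output report.json entropydata/entropy-data:latest`, and blocks on CRITICAL/HIGH vulnerabilities that have a fix, on failed CRITICAL/HIGH misconfiguration checks, and on any detected secret. The report embedded in it is constructed: the vulnerability IDs, check IDs, packages and targets are placeholders, not real findings for the image. The top-level field names (Results, Vulnerabilities, Misconfigurations, Secrets) follow Trivy's JSON report format; the gate policy itself is an assumption to adapt to your own rules.

```python
"""Turn a Trivy JSON report into a pass/fail gate for an internal security check.

Added example for this page; it is not Entropy Data's or Trivy's own code. The
report below is constructed: placeholder vulnerability and check IDs stand in
for real findings. Field names follow Trivy's JSON report format.
"""
import json
from collections import Counter

BLOCKING_SEVERITIES = frozenset({"CRITICAL", "HIGH"})


def evaluate_trivy_report(text: str, blocking=BLOCKING_SEVERITIES, require_fix=True) -> dict:
    """Return {'passed': bool, 'blocking': [finding, ...]} for a Trivy JSON report."""
    report = json.loads(text)
    blocking_findings = []
    for result in report.get("Results") or []:
        target = result.get("Target", "")
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN")
            fixed = vuln.get("FixedVersion", "")
            # Unfixed findings do not block by default: nothing can be upgraded yet,
            # so they belong on a tracked exception list rather than failing every build.
            if severity in blocking and (fixed or not require_fix):
                blocking_findings.append({
                    "kind": "vulnerability", "id": vuln["VulnerabilityID"],
                    "severity": severity, "target": target,
                    "package": vuln.get("PkgName"),
                    "installed": vuln.get("InstalledVersion"), "fixed": fixed,
                })
        for misconf in result.get("Misconfigurations") or []:
            if misconf.get("Status") == "FAIL" and misconf.get("Severity") in blocking:
                blocking_findings.append({
                    "kind": "misconfiguration", "id": misconf["ID"],
                    "severity": misconf.get("Severity"), "target": target,
                    "title": misconf.get("Title"),
                })
        for secret in result.get("Secrets") or []:
            # A leaked credential blocks regardless of severity: it must be rotated,
            # not merely deleted from the image.
            blocking_findings.append({
                "kind": "secret", "id": secret["RuleID"],
                "severity": secret.get("Severity"), "target": target,
                "line": secret.get("StartLine"),
            })
    return {"passed": not blocking_findings, "blocking": blocking_findings}


def severity_counts(text: str) -> dict:
    """Number of vulnerability findings per severity, for a summary line."""
    counts = Counter()
    for result in json.loads(text).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return dict(counts)


# Constructed report with placeholder IDs (not real findings for the image).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "entropydata/entropy-data:latest",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "entropydata/entropy-data:latest (debian 12)",
            "Class": "os-pkgs", "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
                 "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6",
                 "InstalledVersion": "2.36-9", "Severity": "CRITICAL"},  # no fix yet
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib1g",
                 "InstalledVersion": "1.2.13-1", "FixedVersion": "1.2.13-2", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "app/deploy.yaml", "Class": "config", "Type": "kubernetes",
            "Misconfigurations": [
                {"ID": "CHECK-PLACEHOLDER-1", "Title": "Container runs as root",
                 "Severity": "HIGH", "Status": "FAIL"},
                {"ID": "CHECK-PLACEHOLDER-2", "Title": "Resource limits set",
                 "Severity": "LOW", "Status": "PASS"},
            ],
        },
        {
            "Target": "app/.env", "Class": "secret",
            "Secrets": [
                {"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL",
                 "Title": "AWS Access Key ID", "StartLine": 3, "EndLine": 3},
            ],
        },
    ],
})

if __name__ == "__main__":
    # With a real report: evaluate_trivy_report(open("report.json").read())
    verdict = evaluate_trivy_report(SAMPLE_REPORT)
    print("severities:", severity_counts(SAMPLE_REPORT))
    for finding in verdict["blocking"]:
        print("BLOCK", finding["kind"], finding["id"], finding["target"])
    raise SystemExit(0 if verdict["passed"] else 1)
```

Setting `require_fix=False` makes unfixed CRITICAL/HIGH findings block as well, which is the stricter policy for environments that can wait for an upstream fix before deploying. The exit status at the end is what a CI job or admission step would act on.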
Configure Trivy to use private repository
# set up container registry authentication (Trivy reads these environment variables)
export TRIVY_USERNAME=...
export TRIVY_PASSWORD=...