A Software Bill of Materials (SBOM) is an inventory of everything a piece of software contains: the packages it ships with, their versions and where they came from.
To generate such a list, call Syft!
- How to install
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
The script is executed as root, so read it before piping it to sudo sh; the -b flag sets the directory the syft binary is installed into.
- How to launch
$ cd $PROJECT_ROOT
$ syft dir:.
 ✔ Indexed .
 ✔ Cataloged packages      [1 packages]
NAME    VERSION  TYPE
pandas  1.3.4    python
[...]
We can also write the SBOM to a file. Here the -o github option selects the GitHub dependency snapshot JSON format, which lists each manifest found and the packages resolved from it as package URLs (purls):
$ syft dir:. -o github=sbom.json
$ cat sbom.json
{
  "version": 0,
  "job": {},
  "detector": {
    "name": "syft",
    "url": "https://github.com/anchore/syft",
    "version": "0.56.0"
  },
  "manifests": {
    "requirements.txt": {
      "name": "requirements.txt",
      "file": {
        "source_location": "requirements.txt"
      },
      "resolved": {
        "pkg:pypi/pandas@1.3.4": {
          "package_url": "pkg:pypi/pandas@1.3.4",
          "relationship": "direct",
          "scope": "runtime"
        }
      }
    }
  },
  "scanned": "2022-09-10T10:04:24+02:00"
}
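Once the SBOM exists, the useful next step is to consume it. The following Python script is an added example, not part of Syft or of the original page: it parses a file in the GitHub dependency snapshot format shown above, splits each package URL into ecosystem, namespace, name and version, and summarizes the inventory per ecosystem while flagging packages without a pinned version. The embedded JSON is a constructed sample with the same structure as sbom.json above; the numpy and @types/node entries are made up to exercise indirect dependencies and percent-encoded purl namespaces.

```python
"""Parse a Syft SBOM written in GitHub dependency-snapshot format.

Added example (not Syft's own code). SAMPLE_SBOM below is constructed to
mirror the structure of the sbom.json produced by `syft dir:. -o github=...`;
only the extra package entries are invented.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample: same shape as the page's sbom.json, with two manifests.
SAMPLE_SBOM = """
{
  "version": 0,
  "job": {},
  "detector": {"name": "syft", "url": "https://github.com/anchore/syft", "version": "0.56.0"},
  "manifests": {
    "requirements.txt": {
      "name": "requirements.txt",
      "file": {"source_location": "requirements.txt"},
      "resolved": {
        "pkg:pypi/pandas@1.3.4": {
          "package_url": "pkg:pypi/pandas@1.3.4",
          "relationship": "direct",
          "scope": "runtime"
        },
        "pkg:pypi/numpy@1.21.4": {
          "package_url": "pkg:pypi/numpy@1.21.4",
          "relationship": "indirect",
          "scope": "runtime"
        }
      }
    },
    "package.json": {
      "name": "package.json",
      "file": {"source_location": "web/package.json"},
      "resolved": {
        "pkg:npm/%40types/node@16.11.7": {
          "package_url": "pkg:npm/%40types/node@16.11.7",
          "relationship": "direct",
          "scope": "development"
        }
      }
    }
  },
  "scanned": "2022-09-10T10:04:24+02:00"
}
"""


@dataclass(frozen=True)
class Component:
    manifest: str      # manifest file the package was resolved from
    ecosystem: str     # purl type, e.g. "pypi" or "npm"
    namespace: str     # purl namespace, "" when absent (e.g. "@types")
    name: str
    version: str       # "" when the purl carries no version
    relationship: str  # "direct" or "indirect"
    scope: str         # "runtime" or "development"
    purl: str


def parse_purl(purl: str) -> tuple[str, str, str, str]:
    """Split pkg:type/[namespace/]name[@version][?qualifiers][#subpath]."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    body = purl[len("pkg:"):]
    # Qualifiers and subpath are not needed for an inventory; drop them.
    body = body.split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    if "@" in rest:
        path, _, version = rest.rpartition("@")
    else:
        path, version = rest, ""
    # Namespace segments are percent-encoded in purls ("%40types" -> "@types").
    segments = [unquote(s) for s in path.split("/")]
    return ptype, "/".join(segments[:-1]), segments[-1], version


def load_components(sbom_json: str) -> list[Component]:
    """Flatten every manifest's resolved packages into Component records."""
    doc = json.loads(sbom_json)
    components: list[Component] = []
    for manifest_name, manifest in doc.get("manifests", {}).items():
        for key, entry in manifest.get("resolved", {}).items():
            purl = entry.get("package_url", key)
            ptype, namespace, name, version = parse_purl(purl)
            components.append(Component(
                manifest=manifest_name, ecosystem=ptype, namespace=namespace,
                name=name, version=version,
                relationship=entry.get("relationship", "unknown"),
                scope=entry.get("scope", "unknown"), purl=purl))
    return components


def summarize(components: list[Component]) -> tuple[dict[str, int], list[str]]:
    """Count components per ecosystem and list purls with no pinned version."""
    by_ecosystem: dict[str, int] = {}
    unpinned: list[str] = []
    for c in components:
        by_ecosystem[c.ecosystem] = by_ecosystem.get(c.ecosystem, 0) + 1
        if not c.version:
            unpinned.append(c.purl)
    return by_ecosystem, unpinned


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    for c in comps:
        print(f"{c.manifest:18} {c.ecosystem:5} {c.namespace + '/' if c.namespace else ''}{c.name}"
              f"@{c.version or '?'}  {c.relationship}/{c.scope}")
    counts, unpinned = summarize(comps)
    print("per ecosystem:", counts, "| unpinned:", unpinned)
```

To run it against a real export, replace SAMPLE_SBOM with the contents of sbom.json (for example `load_components(open("sbom.json").read())`). The script deliberately reads the purl key and the package_url field independently so that a malformed entry where the two disagree is still inventoried rather than silently dropped.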