docker scout sbom

Generate or display SBOM of an image


docker scout sbom [IMAGE|DIRECTORY|ARCHIVE]


The docker scout sbom command analyzes a software artifact to generate the corresponding Software Bill Of Materials (SBOM).

The SBOM can be used to list all packages, or the ones from a specific type (as dep, maven, etc).

If no image is specified, the most recently built image will be used.

The following artifact types are supported:

  • Images
  • OCI layout directories
  • Tarball archives, as created by docker save

The tool analyzes the provided software artifact, and generates a vulnerability report.

By default, the tool expects an image reference, such as:

  • redis
  • curlimages/curl:7.87.0

If the artifact you want to analyze is an OCI directory or a tarball archive, you must use the --type flag.



Output format:

  • list: list of packages of the image
  • json: json representation of the SBOM
--only-package-typeComma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) Can only be used with --format list
--output-oWrite the report to a file.
--platformPlatform of image to analyze
--refReference to use if the provided tarball contains multiple references. Can only be used with --type archive.

Type of the image to analyze. Can be one of:

  • image
  • oci-dir
  • archive (docker save tarball)
  • fs (directory or file)


Display the list of packages

$ docker scout sbom --format list alpine

Only display packages of a specific type

 $ docker scout sbom --format list --only-package-type apk alpine

Display the full SBOM as json

$ docker scout sbom alpine

Display the full SBOM of the most recently buitl image

$ docker scout sbom

Write SBOM to a file

$ docker scout sbom --output alpine.sbom alpine

Early Access

Docker Scout secures the complete software supply chain by providing image analysis, real-time vulnerability identification, contextual remediation recommendations, and more. Now available in early access.

Learn more on the Docker Scout product pageopen_in_new.