docker scout sbom

Generate or display SBOM of an image

Usage

docker scout sbom [IMAGE|DIRECTORY|ARCHIVE]

Description

The docker scout sbom command analyzes a software artifact to generate the corresponding Software Bill Of Materials (SBOM).

The SBOM can be used to list all packages, or only those of a specific type (such as deb, maven, etc).

If no image is specified, the most recently built image will be used.

The following artifact types are supported:

  • Images
  • OCI layout directories
  • Tarball archives, as created by docker save

The tool analyzes the provided software artifact, and generates a vulnerability report.

By default, the tool expects an image reference, such as:

  • redis
  • curlimages/curl:7.87.0
  • mcr.microsoft.com/dotnet/runtime:7.0

If the artifact you want to analyze is an OCI directory or a tarball archive, you must use the --type flag.

Options

--format (default: json)

Output format:

  • list: list of packages of the image
  • json: json representation of the SBOM

--only-package-type

Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc). Can only be used with --format list.

--output, -o

Write the report to a file.

--platform

Platform of image to analyze.

--ref

Reference to use if the provided tarball contains multiple references. Can only be used with --type archive.

--type (default: image)

Type of the image to analyze. Can be one of:

  • image
  • oci-dir
  • archive (docker save tarball)
  • fs (directory or file)

Examples

Display the list of packages

$ docker scout sbom --format list alpine

Only display packages of a specific type

$ docker scout sbom --format list --only-package-type apk alpine

Display the full SBOM as json

$ docker scout sbom alpine

Display the full SBOM of the most recently built image

$ docker scout sbom

Write SBOM to a file

$ docker scout sbom --output alpine.sbom alpine
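
Select --type automatically for mixed inputs

Because OCI directories and tarball archives require the --type flag, a script that handles several kinds of artifact has to pick the value itself. The following is an added example, not part of the Docker documentation; the function names and the DOCKER variable are assumptions, and only flags listed on this page are used.

```shell
#!/bin/sh
# Added example: derive the --type value for `docker scout sbom` from the
# artifact itself. DOCKER is a hypothetical override for the docker binary.

# Print the --type value for an artifact: oci-dir, archive, fs or image.
scout_artifact_type() {
    artifact="$1"
    if [ -d "$artifact" ]; then
        # An OCI image layout directory holds an oci-layout marker and index.json.
        if [ -f "$artifact/oci-layout" ] && [ -f "$artifact/index.json" ]; then
            echo oci-dir
        else
            echo fs
        fi
    elif [ -f "$artifact" ]; then
        # A regular file that tar can list is treated as a docker save tarball.
        if tar -tf "$artifact" >/dev/null 2>&1; then
            echo archive
        else
            echo fs
        fi
    else
        # No such path on disk: treat the argument as an image reference.
        # A local path that shares its name with an image wins over the image.
        echo image
    fi
}

# Write the JSON SBOM of an artifact to a file, passing the detected --type.
scout_write_sbom() {
    sbom_type="$(scout_artifact_type "$1")" || return 1
    "${DOCKER:-docker}" scout sbom --type "$sbom_type" --format json --output "$2" "$1"
}

# Stand-alone use: ./scout-sbom.sh ARTIFACT OUTPUT_FILE
if [ "$#" -eq 2 ]; then
    scout_write_sbom "$1" "$2"
fi
```
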

Early Access

Docker Scout secures the complete software supply chain by providing image analysis, real-time vulnerability identification, contextual remediation recommendations, and more. Now available in early access.
