Container Transparency using SBOM Observer
Creating an SBOM from a Docker Container
In this video, we explore the process of creating a Software Bill of Materials (SBOM) from a docker container, highlighting the ease of this process using specific tools and demonstrate how to identify vulnerabilities within the container.
Introduction
If you rather read, below are the steps to produce an SBOM from an docker container from the video explained.
Using Free Open Source SCA tools together with SBOM Observer
In this process we'll use a SCA tool to create an SBOM (Software Bill of Material) of the CycloneDX format and then use SBOM Observer to analyse and identify issues within the Docker container.
Tools and Techniques
Trivy
Trivy is an open source SCA tool used in this video to produce an SBOM in CycloneDX format. Trivy by Aqua Security provides detailed information when scanning Docker Containers.
One-liner Command
The one-liner used in video produces an SBOM from any Docker container.
Trivy one-liner
(Make sure to create the output directory first)
# docker run -v ./output:/output aquasec/trivy image -q --scanners vuln --format cyclonedx --output /output/result.cdx <DOCKER-IMAGE:TAG>
Analyzing Vulnerabilities
Once created, the SBOM is uploaded to SBOM Observer using "Upload Attestation" in the "Attestations" section. Immediately displaying what components that have been discovered and highlighting found vulnerabilities.
Detailed Container Information
SBOM Observer provides a rich view of how the analysed docker container is constructed and on which layer components, vulnerabilities and policy violations are discovered.
Detailed Vulnerability Analysis
A deeper dive into the vulnerabilities found, focusing on critical issues and how to analyze them in detail.
In just a couple of minutes you can have a detailed analysis of any docker container using the steps above. Modern tools such as SBOM Observer provides robust workflows when identifying vulnerabilities and ensuring container security. Try it out in our free live demo