Container Transparency using SBOM Observer

Creating an SBOM from a Docker Container

In this video, we explore the process of creating a Software Bill of Materials (SBOM) from a Docker container, highlighting how straightforward the process is with the right tools, and demonstrate how to identify vulnerabilities within the container.

Introduction

If you would rather read, the steps from the video for producing an SBOM from a Docker container are written out below.

Using Free Open Source SCA tools together with SBOM Observer

In this process we'll use an SCA tool to create an SBOM (Software Bill of Materials) in the CycloneDX format and then use SBOM Observer to analyse the result and identify issues within the Docker container.

Tools and Techniques

Trivy

Trivy, by Aqua Security, is the open source SCA tool used in this video to produce an SBOM in CycloneDX format. It provides detailed information when scanning Docker containers.

One-liner Command

The one-liner used in the video produces an SBOM from any Docker container.

Trivy one-liner

(Make sure to create the output directory first.)

# docker run -v ./output:/output aquasec/trivy image -q --scanners vuln --format cyclonedx --output /output/result.cdx <DOCKER-IMAGE:TAG>
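As an added example (not from the video or the SBOM Observer project), the Python below wraps the one-liner above and then sanity-checks the CycloneDX document Trivy writes before it is uploaded: it counts components, buckets vulnerabilities by their worst rating, and lists which component each one affects. The field names (bomFormat, components, bom-ref, vulnerabilities, ratings, affects) are the CycloneDX JSON schema that Trivy emits. The optional docker_socket parameter is an assumption added here for the case where the image exists only in the local Docker daemon; without it Trivy pulls the image from its registry. The embedded BOM, package names and CVE identifiers are constructed placeholders, not real packages or advisories.

```python
"""Wrap the Trivy one-liner and sanity-check the CycloneDX SBOM it writes."""
import json
import os
import subprocess
from collections import Counter

# CycloneDX rating severities, highest first; "unknown" is the fallback used
# when a vulnerability entry carries no usable rating at all.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "none", "unknown"]


def build_trivy_command(image, output_dir="./output", output_file="result.cdx",
                        docker_socket=None):
    """argv equivalent of the page's one-liner. docker_socket is an assumed
    extra: mount it only when the image lives solely in the local daemon."""
    # An absolute host path keeps the bind mount valid on older Docker CLIs.
    cmd = ["docker", "run", "--rm", "-v", f"{os.path.abspath(output_dir)}:/output"]
    if docker_socket:
        cmd += ["-v", f"{docker_socket}:/var/run/docker.sock"]
    cmd += ["aquasec/trivy", "image", "-q", "--scanners", "vuln",
            "--format", "cyclonedx", "--output", f"/output/{output_file}", image]
    return cmd


def run_trivy(image, output_dir="./output", output_file="result.cdx"):
    """Create the output directory (the page's prerequisite), run Trivy, return the SBOM path."""
    os.makedirs(output_dir, exist_ok=True)
    subprocess.run(build_trivy_command(image, output_dir, output_file), check=True)
    return os.path.join(output_dir, output_file)


def load_bom(path):
    """Trivy's .cdx output is plain JSON."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def highest_severity(vuln):
    """Worst severity among a vulnerability's ratings (Trivy may emit one per source)."""
    found = {r.get("severity", "").lower() for r in vuln.get("ratings", [])}
    for level in SEVERITY_ORDER:
        if level in found:
            return level
    return "unknown"


def summarize_cyclonedx(bom):
    """Reduce a CycloneDX JSON BOM to the numbers worth checking before upload."""
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM (bomFormat missing or wrong)")
    components = bom.get("components", [])
    # bom-ref -> "name@version" so findings can be reported per component
    names = {c.get("bom-ref"): f"{c.get('name')}@{c.get('version')}" for c in components}
    by_severity = Counter()
    affected = {}
    critical = []
    for vuln in bom.get("vulnerabilities", []):
        sev = highest_severity(vuln)
        by_severity[sev] += 1
        if sev == "critical":
            critical.append(vuln["id"])
        for ref in vuln.get("affects", []):
            comp = names.get(ref.get("ref"), ref.get("ref"))
            affected.setdefault(comp, []).append(vuln["id"])
    return {
        "image": bom.get("metadata", {}).get("component", {}).get("name"),
        "components": len(components),
        "by_severity": dict(by_severity),
        "critical": critical,
        "affected": affected,
    }


# Constructed sample in the shape Trivy writes; the purls and CVE ids are
# placeholders, not real packages or advisories.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "example/app:1.0"}},
    "components": [
        {"bom-ref": "pkg:deb/debian/libexample@1.2.3", "type": "library",
         "name": "libexample", "version": "1.2.3"},
        {"bom-ref": "pkg:pypi/examplelib@0.9.0", "type": "library",
         "name": "examplelib", "version": "0.9.0"},
        {"bom-ref": "pkg:deb/debian/quietlib@2.0.0", "type": "library",
         "name": "quietlib", "version": "2.0.0"},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "ratings": [{"severity": "critical"}, {"severity": "high"}],
         "affects": [{"ref": "pkg:deb/debian/libexample@1.2.3"}]},
        {"id": "CVE-0000-0002", "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "pkg:pypi/examplelib@0.9.0"}]},
        {"id": "CVE-0000-0003", "ratings": [],  # no rating: counted as "unknown"
         "affects": [{"ref": "pkg:deb/debian/libexample@1.2.3"}]},
    ],
}

if __name__ == "__main__":
    import sys
    # Pass a real result.cdx path to summarize it; otherwise the sample is used.
    bom = load_bom(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BOM
    print(json.dumps(summarize_cyclonedx(bom), indent=2))
```

Run it against the file produced by the one-liner (`python3 sbom_check.py ./output/result.cdx`) to confirm the scan actually captured components and vulnerability ratings; a BOM with zero components or every finding at "unknown" usually means the wrong image tag was scanned or the vuln scanner was not enabled, and is worth catching before the attestation is uploaded.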

Analyzing Vulnerabilities

Once created, the SBOM is uploaded to SBOM Observer using "Upload Attestation" in the "Attestations" section. The discovered components are displayed immediately, with any vulnerabilities found highlighted.

Detailed Container Information

SBOM Observer provides a rich view of how the analysed Docker container is constructed, showing the layer in which each component, vulnerability and policy violation was discovered.

Detailed Vulnerability Analysis

A deeper dive into the vulnerabilities found, focusing on critical issues and how to analyse them in detail.

In just a couple of minutes you can have a detailed analysis of any Docker container using the steps above. Modern tools such as SBOM Observer provide robust workflows for identifying vulnerabilities and ensuring container security. Try it out in our free live demo.