Docker SBOM: Keeping a Check on Security Risks

Understand SBOM and how Docker SBOM generates a list of software of the container images to prevent any threat.

The Log4j vulnerability and SolarWinds supply chain attack have made us realize that software supply chains are at great risk of being targeted by attackers. The Docker SBOM helps detect these risks.

Software supply chain security comprises everything required to build, deliver and run software anywhere with confidence. It ensures that not only software but the infrastructure, operating systems, source code repositories, registries, developers who wrote it, and the cloud services it uses don’t pose any threats.

The Software Bill of Materials (SBOM) has emerged as the first step to ensure software security.

What is SBOM and how does it help businesses?

An SBOM(Software Bill of Materials) is a list of software components that build the software product. It details the software package, content, license, and certificate information, just like packaged food items contain ingredients and other information.

SBOMs help organizations know and keep track of all software components along with other details, such as:

  • Determining all the runtime dependencies of the software.
  • Keeping track of critical updates and patches.
  • Reducing supply chain attacks and ensuring the organization doesn’t use vulnerable components.
  • Detecting license and certificate-related issues.

The National Telecommunications and Information Administration (NTIA) has listed the minimum requirements for the SBOM, which are:

  • Software supplier and author of SBOM.
  • Information about software vendors.
  • Software component name and its version.
  • Unique identifier for each component.
  • Relationship of the component with other components and packages.
  • Timestamp of SBOM creation.

SBOM standards

To make organizations adopt SBOM quickly, several standards have been defined for generating them. A defined schema provides a format for listing software components, and the most widely used are Software Package Data Exchange (SPDX) and CycloneDX.


SPDX is an SBOM format developed by the Linux Foundation. It shows relationships between software components, licenses, and copyrights associated with the software. It can be stored in different file formats, such as SPDX and JSON. It defines three elements: documents (metadata about the SBOM), packages (groups of elements), and files (single files).


This lightweight SBOM standard is maintained by the OWASP community and built on top of SPDX. It gives security-related information such as supplier, manufacturer, target components, etc. It can be stored in different file formats, such as XML and JSON. It gets divided into components, services, and dependencies.

Docker, too, has recently introduced an SBOM format for container images. It has announced the docker sbom CLI command in Docker Desktop 4.7.0 as a CLI plugin, which lists all the components of the container image. It is an experimental functionality for now, which has been developed as an open-source collaboration with Anchore through the Syft tool.

Syft is a tool for generating SBOMs from container images and file systems. It can convert SBOMs to different formats.

Installation of the Docker CLI plugin

  • As a pre-requisite, Docker/Docker Desktop must be installed on your system. Upgrade the Docker desktop if its version is less than 4.7.0.
apt update && apt install -y

Note: If you are using Docker as a CLI tool, then before installing docker sbom create a /root/.docker directory. More information can be found at

mkdir -p /root/.docker/cli-plugins
  • Install the docker sbom plugin.
curl -sSfL | sh -s --
  • Check its version and verify installation:
docker sbom version

Different Docker SBOM commands

  • To check all options related to docker sbom
docker sbom --help
  • To list the software components of an NGINX Docker image
docker sbom nginx:latest

By default, the output will be in a table format. From the output given below, it can be inferred that the first image is pulled if not present locally, then it’s loaded and processed further, and then the software elements get listed along with its version and package type.

Figure 1: Listing Software Packages of NGINX Docker Image
  • To list the software components of a particular Node.js application, type:
docker sbom oshi36/nodeapp_test:latest

One will get the similar output as shown below

docker sbom oshi36/nodeapp_test:latest
Syft v0.46.3
 ✔ Pulled image            
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [569 packages]
NAME                              VERSION      TYPE 
JSONStream                        1.3.5        npm   
abbrev                            1.1.1        npm   
accepts                           1.3.8        npm   
agent-base                        4.2.1        npm   
agent-base                        4.3.0        npm   
agentkeepalive                    3.5.2        npm   
ajv                               5.5.2        npm   
alpine-baselayout                 3.2.0-r3     apk   
alpine-keys                       2.1-r2       apk   
ansi-align                        2.0.0        npm   
ansi-regex                        2.1.1        npm   
ansi-regex                        3.0.0        npm   
ansi-styles                       3.2.1        npm   
ansicolors                        0.3.2        npm   
ansistyles                        0.1.3        npm   
apk-tools                         2.10.5-r0    apk   
aproba                            1.2.0        npm   
aproba                            2.0.0        npm   
archy                             1.0.0        npm   
are-we-there-yet                  1.1.4        npm   
array-flatten                     1.1.1        npm   
asap                              2.0.6        npm   
asn1                              0.2.4        npm   
assert-plus                       1.0.0        npm   
asynckit                          0.4.0        npm   
aws-sign2                         0.7.0        npm   
aws4                              1.8.0        npm   
balanced-match                    1.0.0        npm   
bcrypt-pbkdf                      1.0.2        npm   
bin-links                         1.1.7        npm   
bluebird                          3.5.5        npm   
body-parser                       1.20.1       npm   
boxen                             1.3.0        npm
  • To write the SBOM report to a file, use the output flag:
docker sbom oshi36/nodeapp_test:latest --output nodeapp_report

Open the output file nodeapp_report

cat nodeapp_report
  • To skip paths from docker sbom to scan, use the exclude flag
docker sbom oshi36/nodeapp_test:latest --exclude /usr/local

From the output given below, it can be seen that docker sbom leaves the elements to be scanned at the /usr/local location.

  • To get the SBOM of platform-specific container images such as linux/arm64, arm64, etc, use the platform flag:
docker sbom nginx:alpine --platform linux/arm64
  • To get the SBOM report in different SBOM formats such as spdx-jsoncyclonedx-jsonsyft-json, etc, use the format flag:
docker sbom oshi36/nodeapp_test:latest --format spdx-json

In this format, a unique identifier SPDXID is provided for each package and file, along with information about the license. One will get similar output as shown below.

 "name": "oshi36/nodeapp_test-latest",
 "spdxVersion": "SPDX-2.2",
 "creationInfo": {
  "created": "2023-08-14T08:55:44.992806046Z",
  "creators": [
   "Organization: Anchore, Inc",
   "Tool: syft-v0.46.3"
  "licenseListVersion": "3.17"
 "dataLicense": "CC0-1.0",
 "documentNamespace": "",
 "packages": [
   "SPDXID": "SPDXRef-2a0a99c2a38a6407",
   "name": "JSONStream",
   "licenseConcluded": "NOASSERTION",
   "downloadLocation": "git://",
   "externalRefs": [
     "referenceCategory": "SECURITY",
     "referenceLocator": "cpe:2.3:a:JSONStream:JSONStream:1.3.5:*:*:*:*:*:*:*",
     "referenceType": "cpe23Type"
     "referenceCategory": "SECURITY",
     "referenceLocator": "cpe:2.3:a:*:JSONStream:1.3.5:*:*:*:*:*:*:*",
     "referenceType": "cpe23Type"
     "referenceCategory": "PACKAGE_MANAGER",
     "referenceLocator": "pkg:npm/JSONStream@1.3.5",
     "referenceType": "purl"
   "filesAnalyzed": false,
   "homepage": "",
   "licenseDeclared": "NOASSERTION",
   "originator": "Person: Dominic Tarr <> (",
   "sourceInfo": "acquired package info from installed node module manifest file: /usr/local/lib/node_modules/npm/node_modules/JSONStream/package.json",
   "versionInfo": "1.3.5"
docker sbom oshi36/nodeapp_test:latest --format cyclonedx-json

This format has details about the supplier, manufacturer, and BOM creation tools, along with the component type and its version in the hash. One will get similar output as shown below.

  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:485ca879-9cf8-4dd0-a3ba-30837b144e43",
  "version": 1,
  "metadata": {
    "timestamp": "2023-08-14T08:58:11Z",
    "tools": [
        "vendor": "anchore",
        "name": "syft",
        "version": "v0.46.3"
    "component": {
      "bom-ref": "ca3081e98a696b2a",
      "type": "container",
      "name": "oshi36/nodeapp_test:latest",
      "version": "sha256:f5b479b7050956bdfcea3f1af9000a85dc0dd358ee674a2b29ebfb0ed3a846bd"
  "components": [
      "bom-ref": "pkg:npm/JSONStream@1.3.5?package-id=2a0a99c2a38a6407",
      "type": "library",
      "author": "Dominic Tarr \\u003e (",
      "name": "JSONStream",
      "version": "1.3.5",
      "cpe": "cpe:2.3:a:JSONStream:JSONStream:1.3.5:*:*:*:*:*:*:*",
      "purl": "pkg:npm/JSONStream@1.3.5",
      "externalReferences": [
          "url": "git://",
          "type": "distribution"
          "url": "",
          "type": "website"
docker sbom oshi36/nodeapp_test:latest --format syft-json

It outputs the SBOM report in Syft’s native JSON format. One will get similar output as shown below.

 "artifacts": [
   "id": "2a0a99c2a38a6407",
   "name": "JSONStream",
   "version": "1.3.5",
   "type": "npm",
   "foundBy": "javascript-package-cataloger",
   "locations": [
     "path": "/usr/local/lib/node_modules/npm/node_modules/JSONStream/package.json",
     "layerID": "sha256:8ca4f4055a7095ff1807ce521287ae7bdd91aa711ae45d5b0f3d1c45ab0adefe"
   "licenses": [
    "(MIT OR Apache-2.0)"
   "language": "javascript",
   "cpes": [
   "purl": "pkg:npm/JSONStream@1.3.5",
   "metadataType": "NpmPackageJsonMetadata",
   "metadata": {
    "name": "JSONStream",
    "version": "1.3.5",
    "author": "Dominic Tarr <> (",
    "licenses": [
     "(MIT OR Apache-2.0)"
    "homepage": "",
    "description": "",
    "url": "git://"

Log4j 2 vulnerability use case

Log4j 2 is a logging library by Apache and its vulnerability CVE-2021-44228 allows remote code execution from a context that is easily available to an attacker. This vulnerability has been found in Minecraft servers. It allows commands to be typed in chat logs and then sent to the logger.

Currently, CVE-2021-44228 impacts all versions of Log4j 2.x <= 2.14.1. If the container image has Log4j, then docker sbom can help in finding out its version and deciding whether it’s vulnerable or not.

  • To list the components of jboss/wildfly application server and find whether its Log4j version is vulnerable or not.
docker sbom jboss/wildfly| grep log4j

From the output given below it can be seen clearly that Log4j is vulnerable to CVE-2021-44228 due to its version.

Figure 2: Checking Log4j version for CVE


To sum up, docker sbom helps in generating the SBOM for the container image, which helps identify and solve any dependency issues.

Join Our Newsletter

Share this article:

Table of Contents