SBOM Generation
Software Bill of Materials for complete dependency visibility and compliance.
What is an SBOM?
A Software Bill of Materials (SBOM) is a complete inventory of all components, libraries, and dependencies in your container image. It enables vulnerability tracking, license compliance, and supply chain transparency.
Supported Formats
ImageSentinel generates SBOMs in industry-standard formats:
SPDX
ISO/IEC 5962:2021 standard. Widely adopted for license compliance and government requirements.
CycloneDX
OWASP standard optimized for security use cases. Includes VEX support for vulnerability status.
Generating SBOMs
Generate an SBOM for any image using the CLI:
# Generate SPDX SBOM
imagesentinel sbom myapp:latest --format spdx --output sbom.spdx.json
# Generate CycloneDX SBOM
imagesentinel sbom myapp:latest --format cyclonedx --output sbom.cdx.json
# Output to stdout
imagesentinel sbom myapp:latest --format spdx
Example SBOM Output
sbom.spdx.json
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "imagesentinel/python:3.12-hardened",
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-python",
      "name": "python",
      "versionInfo": "3.12.1",
      "supplier": "Organization: ImageSentinel",
      "downloadLocation": "https://www.python.org",
      "checksums": [
        {
          "algorithm": "SHA256",
          "checksumValue": "a1b2c3d4e5f6..."
        }
      ],
      "licenseConcluded": "PSF-2.0"
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relatedSpdxElement": "SPDXRef-Package-python",
      "relationshipType": "DESCRIBES"
    }
  ]
}
Attached SBOMs
All ImageSentinel images include SBOMs as OCI attestations:
# Download SBOM attached to an image
cosign download sbom registry.imagesentinel.io/python:3.12-hardened
# Verify and download SBOM
cosign verify-attestation \
--type spdxjson \
registry.imagesentinel.io/python:3.12-hardened
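Once an SBOM has been generated or downloaded, it is worth checking its structure before feeding it into vulnerability or license policy. The following audit script is an added example, not part of the ImageSentinel CLI or docs: it runs over a constructed SPDX 2.3 document shaped like the one above (package names, versions and checksum values are made up) and reports packages the document does not DESCRIBE, packages with no concluded license, and malformed SHA256 checksums.

```python
import json
import re

# Constructed sample SPDX 2.3 document mirroring the example above. Checksums are
# placeholders, not real digests. The second package is deliberately left out of
# the DESCRIBES relationships and given a bad checksum so the checks fire.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "imagesentinel/python:3.12-hardened",
    "packages": [
        {"SPDXID": "SPDXRef-Package-python", "name": "python", "versionInfo": "3.12.1",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "ab" * 32}],
         "licenseConcluded": "PSF-2.0"},
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "3.0.13",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "not-a-digest"}],
         "licenseConcluded": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-python",
         "relationshipType": "DESCRIBES"},
    ],
})

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def audit_spdx(doc_text: str) -> list[str]:
    """Return findings for an SPDX 2.3 JSON document; an empty list means clean."""
    doc = json.loads(doc_text)
    findings = []
    if doc.get("spdxVersion") != "SPDX-2.3":
        findings.append(f"unexpected spdxVersion {doc.get('spdxVersion')!r}")
    # Packages the top-level document claims to describe.
    described = {r["relatedSpdxElement"] for r in doc.get("relationships", [])
                 if r.get("relationshipType") == "DESCRIBES"
                 and r.get("spdxElementId") == doc.get("SPDXID")}
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "<missing SPDXID>")
        if pid not in described:
            findings.append(f"{pid}: not DESCRIBED by the document")
        if pkg.get("licenseConcluded") in (None, "NOASSERTION"):
            findings.append(f"{pid}: no concluded license")
        for cs in pkg.get("checksums", []):
            if cs.get("algorithm") == "SHA256" and not SHA256_HEX.match(cs.get("checksumValue", "")):
                findings.append(f"{pid}: malformed SHA256 checksum")
    return findings


if __name__ == "__main__":
    for finding in audit_spdx(SAMPLE_SBOM):
        print(finding)
```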