scout: refresh sbom page

Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
This commit is contained in:
David Karlsson 2024-02-14 18:28:47 +01:00
parent 824f9ffe38
commit 98d2e10269
1 changed files with 15 additions and 15 deletions


@ -4,9 +4,9 @@ description: Use Docker Scout to extract the SBOM for your project.
keywords: scout, supply chain, sbom, software bill of material, spdx
---
As part of [image analysis](./image-analysis.md), Docker Scout generates a
Software Bill of Material (SBOM) for your project. The SBOM uses the Software
Package Data Exchange (SPDX) format.
[Image analysis](./image-analysis.md) uses image SBOMs to understand what packages and versions an image contains.
Docker Scout uses SBOM attestations if available on the image (recommended).
If no SBOM attestation is available, Docker Scout creates one by indexing the image contents.
## View from CLI
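Review bot: The new intro drops the statement that the SBOM uses the SPDX format and says attestations are "(recommended)" without pointing the reader to how to produce one; since this same page documents that later under "Attach the SBOM as a build attestation", the parenthetical would read better as a link, e.g. "Docker Scout uses SBOM attestations if available on the image (recommended, see [Attach the SBOM as a build attestation](#attest))." The two new sentences about attestation-vs-indexing are also single very long lines, while the surrounding text is hard-wrapped at roughly 80 columns; wrapping them consistently keeps future diffs small.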
@ -18,14 +18,14 @@ $ docker scout sbom [IMAGE]
```
By default, this prints the SBOM in a JSON format to stdout.
The default JSON format produced by `docker scout sbom` isn't SPDX-JSON.
To output SPDX, use the `--format spdx` flag:
> **Note**
>
> The JSON format produced by `docker scout sbom` isn't SPDX-JSON. To generate
> SPDX, use the SBOM generator plugin for BuildKit, see [Attach the SBOM as a
> build attestation](#attest).
```console
$ docker scout sbom --format spdx [IMAGE]
```
Use the `--format list` flag to generate a human-readable output.
To generate a human-readable list, use the `--format list` flag:
```console
$ docker scout sbom --format list alpine
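Review bot: This hunk replaces the note saying SPDX can only be produced via the BuildKit generator plugin with a claim that `docker scout sbom --format spdx` emits SPDX directly; please confirm that `spdx` is a documented value of `--format` in the CLI reference this page links to (`../reference/cli/docker/scout/sbom.md`), since the removed note and the new sentence make opposite claims and readers will follow the reference to check. The leftover line "By default, this prints the SBOM in a JSON format to stdout." followed by "The default JSON format produced by `docker scout sbom` isn't SPDX-JSON." now says "default" twice in a row; consider merging them into one sentence such as "By default, this prints the SBOM to stdout in a JSON format that isn't SPDX-JSON."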
@ -60,10 +60,11 @@ reference](../reference/cli/docker/scout/sbom.md).
You can generate the SBOM and attach it to the image at build-time as an
[attestation](../build/attestations/_index.md). BuildKit provides a default
SBOM generator which is different from what Docker Scout uses. You can swap out
the default generator and replace it with the Docker Scout SBOM generator,
which creates richer results and ensures better compatibility with the Docker
Scout image analysis.
SBOM generator which is different from what Docker Scout uses.
You can configure BuildKit to use the Docker Scout SBOM generator
using the `--attest` flag for the `docker build` command.
The Docker Scout SBOM indexer provides richer results
and ensures better compatibility with the Docker Scout image analysis.
```console
$ docker build --tag <org>/<image> \
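Review bot: The rewritten paragraph switches terminology mid-flow, calling it the "Docker Scout SBOM generator" in one sentence and the "Docker Scout SBOM indexer" in the next; pick one name (the rest of the page uses "generator") so readers don't assume two different components. "Provides richer results" is also left without a comparison point now that the old sentence was split; "richer results than the default BuildKit generator" makes the comparison explicit. Finally, the sentence about `--attest` tells the reader which flag to use but not which value selects the Docker Scout generator, so it should either name the `generator` option shown in the example below or say "as shown in the following example".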
@ -71,8 +72,7 @@ $ docker build --tag <org>/<image> \
--push .
```
The default, non-containerd image store doesn't currently support images with
attestations. To build images with SBOM attestations, you can either turn on
To build images with SBOM attestations, you must either turn on
the [containerd image store](../desktop/containerd.md) feature, or use a
`docker-container` builder together with the `--push` flag to push the image
(with attestations) directly to a registry.
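Review bot: Changing "you can either" to "you must either" is correct, but removing the sentence "The default, non-containerd image store doesn't currently support images with attestations" drops the reason for the requirement, so readers no longer learn why a plain `docker build` with the default store silently loses the attestation. Keep a short clause, for example "Because the default image store doesn't support attestations, to build images with SBOM attestations you must either turn on the containerd image store feature, or use a `docker-container` builder together with the `--push` flag". It would also help to state what happens when neither condition is met (the build succeeds but the attestation is not retained), since that failure mode is easy to miss.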