SBOM Attestation Example

$ docker buildx build --attest type=sbom,generator=<image> . ``` > [!TIP] > > The Docker Scout SBOM generator is available. See > [Docker Scout SBOMs](/manuals/scout/how-tos/view-create-sboms.md). ## SBOM attestation example The following JSON example shows what an SBOM attestation might look like. ```json { "_type": "https://in-toto.io/Statement/v0.1", "predicateType": "https://spdx.dev/Document", "subject": [ { "name": "pkg:docker/<registry>/<image>@<tag/digest>?platform=<platform>", "digest": { "sha256": "e8275b2b76280af67e26f068e5d585eb905f8dfd2f1918b3229db98133cb4862" } } ], "predicate": { "SPDXID": "SPDXRef-DOCUMENT", "creationInfo": { "created": "2022-12-16T15:27:25.517047753Z", "creators": ["Organization: Anchore, Inc", "Tool: syft-v0.60.3"], "licenseListVersion": "3.18" }, "dataLicense": "CC0-1.0", "documentNamespace": "https://anchore.com/syft/dir/run/src/core/sbom-cba61a72-fa95-4b60-b63f-03169eac25ca", "name": "/run/src/core/sbom", "packages": [ { "SPDXID": "SPDXRef-b074348b8f56ea64", "downloadLocation": "NOASSERTION", "externalRefs": [ { "referenceCategory": "SECURITY", "referenceLocator": "cpe:2.3:a:org:repo:\$devel\$:*:*:*:*:*:*:*", "referenceType": "cpe23Type" }, { "referenceCategory": "PACKAGE_MANAGER", "referenceLocator": "pkg:golang/github.com/org/repo@(devel)", "referenceType": "purl" } ], "filesAnalyzed": false, "licenseConcluded": "NONE", "licenseDeclared": "NONE", "name": "github.com/org/repo", "sourceInfo": "acquired package info from go module information: bin/server", "versionInfo": "(devel)" }, { "SPDXID": "SPDXRef-1b96f57f8fed62d8", "checksums": [ { "algorithm": "SHA256", "checksumValue": "0c13f1f3c1636491f716c2027c301f21f9dbed7c4a2185461ba94e3e58443408" } ], "downloadLocation": "NOASSERTION", "externalRefs": [ { "referenceCategory": "SECURITY", "referenceLocator": "cpe:2.3:a:go-chi:chi\\/v5:v5.0.0:*:*:*:*:*:*:*", "referenceType": "cpe23Type" }, { "referenceCategory": "SECURITY", "referenceLocator": "cpe:2.3:a:go_chi:chi\\/v5:v5.0.0:*:*:*:*:*:*:*", "referenceType": "cpe23Type" }, { "referenceCategory": "SECURITY", "referenceLocator": "cpe:2.3:a:go:chi\\/v5:v5.0.0:*:*:*:*:*:*:*", "referenceType": "cpe23Type" }, { "referenceCategory": "PACKAGE_MANAGER", "referenceLocator": "pkg:golang/github.com/go-chi/chi/v5@v5.0.0", "referenceType": "purl" } ], "filesAnalyzed": false, "licenseConcluded": "NONE", "licenseDeclared": "NONE", "name": "github.com/go-chi/chi/v5", "sourceInfo": "acquired package info from go module information: bin/server", "versionInfo": "v5.0.0" } ], "relationships": [ { "relatedSpdxElement": "SPDXRef-1b96f57f8fed62d8", "relationshipType": "CONTAINS", "spdxElementId": "SPDXRef-043f7360d3c66bc31ba45388f16423aa58693289126421b71d884145f8837fe1" }, { "relatedSpdxElement": "SPDXRef-b074348b8f56ea64", "relationshipType": "CONTAINS", "spdxElementId": "SPDXRef-043f7360d3c66bc31ba45388f16423aa58693289126421b71d884145f8837fe1" } ], "spdxVersion": "SPDX-2.2" } } ```

A JSON example showing the structure of an SBOM attestation. It includes the type, predicateType (SPDX document), subject (package name and digest), and predicate, which contains SPDX details such as creation info, data license, document namespace, package information (name, version, external references, licenses), relationships between packages, and the SPDX version.