$ ls -1 out | grep sbom
sbom-hugo.spdx.json
sbom.spdx.json
```

## Inspecting SBOMs

To explore created SBOMs exported through the `image` exporter, you can use
[`imagetools inspect`](/reference/cli/docker/buildx/imagetools/inspect.md).

Using the `--format` option, you can specify a template for the output. All
SBOM-related data is available under the `.SBOM` attribute. For example, to get
the raw contents of an SBOM in SPDX format:

```console
$ docker buildx imagetools inspect <namespace>/<image>:<version> \
    --format "{{ json .SBOM.SPDX }}"
{
  "SPDXID": "SPDXRef-DOCUMENT",
  ...
}
```

> [!TIP]
>
> If the image is multi-platform, you can check the SBOM for a platform-specific index using `--format '{{ json (index .SBOM "linux/amd64").SPDX }}'`.

You can also construct more complex expressions using the full functionality
of Go templates. For example, you can list all the installed packages and their
version identifiers:

```console
$ docker buildx imagetools inspect <namespace>/<image>:<version> \
    --format "{{ range .SBOM.SPDX.packages }}{{ .name }}@{{ .versionInfo }}{{ println }}{{ end }}"
adduser@3.118ubuntu2
apt@2.0.9
base-files@11ubuntu5.6
base-passwd@3.5.47
...
```
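The same package listing that the template above produces can also be done offline against the raw attestation statement, which is the in-toto `Statement` with an SPDX predicate shown in the attestation example later on this page. The Python below is an added example and is not Docker or BuildKit code: it checks the statement type, the predicate type and that the subject digest is the image digest you expect before walking `predicate.packages`, and it reports packages that carry no `versionInfo` (those cannot be matched against advisories). The statement it parses is a constructed, trimmed sample; `example.invalid` and the all-`a` digest are placeholders.

```python
import json
import re

# Constructed sample: a trimmed in-toto statement with an SPDX predicate,
# shaped like the SBOM attestation example in these docs. All values are
# made up; "example.invalid" and the all-"a" digest are placeholders.
SAMPLE_ATTESTATION = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "subject": [
        {
            "name": "pkg:docker/example.invalid/app@1.0?platform=linux/amd64",
            "digest": {"sha256": "a" * 64},
        }
    ],
    "predicate": {
        "SPDXID": "SPDXRef-DOCUMENT",
        "packages": [
            {"name": "adduser", "versionInfo": "3.118ubuntu2"},
            {"name": "apt", "versionInfo": "2.0.9"},
            {"name": "vendored-lib"},  # no versionInfo: should be flagged
        ],
    },
})

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SPDX_PREDICATE = "https://spdx.dev/Document"
SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def check_statement(raw, expected_digest):
    """Return a list of problems found in the statement envelope (empty if OK).

    expected_digest is the sha256 hex digest of the image the SBOM is supposed
    to describe; an SBOM bound to some other digest is not evidence about it.
    """
    problems = []
    stmt = json.loads(raw)
    if stmt.get("_type") != STATEMENT_TYPE:
        problems.append(f"unexpected _type: {stmt.get('_type')!r}")
    if stmt.get("predicateType") != SPDX_PREDICATE:
        problems.append(f"unexpected predicateType: {stmt.get('predicateType')!r}")
    subjects = stmt.get("subject") or []
    if not subjects:
        problems.append("statement has no subject")
    digests = set()
    for subj in subjects:
        sha = (subj.get("digest") or {}).get("sha256", "")
        if not SHA256_HEX.match(sha):
            problems.append(f"subject {subj.get('name')!r} has a malformed sha256")
        digests.add(sha)
    if expected_digest not in digests:
        problems.append("no subject digest matches the expected image digest")
    return problems


def list_packages(raw):
    """Return (name, versionInfo) pairs from the SPDX predicate, like the
    `{{ range .SBOM.SPDX.packages }}` template above; versionInfo is None
    when the SBOM does not record one."""
    spdx = json.loads(raw).get("predicate") or {}
    return [(pkg.get("name", "<unnamed>"), pkg.get("versionInfo"))
            for pkg in spdx.get("packages", [])]


def unversioned_packages(raw):
    """Names of packages whose version is unknown to the SBOM."""
    return [name for name, version in list_packages(raw) if not version]


if __name__ == "__main__":
    issues = check_statement(SAMPLE_ATTESTATION, "a" * 64)
    print("envelope OK" if not issues else "\n".join(issues))
    for name, version in list_packages(SAMPLE_ATTESTATION):
        print(f"{name}@{version or '?'}")
    print("unversioned:", unversioned_packages(SAMPLE_ATTESTATION))
```

Feed it the output of `docker buildx imagetools inspect ... --format "{{ json .SBOM }}"` (or the raw statement pulled from the registry) and pass the image digest you are deploying as `expected_digest`; a non-empty result from `check_statement` means the SBOM should not be trusted to describe that image.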

## SBOM generator

BuildKit generates the SBOM using a scanner plugin. By default, it uses the
[BuildKit Syft scanner](https://github.com/docker/buildkit-syft-scanner)
plugin. This plugin is built on top of
[Anchore's Syft](https://github.com/anchore/syft),
an open source tool for generating an SBOM.

You can select a different plugin to use with the `generator` option, specifying
an image that implements the
[BuildKit SBOM scanner protocol](https://github.com/moby/buildkit/blob/master/docs/attestations/sbom-protocol.md).

```console
$ docker buildx build --attest type=sbom,generator=<image> .
```

> [!TIP]
>
> The Docker Scout SBOM generator is available. See
> [Docker Scout SBOMs](/manuals/scout/how-tos/view-create-sboms.md).

## SBOM attestation example

The following JSON example shows what an SBOM attestation might look like.

```json
{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://spdx.dev/Document",
  "subject": [
    {
      "name": "pkg:docker/<registry>/<image>@<tag/digest>?platform=<platform>",
      "digest": {
        "sha256": "e8275b2b76280af67e26f068e5d585eb905f8dfd2f1918b3229db98133cb4862"
      }
    }
  ],
  "predicate": {
    "SPDXID": "SPDXRef-DOCUMENT",
    "creationInfo": {
      "created": "2022-12-16T15:27:25.517047753Z",
      "creators": ["Organization: Anchore, Inc", "Tool: syft-v0.60.3"],
      "licenseListVersion": "3.18"
    },
    "dataLicense": "CC0-1.0",
    "documentNamespace": "https://anchore.com/syft/dir/run/src/core/sbom-cba61a72-fa95-4b60-b63f-03169eac25ca",
