This repository contains the Dockerfile and scripts to build a container image that facilitates generating and uploading Software Bill of Materials (SBOM) to SBOM.sh utilizing various open-source SBOM tools such as Trivy, Grype, and Syft.
You can pull the ready-made container image from Docker Hub:
docker pull codenotary/sbom.sh- Generate SBOM for filesystems, container images, and local SBOM files.
- Upload SBOM to SBOM.sh and obtain a shareable URL.
- Optionally, trigger vulnerability scan and SBOM score calculation at SBOM.sh.
git clone https://github.com/your-username/sbom-sh-container.git
cd sbom-sh-container
docker build -t sbom.sh:latest .docker run -v $(pwd):/app -it sbom.sh:latest trivyfsdocker run -it sbom.sh:latest trivyimage [vulnscan] image-namedocker run -v $(pwd):/app -it sbom.sh:latest sendsbom sbom-file-name # SBOM file in the mapped app folder- Make sure to map your local directory to
/appin the container using the-vflag. - The
vulnscanflag is optional and is used to trigger a vulnerability scan and SBOM score calculation at SBOM.sh.
trivyfs: Scan the filesystem mapped to/appin the container using Trivy.trivyimage: Scan a specified container image using Trivy.grypefs: Scan the filesystem mapped to/appin the container using Grype.grypeimage: Scan a specified container image using Grype.syftfs: Scan the filesystem mapped to/appin the container using Syft.syftimage: Scan a specified container image using Syft.sendsbom: Send a local SBOM file to sbom.sh.
For each command, a URL to the generated SBOM on SBOM.sh is outputted to the terminal. If the vulnscan flag is specified (where applicable), additional vulnerability scanning and SBOM score calculation are triggered at sbom.sh.
Feel free to open issues or PRs if you have suggestions for improvements or additions to this container image.