Generate or display SBOM of an image
| Name | Type | Default | Description |
|---|---|---|---|
--format |
string |
json |
Output format: - list: list of packages of the image - json: json representation of the SBOM |
--only-package-type |
stringSlice |
Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) Can only be used with --format list |
|
-o, --output |
string |
Write the report to a file. | |
--platform |
string |
Platform of image to analyze | |
--ref |
string |
Reference to use if the provided tarball contains multiple references. Can only be used with --type archive. |
|
--type |
string |
image |
Type of the image to analyze. Can be one of: - image - oci-dir - archive (docker save tarball) |
The docker scout sbom command analyzes a software artifact to generate the corresponding Software Bill Of Materials (SBOM).
The SBOM can be used to list all packages, or the ones from a specific type (as dep, maven, etc).
If no image is specified, the most recently built image will be used.
The following artifact types are supported:
- Images
- OCI layout directories
- Tarball archives, as created by
docker save
The tool analyzes the provided software artifact, and generates a vulnerability report.
By default, the tool expects an image reference, such as:
rediscurlimages/curl:7.87.0mcr.microsoft.com/dotnet/runtime:7.0
If the artifact you want to analyze is an OCI directory or a tarball archive, you must use the --type flag.
$ docker scout sbom --format list alpine $ docker scout sbom --format list --only-package-type apk alpine$ docker scout sbom alpine$ docker scout sbom$ docker scout sbom --output alpine.sbom alpine