Now you can generate the SBOM for a Docker image by passing its tag to the command:

```
$ docker sbom nginx:latest
```

The CLI will pull the specified image if it doesn't already exist on your system. The image's content is then indexed and a package list is displayed in your terminal.

Under the hood, Docker uses the popular Syft SBOM generator to scan and index the image. The active Syft version is shown each time you use the command. Its output matches what a standalone Syft installation would produce.

Syft is capable of identifying operating system packages and programming language dependencies. The type of each detected package is displayed in the command's output, next to its name and precise version. You can use this information to accurately audit your container images and discover the software they rely on. When a major vulnerability is reported, you can consult the image's SBOM to quickly check whether you're affected.

Output is displayed as a human-readable table by default. This is ideal for distribution alongside your image or as part of your documentation. Several other formats are supported too, each of which can be activated using the --format flag:

- syft-json – Output a report in Syft's native JSON format.
- cyclonedx-xml / cyclonedx-json – Produce a CycloneDX standards-compatible report as XML or JSON.
- github-0-json – A GitHub-compatible report format.
- spdx-tag-value / spdx-json – Compatible with the SPDX standard for expressing SBOMs, which is defined by the Linux Foundation.

These are better choices when you want to consume SBOM data programmatically using third-party tools.

Scans usually look at everything in the image's filesystem. Sometimes you might want to exclude specific directories to stop some packages showing in the output. Pass a glob expression to the --exclude flag to filter out particular paths.
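As an added example (not part of the original post or of Docker's own tooling), here is the "am I affected?" check from above done programmatically against an SPDX-JSON report such as `docker sbom --format spdx-json nginx:latest` produces. It assumes the SPDX 2.x layout Syft emits (a `packages` array whose entries carry a `purl` in `externalRefs`); the SBOM content and the package versions are constructed sample data, not a real scan.

```python
"""Look up advisory packages in an SPDX-JSON SBOM written by `docker sbom --format spdx-json`."""
import json

# Constructed sample in the shape of an SPDX 2.3 report (trimmed to the fields used here).
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "nginx:latest",
    "packages": [
        {"name": "zlib1g", "versionInfo": "1:1.2.13.dfsg-1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/zlib1g@1:1.2.13.dfsg-1?arch=amd64"}]},
        {"name": "openssl", "versionInfo": "3.0.11-1~deb12u2",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/openssl@3.0.11-1~deb12u2"}]},
        {"name": "lodash", "versionInfo": "4.17.20",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
    ],
})


def purl_of(pkg):
    """Return the package URL recorded for an SPDX package entry, or None if absent."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return None


def packages(sbom_json):
    """Yield (ecosystem, name, version) for every package in an SPDX-JSON SBOM.

    The ecosystem is the purl type ("deb", "npm", ...), which tells OS packages
    apart from language dependencies that may share a name.
    """
    for pkg in json.loads(sbom_json).get("packages", []):
        purl = purl_of(pkg)
        eco = purl.split(":", 1)[1].split("/", 1)[0] if purl else "unknown"
        yield eco, pkg["name"], pkg.get("versionInfo", "")


def affected(sbom_json, ecosystem, name, vulnerable_versions):
    """Return the installed versions of `name` that match an advisory's version list.

    Versions are compared as exact strings; range semantics differ per ecosystem
    and belong in the advisory tooling, not here.
    """
    wanted = set(vulnerable_versions)
    return sorted(v for eco, n, v in packages(sbom_json)
                  if eco == ecosystem and n == name and v in wanted)
```

To use it on a real scan, read the file written by `docker sbom --format spdx-json --output sbom.json <image>` and pass its contents in place of `SAMPLE_SPDX`.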