SBOM Support and Generation
Overview
The apko project can generate a Software Bill of Materials (SBOM) for each image it builds. Because apko assembles images from apk packages it resolves itself, the SBOM lists exactly the packages that went into the image, which is what makes it useful for vulnerability matching and provenance checks later. This page outlines the SBOM formats apko supports and how to generate them.
Supported SBOM Formats
The apko project currently supports the following SBOM formats:
- CycloneDX: https://cyclonedx.org/
- SPDX: https://spdx.org/
Generating SBOMs
To generate an SBOM for an image, pass the --sbom flag to the apko build command.
Example (CycloneDX):
apko build --sbom cyclone --output sbom.xml my-image.apko
This command builds the image my-image.apko and writes a CycloneDX SBOM in XML format to the file sbom.xml.
Example (SPDX):
apko build --sbom spdx --output sbom.json my-image.apko
This command builds the image my-image.apko and writes an SPDX SBOM in JSON format to the file sbom.json.
Options
--sbom: Specifies the format of the SBOM to generate. Valid values are cyclone and spdx.
--output: Specifies the output file for the generated SBOM.
Flag names have changed across apko releases (recent releases expose separate --sbom-formats and --sbom-path flags), so confirm the exact spelling with apko build --help for the version you are running. Keep the generated SBOM together with the digest of the image it describes; an SBOM that cannot be tied to a specific image digest is of little use when triaging a vulnerability report.
Further Information
For more information about SBOMs and the apko project, see the following resources:
- apko Documentation: https://github.com/chainguard-dev/apko/
- CycloneDX: https://cyclonedx.org/
- SPDX: https://spdx.org/