{"id":4404,"date":"2026-06-23T17:13:33","date_gmt":"2026-06-23T17:13:33","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/23\/what-is-an-sbom-and-why-cant-you-ship-without-one\/"},"modified":"2026-06-23T17:13:33","modified_gmt":"2026-06-23T17:13:33","slug":"what-is-an-sbom-and-why-cant-you-ship-without-one","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/23\/what-is-an-sbom-and-why-cant-you-ship-without-one\/","title":{"rendered":"What is an SBOM (and Why Can\u2019t You Ship Without One)?"},"content":{"rendered":"<p>In <a href=\"https:\/\/www.docker.com\/resources\/software-supply-chain-security-report\/\" target=\"_blank\" rel=\"noreferrer noopener\">Omdia\u2019s 2026 software supply chain security report<\/a>, 73% of organizations that generate SBOMs say they enable more efficient vulnerability mitigation, yet 86% still find the generation process challenging. That gap between recognized value and operational difficulty is where most teams are stuck. 
For teams <a href=\"https:\/\/www.docker.com\/blog\/container-security-and-why-it-matters\/\" target=\"_blank\" rel=\"noreferrer noopener\">building and securing containerized applications<\/a>, understanding what an SBOM is, and how to make it useful, is no longer optional.<\/p>\n<p>This guide covers what SBOMs contain, why they matter for <a href=\"https:\/\/www.docker.com\/blog\/what-is-software-supply-chain-security\/\" target=\"_blank\" rel=\"noreferrer noopener\">software supply chain security<\/a>, how standard formats and tooling work, and where the industry is headed with regulations and enforcement.<\/p>\n<div class=\"wp-block-ponyo-zeta organism toc-exclude\">\n<blockquote class=\"container\">\n<h2 class=\"wp-block-ponyo-heading text-lg\">\n        Key takeaways<br \/>\n    <\/h2>\n<ul class=\"wp-block-list\">\n<li>An SBOM is a machine-readable inventory of every component inside a software artifact.<\/li>\n<li>SBOMs gain real value when paired with provenance attestations and cryptographic signatures.<\/li>\n<li>Generating SBOMs at image build time captures the full dependency tree, including OS packages.<\/li>\n<li>Regulatory mandates (EO 14028, CISA guidance, EU CRA) are making SBOMs a procurement baseline.<\/li>\n<\/ul>\n<\/blockquote>\n<\/div>\n<h2 class=\"wp-block-heading\">What is an SBOM?<\/h2>\n<p>Every software artifact ships with dependencies. A container image based on Alpine Linux might include dozens of system packages, each with its own version, license, and upstream maintainer. An application layer on top adds frameworks, libraries, and transitive dependencies that the developer may never have explicitly chosen. The deeper the stack, the harder it becomes to answer a basic question: what is actually running in production?<\/p>\n<p>A software bill of materials answers that question. It\u2019s a structured, machine-readable inventory of every component, library, and module inside a software artifact. 
Where a package manifest like <em>package.json<\/em> or <em>requirements.txt<\/em> lists declared dependencies, an SBOM captures the resolved dependency tree after the build, including transitive dependencies, system-level packages, and metadata about each component\u2019s origin, version, and license. Think of it as a nutrition label for software.<\/p>\n<div class=\"wp-block-ponyo-image\">\n                <img data-opt-id=607667339  fetchpriority=\"high\" decoding=\"async\" width=\"2320\" height=\"1218\" src=\"https:\/\/www.docker.com\/app\/uploads\/2026\/06\/docker_anatomy-of-an-sbom-2320x1218.jpg\" class=\"fade-in\" alt=\"docker anatomy of an sbom\" title=\"- docker anatomy of an sbom\" \/>\n        <\/div>\n<h2 class=\"wp-block-heading\">What an SBOM contains<\/h2>\n<p>A well-formed SBOM includes several categories of metadata for each component:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Component identity: <\/strong>Package name, version, and supplier (e.g., openssl 3.1.4, maintained by the OpenSSL Project)<\/li>\n<li><strong>Licensing: <\/strong>The license type governing redistribution and use (MIT, Apache 2.0, GPL)<\/li>\n<li><strong>Dependency relationships: <\/strong>How components depend on each other, including direct and transitive dependencies<\/li>\n<li><strong>Unique identifiers: <\/strong>Package URLs (purl) or SWID tags that enable cross-referencing against vulnerability databases<\/li>\n<li><strong>Checksums and digests: <\/strong>Cryptographic hashes that let consumers verify the component has not been tampered with<\/li>\n<\/ul>\n<p>This data is structured using open standards, primarily <a href=\"https:\/\/spdx.dev\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">SPDX<\/a> or <a href=\"https:\/\/cyclonedx.org\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CycloneDX<\/a>, to keep it machine-readable and interoperable across tools, registries, and compliance workflows. 
In practice, an SPDX SBOM entry for a single package looks like this:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: jscript; title: ; notranslate\">\n{\n  \"name\": \"openssl\",\n  \"SPDXID\": \"SPDXRef-Package-openssl\",\n  \"versionInfo\": \"3.1.4\",\n  \"supplier\": \"Organization: OpenSSL Project\",\n  \"licenseDeclared\": \"Apache-2.0\",\n  \"checksums\": [{ \"algorithm\": \"SHA256\", \"value\": \"a1b2c3...\" }]\n}\n<\/pre>\n<\/div>\n<p>A real SBOM contains one entry like this for every component in the artifact, from the base image\u2019s OS packages up through the application\u2019s runtime dependencies.<\/p>\n<h2 class=\"wp-block-heading\">Why SBOMs matter for software supply chain security<\/h2>\n<p>The value of an SBOM becomes clear the moment something goes wrong. When the Log4Shell vulnerability was disclosed in December 2021, organizations with current SBOMs could query their inventories and identify every affected image within minutes. Teams without them spent days manually tracing dependencies across registries and deployment manifests.<\/p>\n<p><a href=\"https:\/\/www.sonatype.com\/state-of-the-software-supply-chain\/introduction\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Sonatype\u2019s research<\/a> found that nearly 65% of open source CVEs lack an NVD-assigned CVSS score, and when scored independently, 46% turned out to be high or critical. Without an SBOM, those unscored vulnerabilities are invisible.<\/p>\n<h3 class=\"wp-block-heading\">Faster incident response<\/h3>\n<p>When a new CVE drops, the first question is always <em>where are we exposed?<\/em> An SBOM makes that question answerable in seconds rather than days. Cross-reference the affected package and version against your SBOM library, and you have an immediate blast radius. 
Pair the SBOM with <a href=\"https:\/\/www.docker.com\/products\/docker-scout\/\" target=\"_blank\" rel=\"noreferrer noopener\">continuous vulnerability scanning<\/a> and the process becomes automated: new CVEs are matched against existing SBOMs, and affected images are flagged without manual intervention.<\/p>\n<p><strong><em>Customer spotlight: <\/em><\/strong><a href=\"https:\/\/www.docker.com\/customer-stories\/jwp\/\" target=\"_blank\" rel=\"noreferrer noopener\">JWP<\/a>, a video streaming platform serving more than 1 billion users, enabled vulnerability scanning across 400+ repositories in under an hour. With SBOMs feeding their scanning pipeline, the team fixed thousands of vulnerabilities while filtering out tens of thousands of non-critical issues, reducing noise and accelerating remediation.<\/p>\n<h3 class=\"wp-block-heading\">Regulatory compliance<\/h3>\n<p>SBOMs are moving from best practice to legal requirements. In the United States, <a href=\"https:\/\/www.nist.gov\/itl\/executive-order-14028-improving-nations-cybersecurity\/software-supply-chain-security-guidance-20\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Executive Order 14028<\/a> helped set SBOM requirements in motion for software sold to federal agencies. CISA\u2019s <a href=\"https:\/\/www.cisa.gov\/resources-tools\/resources\/2025-minimum-elements-software-bill-materials-sbom\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">2025 Minimum Elements guidance<\/a> aims to clarify what a useful SBOM should include. The EU\u2019s Cyber Resilience Act (EU CRA) extends similar requirements to products sold in the European market. For organizations operating in regulated industries such as finance, healthcare, defense, and critical infrastructure, SBOM delivery is becoming a procurement gate.<\/p>\n<h3 class=\"wp-block-heading\">Proactive verification, not reactive trust<\/h3>\n<p>SBOMs shift the security model from assuming software is safe to verifying that it is. 
Rather than trusting that a base image is clean because the registry says so, teams can inspect the SBOM to confirm which packages are present, which versions are running, and whether any known vulnerabilities apply.<\/p>\n<p>In practice, that means writing policies against SBOM data: no image ships if it contains a package from an unapproved supplier, no end-of-life component persists past a defined grace period, no image deploys without a matching SBOM attestation. These checks can run automatically in CI, turning the SBOM from a passive document into an active gate.<\/p>\n<p>When combined with provenance attestations and cryptographic signatures, the SBOM becomes one layer in a verifiable chain of custody from source to deployment. You\u2019re no longer taking the registry\u2019s word for it. You\u2019re cryptographically verifying it.<\/p>\n<h2 class=\"wp-block-heading\">SBOM formats and standards<\/h2>\n<p>For an SBOM to be useful across teams, tools, and organizations, it needs a shared language. Two open standards dominate the landscape, each designed for a different primary use case.<\/p>\n<h3 class=\"wp-block-heading\">SPDX (Software Package Data Exchange)<\/h3>\n<p>Developed by the Linux Foundation (ISO\/IEC 5962:2021), SPDX is the most widely adopted format for license compliance and open source auditing. It is also the format used by <a href=\"https:\/\/docs.docker.com\/build\/metadata\/attestations\/sbom\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">BuildKit\u2019s built-in SBOM generator<\/a>, which attaches an SPDX document as an attestation to the container image during the build.<\/p>\n<h3 class=\"wp-block-heading\">CycloneDX<\/h3>\n<p>Developed by the OWASP Foundation, CycloneDX is optimized for security workflows and DevSecOps pipelines. 
It includes fields for vulnerability metadata and dependency graphs, and integrates well with tools like OWASP Dependency-Track.<\/p>\n<h3 class=\"wp-block-heading\">SBOM Formats at a Glance<\/h3>\n<div class=\"wp-block-ponyo-table\" data-highlighted-columns=\"null\" data-highlighted-rows=\"null\">\n<table class=\"responsive-table\">\n<tbody class=\"wp-block-ponyo-table-body\" data-highlighted-columns=\"[]\" data-highlighted-rows=\"[0]\">\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell empty\">\n<\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>SPDX<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>CycloneDX<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Primary focus<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    
<span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>License compliance, open source auditing<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Security, vulnerability management<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Governed by<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Linux Foundation (ISO\/IEC 5962:2021)<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span 
class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>OWASP Foundation<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Format types<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>JSON, YAML, tag-value, RDF\/XML<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>JSON, XML, Protocol Buffers<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    
<span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Best for<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Compliance, due diligence, audits<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>DevSecOps pipelines, CI\/CD integration<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Container ecosystem support<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Native in BuildKit 
attestations<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Also produced by tools like Syft and Trivy<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>If you\u2019re building container images, start with SPDX. It\u2019s the format BuildKit generates natively, so you get an SBOM as a build output with zero additional tooling. Your downstream scanning tools may prefer CycloneDX, and that\u2019s fine. The two formats are interoperable, and converters exist for moving between them. Let the build produce SPDX; let consumption tools handle conversion if they need it.<\/p>\n<div class=\"style-plain wp-block-ponyo-houston\">\n<div class=\"wp-block-ponyo-icon\">\n<\/div>\n<p><strong>SWID (Software Identification Tags)<\/strong>, a third format governed by ISO\/IEC 19770-2, is primarily used for IT asset management in enterprise and government procurement. But it has largely lost traction in cloud-native and container workflows.<\/p>\n<\/div>\n<h2 class=\"wp-block-heading\">How SBOMs fit into container workflows<\/h2>\n<p>In traditional software development, SBOMs are often generated after the fact, bolted on as a compliance artifact during release. 
Container workflows offer a better approach: generating the SBOM at build time, as a native output of the image build process.<\/p>\n<div class=\"wp-block-ponyo-image\">\n                <img data-opt-id=423954649  fetchpriority=\"high\" decoding=\"async\" width=\"2320\" height=\"1218\" src=\"https:\/\/www.docker.com\/app\/uploads\/2026\/06\/docker_sbom-lifecycle-in-a-container-pipeline-2320x1218.jpg\" class=\"fade-in\" alt=\"SBOMs are generated at build time and consumed continuously through deployment and monitoring.\" title=\"- docker sbom lifecycle in a container pipeline\" \/>\n        <\/div>\n<h3 class=\"wp-block-heading\">Build-time generation<\/h3>\n<p>When you build a container image with BuildKit, the builder scans the final image filesystem and produces an SBOM that reflects what actually shipped, not just what was declared in the Dockerfile. Because it captures the resolved state after all build stages complete, it includes OS-level packages, application-level dependencies, and any files copied from external sources.<\/p>\n<p>Source-level SBOMs, generated from manifest files before the build, frequently miss transitive dependencies and system packages. An image-layer SBOM reflects reality.<\/p>\n<h3 class=\"wp-block-heading\">Attestation and provenance<\/h3>\n<p>An SBOM tells you what\u2019s in an image. <a href=\"https:\/\/docs.docker.com\/build\/metadata\/attestations\/slsa-provenance\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Provenance attestations<\/a> tell you how it was built: which builder, which source commit, which build platform. Together, they form a verifiable chain of evidence that auditors and policy engines can evaluate programmatically. This is the model described by <a href=\"https:\/\/slsa.dev\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">SLSA (Supply-chain Levels for Software Artifacts)<\/a>, where Build Level 3 requires hardened build platforms with non-falsifiable provenance. 
SLSA is the specification; <a href=\"https:\/\/in-toto.io\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">in-toto<\/a> is the attestation format it uses.<\/p>\n<p>The SBOM itself is attached to the image as an in-toto attestation using the SPDX predicate format. Provenance is attached the same way, so both travel with the image as verifiable, machine-readable metadata.<\/p>\n<h3 class=\"wp-block-heading\">Registry storage<\/h3>\n<p>Once the image and its attestations are built, they need to live somewhere consumers can access them. Pushing the image to an OCI-compliant registry keeps the SBOM co-located with the artifact it describes. This matters because an SBOM that lives in a separate system, a shared drive, a compliance portal, or a CI artifact bucket, will eventually drift out of sync with the image it was generated from. Co-location eliminates that gap: pull the image, and you pull its SBOM and provenance with it.<\/p>\n<h3 class=\"wp-block-heading\">Continuous scanning<\/h3>\n<p>With SBOMs attached to images and stored in a registry, they become inputs for continuous vulnerability monitoring. New CVEs are matched against the components listed in the SBOM without re-analyzing the image itself. Instead of re-scanning every image when a new vulnerability is disclosed, the scanner cross-references the SBOM inventory and flags affected images immediately.<\/p>\n<h3 class=\"wp-block-heading\">Policy enforcement<\/h3>\n<p>Scanning identifies risk. Enforcement acts on it. Policy engines can consume SBOM data to gate deployments based on rules the team defines: no image ships if it contains a package from an unapproved supplier, no end-of-life component persists past a defined grace period, no image deploys without a matching SBOM attestation.<\/p>\n<p>These checks run automatically in CI, turning the SBOM from a passive document into an active gate. You\u2019re no longer relying on manual review to catch a problematic dependency. 
The pipeline catches it before the image reaches production.<\/p>\n<h2 class=\"wp-block-heading\">SBOM maturity: Where does your organization stand?<\/h2>\n<p>SBOM adoption isn\u2019t binary. Most organizations fall somewhere on a spectrum from ad hoc to fully scaled. The following maturity model helps teams assess where they are and what to prioritize next.<\/p>\n<div class=\"wp-block-ponyo-table\" data-highlighted-columns=\"null\" data-highlighted-rows=\"null\">\n<table class=\"responsive-table\">\n<tbody class=\"wp-block-ponyo-table-body\" data-highlighted-columns=\"[]\" data-highlighted-rows=\"[0]\">\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Level<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Generation<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Storage<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            
<\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Scanning<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Governance<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Ad hoc<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Manual, on request<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span 
class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Local files or shared drives<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Occasional, tool-dependent<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>No formal policy<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Pilot<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span 
class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Automated for 1\u20132 apps or services<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Alongside build artifacts<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Integrated into CI for pilot apps<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Basic policy drafted<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Production<\/strong><\/span><\/p>\n<p>               
     <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Automated for all new images<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Attached to images in OCI registries<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Continuous, with alerting<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Policies enforced in pipelines<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<tr class=\"wp-block-ponyo-table-row\">\n<td class=\"wp-block-ponyo-cell\">\n           
         <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span><strong>Scaled<\/strong><\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>All images, including third-party ingestion<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Centralized SBOM management platform<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                                    <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Continuous with policy gating<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<td class=\"wp-block-ponyo-cell\">\n                    <span class=\"responsive-table-label\"><\/span>\n<p>                    <span class=\"responsive-table-value\"><br \/>\n                                       
             <span class=\"responsive-table-value-content\"><\/span><\/span><\/p>\n<p><span>Cross-org governance, audit trails, supplier requirements<\/span><\/p>\n<p>                    <br \/>\n                                            \n            <\/p><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>Omdia\u2019s 2026 software supply chain security survey found that more than half of the organizations generating SBOMs only generate them on a case-by-case basis.<\/p>\n<h2 class=\"wp-block-heading\">Common misconceptions about SBOMs<\/h2>\n<h3 class=\"wp-block-heading\">SBOMs are just a compliance checkbox<\/h3>\n<p>Teams that generate SBOMs solely to satisfy a procurement requirement are missing the operational value. SBOMs are most useful as a live data source for vulnerability management, incident response, and dependency tracking. A one-time SBOM generated for an audit and then filed away provides a false sense of coverage.<\/p>\n<h3 class=\"wp-block-heading\">They\u2019re the same as SCA<\/h3>\n<p>Software composition analysis (SCA) tools scan code or images for known vulnerabilities; an SBOM is the inventory those scans run against. The two work together: the SBOM records what is present, and the SCA tool matches that inventory (often one it generates itself) against vulnerability databases. The distinction matters because a scan is only as good as the inventory behind it: a package the inventory misses is a CVE the scan never reports.<\/p>\n<h3 class=\"wp-block-heading\">SBOMs are a one-time artifact<\/h3>\n<p>An SBOM is tied to a specific image digest. Every time you rebuild an image, the SBOM should be regenerated to reflect any dependency changes. Stale SBOMs create a gap between what you think is running and what\u2019s actually deployed. Automated build-time generation eliminates this drift.<\/p>\n<h3 class=\"wp-block-heading\">SBOMs replace runtime security<\/h3>\n<p>SBOMs tell you what shipped. They do not tell you what\u2019s happening at runtime. 
An SBOM will not catch a zero-day that hasn\u2019t been disclosed yet, detect anomalous process behavior inside a running container, or verify that the application logic is correct. SBOMs are one layer in a defense-in-depth model: they handle inventory and composition. Runtime monitoring, network policies, and access controls handle the rest.<\/p>\n<h3 class=\"wp-block-heading\">What can go wrong without SBOMs<\/h3>\n<p>Suppose a critical vulnerability is disclosed in a widely used library. Without SBOMs, the security team starts a manual triage: checking Dockerfiles, querying registries, asking developers which versions they use. Hours pass. Some images are missed because the affected package is a transitive dependency three levels deep. By the time the blast radius is mapped, the vulnerability has been public for two days.<\/p>\n<p>With SBOMs attached to every image, the same triage takes minutes. Query the SBOM store for the affected package and version range, get a list of every image digest that includes it, and prioritize remediation based on deployment context. Key that query on image digests rather than tags: tags move, while an SBOM describes exactly one image manifest.<\/p>\n<h2 class=\"wp-block-heading\">Getting started with SBOMs<\/h2>\n<p>The most common mistake teams make is treating SBOM adoption as a large-scale transformation project that will derail workflows. It doesn\u2019t need to be.<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Start with one image. <\/strong>Pick a production image and enable SBOM generation on the next build. 
With BuildKit, that is a single flag:<\/li>\n<\/ul>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: bash; title: ; notranslate\">docker buildx build --attest type=sbom --tag myapp:latest .<\/pre>\n<\/div>\n<p>Attestations are stored alongside the image manifest, so push the build to a registry or enable the containerd image store; the classic Docker image store cannot keep attestation manifests. Review the output. This single step often reveals transitive dependencies and OS packages you did not know were in the image.<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Automate generation in CI. <\/strong>Extend the flag to your CI pipeline so every image build produces an SBOM automatically.<\/li>\n<li><strong>Store SBOMs alongside images. <\/strong>Attach SBOMs as attestations in your OCI registry so the SBOM stays co-located with the artifact it describes.<\/li>\n<li><strong>Connect to monitoring. <\/strong>Feed SBOMs into a <a href=\"https:\/\/www.docker.com\/products\/docker-scout\/\" target=\"_blank\" rel=\"noreferrer noopener\">vulnerability monitoring tool<\/a> that can continuously match components against new CVEs. This closes the loop between inventory and action.<\/li>\n<li><strong>Set policies. <\/strong>Define what is acceptable: maximum CVE age, required minimum SBOM completeness, blocked licenses. 
Enforce these policies in the pipeline so non-compliant images are flagged before deployment.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">Build with visibility, ship with confidence<\/h2>\n<p>SBOMs are the foundation of software supply chain security. They turn opaque software artifacts into transparent, auditable inventories that security teams, compliance officers, and developers can all use. But an SBOM alone is not enough. The real value comes when SBOMs are generated at build time, paired with provenance attestations, and continuously monitored against emerging threats.<\/p>\n<p>Docker makes this workflow native. <a href=\"https:\/\/www.docker.com\/products\/hardened-images\/\" target=\"_blank\" rel=\"noreferrer noopener\">Docker Hardened Images<\/a> ship with complete SBOMs, SLSA Build Level 3 provenance, OpenVEX exploitability data, and cryptographic signatures on every image. Meanwhile, <a href=\"https:\/\/www.docker.com\/products\/docker-scout\/\" target=\"_blank\" rel=\"noreferrer noopener\">Docker Scout<\/a> provides continuous vulnerability monitoring powered by the SBOM data attached to your images, surfacing actionable insights across your entire image portfolio. Together, they give teams a verifiable chain of custody from source to production, with no manual assembly required.<\/p>\n<h2 class=\"wp-block-heading\">Frequently asked questions<\/h2>\n<div class=\"wp-block-ponyo-dominique organism\">\n<div class=\"container faq-list\">\n<div class=\" fade-in wp-block-ponyo-frank\">\n<h3 class=\"frank-heading\">\n        What does SBOM stand for?<br \/>\n        <span class=\"closed\"><br \/>\n<\/span><br \/>\n        <span class=\"open\"><br \/>\n<\/span><br \/>\n    <\/h3>\n<div class=\"content-outer\">\n<div class=\"content-inner\">\n<p>SBOM stands for software bill of materials. 
It\u2019s a structured inventory of every component, dependency, and metadata element inside a software artifact, formatted in a machine-readable standard like SPDX or CycloneDX.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\" fade-in wp-block-ponyo-frank\">\n<h3 class=\"frank-heading\">\n        Are SBOMs required by law?<br \/>\n        <span class=\"closed\"><br \/>\n<\/span><br \/>\n        <span class=\"open\"><br \/>\n<\/span><br \/>\n    <\/h3>\n<div class=\"content-outer\">\n<div class=\"content-inner\">\n<p>In the United States, Executive Order 14028 requires SBOMs for software sold to federal agencies. CISA\u2019s 2025 draft guidance proposes an updated set of minimum elements. The EU Cyber Resilience Act extends similar requirements to products sold in the European market. For organizations in regulated industries, SBOMs are increasingly a procurement prerequisite rather than a voluntary practice.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\" fade-in wp-block-ponyo-frank\">\n<h3 class=\"frank-heading\">\n        What is the difference between an SBOM and a package manifest?<br \/>\n        <span class=\"closed\"><br \/>\n<\/span><br \/>\n        <span class=\"open\"><br \/>\n<\/span><br \/>\n    <\/h3>\n<div class=\"content-outer\">\n<div class=\"content-inner\">\n<p>A package manifest (package.json, requirements.txt, go.mod) lists the dependencies a developer declared. An SBOM captures the fully resolved dependency tree after the build, including transitive dependencies, system-level packages, and metadata like licenses and checksums. 
The manifest is an input to the build; the SBOM is an output that reflects what was actually shipped.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\" fade-in wp-block-ponyo-frank\">\n<h3 class=\"frank-heading\">\n        How often should an SBOM be updated?<br \/>\n        <span class=\"closed\"><br \/>\n<\/span><br \/>\n        <span class=\"open\"><br \/>\n<\/span><br \/>\n    <\/h3>\n<div class=\"content-outer\">\n<div class=\"content-inner\">\n<p>An SBOM should be regenerated every time the associated artifact is rebuilt. For container images, this means generating a new SBOM with each image build. Between rebuilds, the existing SBOM remains valid for the specific image digest it describes, but new CVEs may be discovered against the components it lists. Continuous monitoring against the stored SBOM catches these without requiring a rebuild.<\/p>\n<\/div>\n<\/div>\n<\/div><\/div>\n<\/div>\n<h3 class=\"wp-block-heading\">Source<\/h3>\n<p>Omdia, <em>Securing the Software Supply Chain: Strategic Approaches to Support Scaling Development with AI Adoption<\/em>, May 2026.<\/p>","protected":false},"excerpt":{"rendered":"<p>In Omdia\u2019s 2026 software supply chain security report, 73% of organizations that generate SBOMs say they enable more efficient vulnerability 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4405,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[],"class_list":["post-4404","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-docker"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4404","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=4404"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4404\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/4405"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=4404"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=4404"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=4404"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
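The disclosure-day triage query described under "What can go wrong without SBOMs" and the policy gate from the "Set policies" step of "Getting started with SBOMs", as one added example. This is not the post's or Docker's own code. It assumes SPDX 2.3 JSON documents (the format BuildKit's SBOM attestation carries), one per image and keyed by the image's manifest digest, with each package entry carrying name, versionInfo, a purl in externalRefs and licenseDeclared. The three SBOM documents, image references, digests, package versions, the libcurl version range and the blocked-license list are constructed for illustration and are not taken from any real advisory or policy.

```python
"""Added example (not the post's or Docker's own code): the disclosure-day triage
query and the policy gate over SPDX-style SBOMs. Assumed, not from the post: one
SPDX 2.3 JSON document per image keyed by manifest digest, with name, versionInfo,
a purl in externalRefs and licenseDeclared per package. All data is constructed."""
import json
import re

def _pkg(name, version=None, purl=None, license_expr="NOASSERTION"):
    """One SPDX package entry (constructed test data)."""
    pkg = {"name": name, "SPDXID": f"SPDXRef-Package-{name}",
           "licenseDeclared": license_expr}
    if version is not None:
        pkg["versionInfo"] = version
    if purl is not None:
        pkg["externalRefs"] = [{"referenceCategory": "PACKAGE-MANAGER",
                                "referenceType": "purl", "referenceLocator": purl}]
    return pkg

def _spdx(image, *packages):
    return json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
                       "name": image, "packages": list(packages)})

# Constructed SBOMs for three images; "legacy" carries an incomplete GPL entry.
SBOM_DOCS = {
    "sha256:" + "a1" * 32: _spdx("registry.example/api:1.4.0",
        _pkg("libcurl", "8.4.0", "pkg:apk/alpine/libcurl@8.4.0", "curl")),
    "sha256:" + "b2" * 32: _spdx("registry.example/worker:2.0.1",
        _pkg("libcurl", "8.6.0", "pkg:apk/alpine/libcurl@8.6.0", "curl")),
    "sha256:" + "c3" * 32: _spdx("registry.example/legacy:0.9",
        _pkg("libcurl", "7.88.1", "pkg:deb/debian/libcurl4@7.88.1", "curl"),
        _pkg("somelib", license_expr="GPL-3.0-only")),  # no version, no purl
}
BLOCKED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}  # assumed policy
REQUIRED_FIELDS = ("name", "versionInfo", "purl")      # assumed completeness floor

def load_sboms(docs):
    """Parse {digest: json_text}; the digest, not the tag, is the stable key."""
    return {digest: json.loads(raw) for digest, raw in docs.items()}

def _purl(pkg):
    refs = [r for r in pkg.get("externalRefs", []) if r.get("referenceType") == "purl"]
    return refs[0].get("referenceLocator") if refs else None

def _vkey(version):
    """'8.4.0' -> (8, 4, 0), leading digits only; a real gate should use the ecosystem's own ordering."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def _in_range(version, lo, hi):
    """lo <= version < hi, zero-padded so '1.3' compares equal to '1.3.0'."""
    keys = [_vkey(v) for v in (version, lo, hi)]
    width = max(map(len, keys))
    v, lo_k, hi_k = (k + (0,) * (width - len(k)) for k in keys)
    return lo_k <= v < hi_k

def find_affected(index, package, lo, hi):
    """Triage query: every image whose SBOM lists `package` at a version in
    [lo, hi). Returns sorted (image, digest, version, purl) tuples."""
    hits = []
    for digest, doc in index.items():
        for pkg in doc.get("packages", []):
            ver = pkg.get("versionInfo")
            if pkg.get("name") == package and ver and _in_range(ver, lo, hi):
                hits.append((doc["name"], digest, ver, _purl(pkg)))
    return sorted(hits)

def _license_ids(expr):
    """Identifiers in an SPDX license expression; operators and NOASSERTION dropped."""
    if not expr or expr in ("NOASSERTION", "NONE"):
        return set()
    return {t for t in re.findall(r"[A-Za-z0-9.+\-]+", expr) if t not in ("AND", "OR", "WITH")}

def evaluate_policy(doc, blocked=BLOCKED_LICENSES, required=REQUIRED_FIELDS):
    """Violation strings for one SBOM; an empty list means the image may ship."""
    violations = []
    for pkg in doc.get("packages", []):
        fields = dict(pkg, purl=_purl(pkg))
        label = fields["purl"] or fields.get("name", "<unnamed>")
        missing = [f for f in required if not fields.get(f)]
        if missing:
            violations.append(f"{label}: incomplete entry, missing {missing}")
        for lic in sorted(_license_ids(pkg.get("licenseDeclared")) & blocked):
            violations.append(f"{label}: blocked license {lic}")
    return violations

def gate(index, blocked=BLOCKED_LICENSES):
    """digest -> violations; a CI step fails the build on any non-empty list."""
    return {d: evaluate_policy(doc, blocked) for d, doc in index.items()}

if __name__ == "__main__":
    idx = load_sboms(SBOM_DOCS)
    for image, digest, ver, purl in find_affected(idx, "libcurl", "7.69.0", "8.5.0"):
        print(f"AFFECTED {image} {digest[:19]}... {purl}")
    for digest, issues in gate(idx).items():
        print(digest[:19], "FAIL" if issues else "PASS", *issues)
```

Running it reports the two images whose SBOMs list libcurl inside the assumed range (the deb package is found by name even though its purl differs from the apk one, which is why the hit includes the purl for the responder to act on) and fails only the "legacy" digest, for both an incomplete entry and a blocked license. On a real image built with the BuildKit flag above, `docker buildx imagetools inspect <ref> --format '{{ json .SBOM }}'` prints the attached attestation, with the SPDX document under its SPDX key; that output, rather than the constructed documents here, is what a production version of this check would load.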