How to create SBOMs for container images
The importance of software bills of materials (SBOMs) has grown substantially in recent years as organizations recognize the need for greater transparency in the software supply chain.
This focus on SBOMs is a response to increasing cybersecurity threats and legislative efforts to improve software security. With the rise of modern Kubernetes architectures, even the concept of Kubernetes Bill of Materials (KBOM) has emerged to address these concerns. Engineering teams keeping SBOMs on file will be able to react faster when a vulnerability is discovered.
This article will explore a specific side of SBOM for immutable artifacts: container images. I will go over how to create an OCI-compatible image and its associated SBOM seamlessly by using open-source software.
A quick overview of the tools
To begin, let’s introduce the open-source tools we will use.
Buildpacks is an open-source project that transforms your application’s source code into images that can run on any cloud platform. By scanning your application code, Buidpacks identifies what is needed and assembles all components into a container image. No Dockerfile is required.
You can build your Buildpacks images from scratch or use pre-assembled images. That’s what the Paketo open-source project provides: production-ready Buildpacks for the most popular languages and frameworks. Paketo Buildpacks builds images with best practices for the numerous stacks the community supports (Java, Go, Python, Ruby, .NET…) and always-up-to-date runtime and security patches.
How to easily create Docker images
Now let’s jump into the creation of a container image and its associated SBOM. You can do this tutorial with an existing Python (or any other supported language) app or use the example application below.
Clone this sample app:
git clone https://github.com/paketo-buildpacks/samples && cd samples/python/pipenv
Install pack CLI – the project supports Linux, macOS and Windows as well as a number of package managers:
brew install buildpacks/tap/pack
Then, from the sample app directory, use the pack CLI to build an app image named python-demo-app:
pack build python-demo-app --builder paketobuildpacks/builder:base
Watch your container image being automatically generated. While the first iteration of the pack build command may take a while on the first run because it needs to download the base Paketo Buildpacks image, later iterations will be much faster.
You can now run your application as you would usually do.
docker run -d -p 8080:8080 -e PORT=8080 python-demo-app
How to generate an SBOM of the Docker image
Now that you have generated your Docker image, let’s generate the SBOM with the following pack command:
pack sbom download my-python-app --output-dir sbom-folder/path
That’s it! This command will create the SBOM in SPDX, Syft, JSON, and CycloneDX formats in the specified directory. If you want to download the SBOM of an image in a remote registry without pulling the image, simply use the --remote flag.
Buidpacks allow you to choose your own or among a collection of pre-built builder images. You can get a list of suggested builder images by typing the command below in the root folder of your application.
pack builder suggest
For example, you might like to proceed with the paketobuildpacks/builder:tiny image, but for security reasons, you need to know more about how the image is built. You can get the info you need by running the following pack command:
pack builder inspect paketobuildpacks/builder:tiny
This command will return the version of the image, whether it is coming from a trusted builder, what associated Buildpacks are available (with version and code homepage), as well as the sequence in which Buildpacks are run to build the container image.
Conclusion
Creating container images and their associated SBOM is an essential aspect of modern software development for Kubernetes-based architecture. This makes it easier for developers to understand dependencies across complex projects and improves software supply chain transparency, addressing security concerns and compliance requirements.
SBOMs are becoming increasingly important; the US government recently released a U.S. Executive Order on Improving the Nation’s Cybersecurity which includes an SBOM requirement. While there are multiple ways of generating SBOMs of container images, I recommend using one that is straightforward and can be added as part of your CI/CD pipeline.