BlogCI/CD
Generate an SBOM for any container image with Syft
Produce a complete software bill of materials in SPDX or CycloneDX and feed it to Grype for fast CVE triage.
You cannot secure what you cannot enumerate. A software bill of materials (SBOM) lists every package, library, and version inside an image. Syft generates one from any image or filesystem in seconds, and pairing it with Grype turns 'are we affected by X?' into a query instead of an investigation.
syft acme/api:1.4NAME VERSION TYPEopenssl 3.1.4-r5 apkexpress 4.19.2 npmcataloged 214 packages across 3 ecosystemsEmit a standard format
Use SPDX or CycloneDX so any downstream tool can consume it. Store the SBOM as a build artifact — ideally as a signed attestation on the image.
bash
syft acme/api:1.4 -o spdx-json > sbom.spdx.jsonsyft acme/api:1.4 -o cyclonedx-json > sbom.cdx.json
Triage against it fast
grype sbom:sbom.cdx.json --fail-on highopenssl 3.1.4-r5 CVE-2024-6119 (High) fixed in 3.1.4-r6scanning the SBOM is faster than re-pulling the imageKeep every SBOM
Archive one SBOM per build. The next critical CVE becomes: grep your SBOM store for the package — minutes across your whole fleet.