This repository contains the Dockerfile and scripts to build a container image that facilitates generating and uploading Software Bill of Materials (SBOM) to SBOM.sh utilizing various open-source SBOM tools such as Trivy, Grype, and Syft.

You can pull the ready-made container image from Docker Hub:

docker pull codenotary/sbom.sh

• Generate SBOM for filesystems, container images, and local SBOM files.
• Upload SBOM to SBOM.sh and obtain a shareable URL.
• Optionally, trigger vulnerability scan and SBOM score calculation at SBOM.sh.

git clone https://github.com/your-username/sbom-sh-container.git
cd sbom-sh-container
docker build -t sbom.sh:latest .

docker run -v $(pwd):/app -it sbom.sh:latest trivyfs

docker run -it sbom.sh:latest trivyimage [vulnscan] image-name

docker run -v $(pwd):/app -it sbom.sh:latest sendsbom sbom-file-name # SBOM file in the mapped app folder

• Make sure to map your local directory to /app in the container using the -v flag.
• The vulnscan flag is optional and is used to trigger a vulnerability scan and SBOM score calculation at SBOM.sh.

• trivyfs: Scan the filesystem mapped to /app in the container using Trivy.
• trivyimage: Scan a specified container image using Trivy.
• grypefs: Scan the filesystem mapped to /app in the container using Grype.
• grypeimage: Scan a specified container image using Grype.
• syftfs: Scan the filesystem mapped to /app in the container using Syft.
• syftimage: Scan a specified container image using Syft.
• sendsbom: Send a local SBOM file to sbom.sh.

For each command, a URL to the generated SBOM on SBOM.sh is outputted to the terminal. If the vulnscan flag is specified (where applicable), additional vulnerability scanning and SBOM score calculation are triggered at sbom.sh.

• Trivy
• Grype
• Syft

Feel free to open issues or PRs if you have suggestions for improvements or additions to this container image.

Apache License 2.0