Mohammad-Ali A'RÂBI for Docker

Posted on • Originally published at dockersecurity.io

Generating SBOM with Docker Scout

Knowing what's inside your container is the first step to securing it. In the first commando mission, we dockerized a Java 26 project using Docker Init. Now that we have an image, it's time to see what's actually in it.

The Mission: Who Lives in Asgard?

Rothütle, the tactician of the Docker Commandos, asks Thor for a list of all Asgard residents. Why? Because you can't defend a city if you don't know who's inside. By getting this list, you can later cross-reference it with known threats and identify the shadows in disguise.

Rothütle asking for the SBOM

Technical Requirements

  • A recent version of Docker Desktop (which bundles the Docker Scout CLI), or
  • the Docker Scout CLI plugin installed separately.

To make sure you have the Docker Scout plugin, run:

docker scout --help

Generate the SBOM

We'll use docker scout sbom to peek inside our image. If you followed the previous post, you have an image built from your project. Let's assume you tagged it hello-wowlrd:latest.

docker scout sbom hello-wowlrd:latest --format list

The --format list flag gives you a clean table of all the packages, their versions, and types (e.g., deb, maven).

Exporting to Standard Formats

While a table is great for humans, tools prefer standard formats like SPDX or CycloneDX. Let's export our SBOM to a JSON file using the SPDX format:

docker scout sbom hello-wowlrd:latest --format spdx --output sbom.spdx.json

If you investigate the file, you will see a detailed inventory:

jq . sbom.spdx.json | less

This file contains every package, its version, and its license—perfect for compliance and automated scanning. You can check available formats by running docker scout sbom --help. Try exporting in CycloneDX format and compare it with the SPDX output!

Exercise: Comparing Base Images

One of the best ways to understand the value of an SBOM is to compare different base images. For example, let's look at the difference between a standard Node.js image and its Alpine counterpart:

docker scout sbom node:25 --format list

Versus:

docker scout sbom node:25-alpine --format list

You'll notice that the Alpine version is significantly smaller, with fewer packages. This is why "minimal base images" are a core tenet of container security—fewer residents mean fewer places for CVE monsters to hide.
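To turn the eyeball comparison above into something a pipeline can check, the following added example (not part of the original post or of Docker Scout) parses two SPDX JSON exports like the one produced by `docker scout sbom --format spdx`, counts packages by type and license, and lists what the slimmer image drops. The two SBOM documents are constructed stand-ins with only the SPDX 2.3 fields the script reads; point `compare_sboms` at the contents of real `sbom.spdx.json` files to compare your own images.

```python
import json
from collections import Counter


def _pkg(name, version, license_, purl):
    # One SPDX 2.3 package entry, reduced to the fields this script reads.
    return {"name": name, "versionInfo": version, "licenseDeclared": license_,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl", "referenceLocator": purl}]}


# Constructed stand-ins for two `docker scout sbom --format spdx` exports:
# a Debian-based image and its Alpine counterpart. Real exports list far more.
FULL_SBOM = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [
    _pkg("libc6", "2.36-9", "LGPL-2.1-or-later", "pkg:deb/debian/libc6@2.36-9"),
    _pkg("perl", "5.36.0", "Artistic-1.0-Perl", "pkg:deb/debian/perl@5.36.0"),
    _pkg("npm", "10.9.2", "Artistic-2.0", "pkg:npm/npm@10.9.2"),
]})
ALPINE_SBOM = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [
    _pkg("musl", "1.2.5-r0", "MIT", "pkg:apk/alpine/musl@1.2.5-r0"),
    _pkg("npm", "10.9.2", "Artistic-2.0", "pkg:npm/npm@10.9.2"),
]})


def load_packages(spdx_json: str) -> dict:
    """Index an SPDX JSON document's packages by purl (or name@version if none)."""
    index = {}
    for pkg in json.loads(spdx_json).get("packages", []):
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        key = purl or f"{pkg['name']}@{pkg.get('versionInfo', '')}"
        # The purl type (deb, apk, npm, maven, ...) is the "type" column of --format list.
        ptype = key.split("/", 1)[0].removeprefix("pkg:") if key.startswith("pkg:") else "unknown"
        index[key] = {"name": pkg["name"], "version": pkg.get("versionInfo", ""),
                      "license": pkg.get("licenseDeclared") or pkg.get("licenseConcluded") or "NOASSERTION",
                      "type": ptype}
    return index


def compare_sboms(base_json: str, minimal_json: str) -> dict:
    """Report what a slimmer image drops relative to a fuller one, plus type/license counts."""
    base, minimal = load_packages(base_json), load_packages(minimal_json)
    return {
        "base_count": len(base),
        "minimal_count": len(minimal),
        "only_in_base": sorted(set(base) - set(minimal)),
        "base_types": dict(Counter(p["type"] for p in base.values())),
        "base_licenses": dict(Counter(p["license"] for p in base.values())),
    }
```

Running `compare_sboms(FULL_SBOM, ALPINE_SBOM)` on the constructed data reports 3 packages versus 2, with the two Debian packages as the ones the Alpine variant does not carry.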

What's Next?

Now that we have our list of residents, the next mission is to find the monsters. In the next post, we'll use Docker Scout to scan for CVEs.

Want the full mission? Visit Docker Commandos or request a workshop.
