
SBOM Basics (what and why)

Use SBOMs operationally: generate, store, diff, and query components to respond faster to CVEs and audits.


SBOM as an Operations Tool

  • SBOM is a component inventory for your artifact (image, binary, package).
  • Ops value: faster CVE response, compliance evidence, and dependency visibility.
  • Store SBOM per artifact digest, not per mutable tag.

Runbook: Generate, Store, Query

  1. Generate SBOM during build.
  2. Attach SBOM to the artifact (as OCI artifact/attestation or separate storage).
  3. Index by digest and environment (prod/staging).
  4. Query when a CVE drops: “which prod digests include package X?”
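Steps 3 and 4 as an added example (not code from the original page): an in-memory index keyed by (digest, environment) over constructed, syft-style SPDX JSON fragments with placeholder digests, answering "which prod digests include package X?" and optionally narrowing to known-affected versions.

```python
import json
from collections import defaultdict

# Constructed SPDX-JSON fragments shaped like syft's spdx-json output,
# reduced to the fields this query needs. Digests are placeholders.
SBOMS = {
    ("sha256:1111", "prod"): json.dumps({"packages": [
        {"name": "openssl", "versionInfo": "3.0.12"},
        {"name": "curl", "versionInfo": "8.5.0"}]}),
    ("sha256:2222", "prod"): json.dumps({"packages": [
        {"name": "libxml2", "versionInfo": "2.11.5"}]}),
    ("sha256:3333", "staging"): json.dumps({"packages": [
        {"name": "openssl", "versionInfo": "3.0.13"}]}),
}


def build_index(sboms):
    """Map package name -> {(digest, env): version}.

    Keys are immutable digests plus the environment the digest is deployed
    in, never a mutable tag, so the mapping stays valid after tags move.
    """
    index = defaultdict(dict)
    for (digest, env), doc in sboms.items():
        for pkg in json.loads(doc).get("packages", []):
            index[pkg["name"]][(digest, env)] = pkg.get("versionInfo", "")
    return index


def affected_digests(index, package, env=None, versions=None):
    """Answer "which <env> digests include <package>?".

    versions: optional set of known-affected versions to narrow the result.
    Returns sorted (digest, env, version) tuples.
    """
    hits = []
    for (digest, e), version in index.get(package, {}).items():
        if env is not None and e != env:
            continue
        if versions is not None and version not in versions:
            continue
        hits.append((digest, e, version))
    return sorted(hits)


if __name__ == "__main__":
    idx = build_index(SBOMS)
    print(affected_digests(idx, "openssl", env="prod"))
```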

Example Commands

# Generate SBOM (SPDX JSON) for an image
syft registry.example.com/app/api@sha256:DEADBEEF -o spdx-json > sbom.json

# Query: list packages quickly (human check)
jq -r '.packages[] | [.name,.versionInfo] | @tsv' sbom.json | head

Failure Modes

  • SBOM generated but not stored per digest: the SBOM-to-artifact mapping cannot be trusted later, because tags move while digests do not.
  • SBOM exists only for the latest tag: breaks incident response, since you cannot tell which digests actually running in prod contain the affected package.