
Supply Chain

Supply chain chapter

A container image is made from many pieces: a base OS layer, a language runtime, libraries pulled from package registries, and your application code. Each of those pieces came from somewhere, and any of them could carry a vulnerability or be substituted by an attacker who compromises a package source. That collection of sources and dependencies is called the software supply chain.

What an SBOM is

SBOM stands for Software Bill of Materials. It is a machine-readable inventory of every package, library, and component present in a piece of software, with the version of each and, where the generator can determine it, its origin (the distribution, package manager, or registry it was installed from). An SBOM describes one specific artifact, such as one image at one digest, as it was at the moment the SBOM was generated.

Think of it like a nutritional label on food packaging. The label does not tell you whether the food is good or bad for you today. It tells you exactly what is in it so you can make that judgement, and so you can come back later when a new study (or a new CVE) changes the picture.

An SBOM attached to a container image means you do not have to re-scan the running image to find out whether a newly published CVE affects you. You scan the SBOM file instead. Two caveats: the SBOM must have been generated from the exact image digest you are running, because an SBOM from a different build answers a different question; and it can only list what the generator recognised, so a binary copied into the image outside any package manager may be missing from it.

Why it matters

Without an SBOM, answering "are we affected by this CVE?" means pulling and scanning every image version you have deployed. With an SBOM stored next to the image digest, you query the file. This becomes important when a high-profile CVE drops and you need to answer quickly across dozens of services.

Some customers, regulators, and procurement processes now ask for SBOMs as part of a security attestation.

Syft and Grype

Syft is an open source tool from Anchore that reads a container image and outputs an SBOM in standard formats such as SPDX or CycloneDX. Grype is a companion tool that takes that SBOM and matches its packages against vulnerability databases, which it downloads and keeps up to date locally. The two tools are often run together: Syft generates, Grype scans. Grype can also scan an image directly, but scanning the stored SBOM is what makes later re-checks cheap, because you match the same file against a newer database instead of pulling the image again. The lab in this section runs both on a public image so that you see the full workflow end to end.

```mermaid
flowchart LR
    IMG["Container Image"] --> SYF["Syft"]
    SYF --> SBOM["SBOM file (SPDX JSON)"]
    SBOM --> GRP["Grype"]
    DB[("CVE Database")] --> GRP
    GRP --> RPT["CVE Report"]
```
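The "query the file" step described above, and the matching step that Grype performs, in miniature. This is an added example, not code from the book or from Syft or Grype. The SBOM it reads is a constructed, minimal SPDX JSON document with the fields Syft populates when run as `syft <image> -o spdx-json`; the advisories are constructed placeholders, not real CVEs; and the version ordering is a deliberate simplification, noted in the code, of the per-ecosystem comparators a real scanner uses.

```python
"""Answer "are we affected?" from an SBOM file instead of re-scanning an image.

Added example, not from the book or from Syft/Grype. SBOM_JSON is a constructed
SPDX JSON document shaped like `syft <image> -o spdx-json` output; ADVISORIES
are constructed placeholders, not real CVE IDs.
"""
import json
import re

# Constructed SPDX JSON: three packages as Syft would list them, each carrying a
# purl (package URL) external reference that encodes ecosystem, name and version.
SBOM_JSON = r'''
{
  "spdxVersion": "SPDX-2.3",
  "name": "example.registry/app:1.0",
  "packages": [
    {"name": "openssl", "versionInfo": "3.0.2-0ubuntu1.10",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.10?arch=amd64"}]},
    {"name": "zlib1g", "versionInfo": "1.2.11.dfsg-2ubuntu9",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:deb/ubuntu/zlib1g@1.2.11.dfsg-2ubuntu9?arch=amd64"}]},
    {"name": "requests", "versionInfo": "2.28.1",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/requests@2.28.1"}]}
  ]
}
'''

# Constructed advisories (placeholder IDs): ecosystem is the purl type, and
# "fixed" is the first version that is no longer affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-1", "ecosystem": "pypi", "package": "requests", "fixed": "2.31.0"},
    {"id": "EXAMPLE-ADVISORY-2", "ecosystem": "deb", "package": "openssl", "fixed": "3.0.2-0ubuntu1.12"},
    {"id": "EXAMPLE-ADVISORY-3", "ecosystem": "deb", "package": "zlib1g", "fixed": "1.2.11.dfsg-2ubuntu9"},
]

# pkg:<type>/[<namespace>/]<name>@<version>[?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:([^/]+)/(?:(.+)/)?([^@/?#]+)@([^?#]+)")


def parse_purl(locator):
    """Split a purl into (type, namespace, name, version); None if malformed."""
    m = PURL_RE.match(locator)
    return m.groups() if m else None


def load_packages(sbom_json):
    """Return [(purl_type, name, version, locator)] for every purl in the SBOM."""
    doc = json.loads(sbom_json)
    found = []
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") != "purl":
                continue
            parsed = parse_purl(ref["referenceLocator"])
            if parsed:
                ptype, _namespace, name, version = parsed
                found.append((ptype, name, version, ref["referenceLocator"]))
    return found


def version_key(version):
    """Simplified ordering: the integer runs in the string, left to right.

    Real scanners use per-ecosystem comparators (dpkg, rpm, PEP 440, semver).
    This is enough for the constructed data here and wrong for epochs ("1:"),
    tildes and pre-release tags; do not reuse it against real advisories.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def affected_packages(sbom_json, advisories):
    """Return {advisory_id: [purl, ...]} for packages below the fixed version."""
    hits = {}
    for ptype, name, version, locator in load_packages(sbom_json):
        for adv in advisories:
            if (adv["ecosystem"] == ptype and adv["package"] == name
                    and version_key(version) < version_key(adv["fixed"])):
                hits.setdefault(adv["id"], []).append(locator)
    return hits


if __name__ == "__main__":
    for adv_id, purls in affected_packages(SBOM_JSON, ADVISORIES).items():
        print(adv_id, "->", ", ".join(purls))
```

The zlib1g entry is there to show the boundary: its version equals the fixed version, so it is not reported, while openssl and requests sit below their fixed versions and are. Everything the matcher needs comes from the purl, which is why an SBOM without purls (or from a generator that could not identify a component) silently produces no hit for it; that gap is the reason to check SBOM completeness, not just scan results.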