Lab: SBOM with Syft and Grype

Syft inventories the packages in a container image and produces a Software Bill of Materials (SBOM). Grype takes that SBOM and matches it against known CVEs. Together they give you a two-step workflow: inventory first, then scan. The install steps use the official Anchore install scripts and place the binaries in ~/.local/bin. For a permanent PATH, see Environment Setup; Step 1 only sets the path for the current shell.

Lab objective

  • Install Syft and Grype.
  • Generate an SBOM for alpine:3.20.
  • Run Grype on that SBOM to find vulnerabilities.

Prerequisites

    docker pull alpine:3.20

Steps

  1. Install Syft and Grype

    mkdir -p ~/.local/bin
    export PATH="$HOME/.local/bin:$PATH"
    curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b ~/.local/bin
    curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b ~/.local/bin
    syft version
    grype version

  2. Generate SBOM and scan

    mkdir -p ~/peachycloudsecurity-sbom-lab && cd ~/peachycloudsecurity-sbom-lab
    syft alpine:3.20 -o spdx-json > peachycloudsecurity-sbom.spdx.json
    grype sbom:peachycloudsecurity-sbom.spdx.json

syft writes the full package list to the JSON file. grype reads that file and reports any CVE matches without pulling the image again.

  3. Clean up

    cd ~ && rm -rf ~/peachycloudsecurity-sbom-lab
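Once the spdx-json file exists you can treat it as data. The following Python example is added here and is not part of the lab or of the Syft/Grype projects: it pulls the package list and image digest out of a syft-style SPDX 2.3 document and diffs two inventories of the same image, which is what makes keeping the SBOM beside the image digest useful. The document layout mirrors syft's spdx-json output, but the two documents, their package versions and their digests are constructed samples, not a real alpine:3.20 inventory.

```python
"""Parse the spdx-json SBOM syft writes and diff two inventories of the same image."""
import json

# Constructed sample data: a minimal SPDX 2.3 document in the shape syft emits.
# Versions, purls and digests are illustrative, not a real alpine:3.20 inventory.
def _pkg(name, version, ptype="apk"):
    return {"name": name, "SPDXID": f"SPDXRef-Package-{ptype}-{name}",
            "versionInfo": version,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl",
                              "referenceLocator": f"pkg:{ptype}/alpine/{name}@{version}"}]}

def _sbom(image, digest, pkgs):
    # syft adds a root package describing the image itself; versionInfo carries the digest
    root = {"name": image, "SPDXID": "SPDXRef-DocumentRoot-Image",
            "versionInfo": digest, "primaryPackagePurpose": "CONTAINER"}
    return json.dumps({"spdxVersion": "SPDX-2.3", "name": image, "packages": [root] + pkgs})

SBOM_BEFORE = _sbom("alpine:3.20", "sha256:" + "a" * 64,          # constructed digest
                    [_pkg("musl", "1.2.5-r0"), _pkg("busybox", "1.36.1-r28"),
                     _pkg("apk-tools", "2.14.4-r0")])
SBOM_AFTER = _sbom("alpine:3.20", "sha256:" + "b" * 64,           # constructed digest
                   [_pkg("musl", "1.2.5-r1"), _pkg("busybox", "1.36.1-r28"),
                    _pkg("apk-tools", "2.14.4-r0"), _pkg("zlib", "1.3.1-r1")])

def parse_spdx(text):
    """Return (image_digest, {versionless purl: version}) from an SPDX JSON string.
    The image root is recognised by primaryPackagePurpose == CONTAINER; packages
    without a purl are skipped here."""
    digest, pkgs = None, {}
    for p in json.loads(text).get("packages", []):
        if p.get("primaryPackagePurpose") == "CONTAINER":
            digest = p.get("versionInfo")
            continue
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        if purl:
            pkgs[purl.split("@", 1)[0]] = p.get("versionInfo", "")
    return digest, pkgs

def sbom_diff(old_text, new_text):
    """Packages added, removed or version-changed between two SBOMs of one image lineage."""
    _, old = parse_spdx(old_text)
    _, new = parse_spdx(new_text)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k])}
```

Running sbom_diff over the SBOM of a stored digest and the SBOM of a rebuilt image tells you which packages actually moved before you re-run grype on either file.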

Summary

  • An SBOM is a machine-readable list of every package inside an image. Store it next to the image digest so you can re-scan later without rebuilding.

  • Grype scanning the SBOM file is faster than scanning the image directly on repeated runs.

  • Pair with Lab: Trivy image scan to cover both direct-image and SBOM-based workflows.

  • Next step: Hardening, then Lab: Secure container defaults.