Get the latest SBOMs from the top 15 most popular images on Docker Hub

Most companies that use Docker, also uses Docker Hub in some capacity. Have you ever wondered how secure these images are? In our article Comprehensive Guide to Generating and Understanding SBOMs with Docker and Django-CMS we talked about how to generate SBOMs from a Docker image.

In this article, we are taking this one step further, and automate the process in our CI/CD pipeline (in this case GitHub Actions). We’ve created a GitHub repository called docker-hub-sbom that automatically builds SBOMs for the top 15 Docker Hub images every night.

The top 15 most popular (official) Docker images are as follows:

  • alpine
  • busybox
  • docker
  • hello-world
  • httpd
  • memcached
  • mongo
  • mysql
  • nginx
  • node
  • postgres
  • python
  • rabbitmq
  • redis
  • ubuntu

To keep things simple, we will only generate the SBOM for the ‘latest’ tag of each disk image.

Unlike in our previous guide, we will not use the docker sbom feature available in Docker Desktop. But instead, we will use the tool that Docker Desktop uses behind the scenes, namely syft.

The full CI/CD pipeline is defined in build-sboms.yml, but in simple terms all it does is to iterate over the list of the list of images and then use syft to build an SBOM both in CycloneDX and SPDX format.

After each run has been successful, it publishes the SBOMs as artifacts. You can see an example of this in this run. For instance, you can download the SBOM for nginx (CycloneDX and SPDX).

There are a few important things to point out here:

  • First, this way of generating SBOMs is completely CI/CD agnostic. You could easily take this workflow and implement it on other tools like Travis, Jenkins, TeamCity or almost any other CI/CD platform.
  • Second, while we are using upstream Docker Hub images in this example, you could just swap this out for your own internal Docker images for your application and get the same result.

Leave a Reply

Your email address will not be published. Required fields are marked *