コンテンツにスキップ

SBOM/SCA Integrations

The primary flow for using MDSBOM is to generate SBOM/SCA reports using external tooling, then combine these reports with our logged runtime observations to produce an augmented output report. This is the workflow demonstrated in the quickstart guide.

For local/interactive usage, it is convenient to be able to generate the source reports and input these to the system automatically, so we have one-command integrations for a few popular SBOM/SCA tools.

Anchore (Syft/Grype)

Anchore provides the open source SBOM and SCA tools Syft and Grype.

In the quickstart guide, we generated reports with Syft and Grype, then fed these in to MDSBOM. Instead, we could have ran mdsbom anchore --full-summary redis:latest --sbom-report-out redis_sbom_out.spdx.json --sca-report-out redis_sca.cyclonedx.json, to generate the source reports and analyze them automatically.

Our Anchore integration supports SPDX output for SBOM reports and CycloneDX output for SCA reports.

Running this command requires syft and grype to be available in your PATH, but otherwise is equivalent to individually running the commands as described.

Docker Scout

Docker Scout is a SBOM/SCA tool with tight integration into the Docker user interface.

Our integration assumes the Docker Scout CLI has been installed, see their GitHub page (linked above) for installation instructions.

We can then run mdsbom scout --full-summary redis:latest --sca-report-out redis_sca_out.sarif, to generate the source reports and analyze them automatically.

Our Docker Scout integration supports SARIF output for SCA reports only.

Trivy

Trivy is another open source SBOM/SCA tool from Aqua security.

Our integration assumes the Docker Scout CLI has been installed, see their GitHub page (linked above) for installation instructions.

We can then run mdsbom trivy --full-summary redis:latest, to generate the source reports and analyze them automatically.

Our Trivy integration does not currently generate annotated reports, as source reports are in a Trivy-specific format.

Running this command requires trivy to be available in your PATH, along with the container tools skopeo and umoci.