Generating SBOMs from Scanned Images

Alauda Security Service enables you to generate a Software Bill of Materials (SBOM) from scanned container images. SBOMs provide a detailed inventory of software components, dependencies, and libraries within an image and help teams investigate vulnerable packages more efficiently.

What is an SBOM?

A Software Bill of Materials (SBOM) is a digital record listing the components of a piece of software and their origins. SBOMs help organizations:

  • Identify the presence of vulnerable packages and components
  • Respond quickly to mitigate risks
  • Comply with regulations such as Executive Order 14028

SBOMs can be generated in different ways. The SBOMs generated by Alauda Security Service are "Analyzed" SBOMs, created by analyzing artifacts such as executables, packages, containers, and VM images. According to CISA, analyzed SBOMs:

  • Provide information without requiring an active development environment
  • Can be generated without access to the build process
  • Help discover hidden dependencies

The SBOM generated by Alauda Security Service is in System Package Data Exchange (SPDX) 2.3 format and is downloaded as JSON.

How to Generate SBOMs

You can generate SBOMs using the Alauda Security Service portal, the roxctl CLI, or the API.

Using the Portal

  1. Go to Vulnerability Management > Results and locate the image you want.
  2. If needed, switch to the relevant results view, such as User Workloads, Platform, or a view under More Views.
  3. Do one of the following:
    • In the image row, click the overflow menu and select Generate SBOM.
    • Select the image to view details, then click Generate SBOM.
  4. Review the image information and the SBOM format in the dialog.
  5. Click Generate SBOM to create and download the file.

Using the roxctl CLI

Run the following command:

roxctl image sbom --image=image-name

Replace image-name with the name and reference of the image (e.g., nginx:latest or nginx@sha256:...). A digest reference identifies exactly one image, whereas a tag can be moved to a different image later; use the digest form when the SBOM must correspond to a specific scanned or deployed image.

CLI Options

Option                      Description
-f, --force                 Bypass Central's cache for the image and force a new pull from the scanner. Default: false.
-d, --retry-delay integer   Time to wait between retries, in seconds. Default: 3.
-i, --image string          Image name and reference (e.g., nginx:latest or nginx@sha256:...).
-r, --retries integer       Number of times Scanner V4 should retry before exiting with an error. Default: 3.
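The following is an added example, not code from Alauda Security Service or its documentation. It builds the roxctl invocation from the options listed above, and then shows what a team typically does with the downloaded SPDX 2.3 JSON: index the packages by name and package URL (purl) and check them against a watchlist of package versions. It assumes that roxctl writes the SBOM JSON to standard output (the page only says the file is downloaded as JSON), and the SBOM document and the watchlist embedded below are constructed for illustration; the watchlist is not a real advisory.

```python
"""Generate an SPDX 2.3 SBOM with roxctl and search it for packages of interest.

Added example; not part of the Alauda Security Service product or its docs.
"""
import json
import subprocess
from collections import defaultdict


def roxctl_sbom_command(image, retries=3, retry_delay=3, force=False):
    """Build the roxctl command line from the options documented on this page."""
    cmd = ["roxctl", "image", "sbom", f"--image={image}",
           f"--retries={retries}", f"--retry-delay={retry_delay}"]
    if force:
        cmd.append("--force")  # bypass Central's cache and re-pull from the scanner
    return cmd


def generate_sbom(image, **opts):
    """Run roxctl and parse the SBOM it produces.

    Assumption (not stated on the page): the SBOM JSON is written to stdout.
    Requires a working roxctl configured against Central; not used by the
    offline demo below."""
    result = subprocess.run(roxctl_sbom_command(image, **opts),
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def parse_purl(purl):
    """Split a package URL into (type, name, version).

    Qualifiers ("?arch=amd64") and subpath ("#...") are dropped, and the
    namespace between the type and the name is ignored for matching."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    path, _, version = body.partition("@")
    parts = path.split("/")
    return parts[0], parts[-1], version or None


def packages_by_name(sbom):
    """Index SPDX 2.3 packages: name -> list of (versionInfo, purl or None)."""
    if sbom.get("spdxVersion") != "SPDX-2.3":
        raise ValueError(f"unexpected SPDX version {sbom.get('spdxVersion')!r}")
    index = defaultdict(list)
    for pkg in sbom.get("packages", []):
        purl = next((ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"), None)
        index[pkg["name"]].append((pkg.get("versionInfo"), purl))
    return dict(index)


def find_affected(sbom, watchlist):
    """Return sorted (name, version, purl) for packages whose (type, name, version)
    appears in `watchlist`. Packages without a purl cannot be matched and are skipped."""
    hits = []
    for name, entries in packages_by_name(sbom).items():
        for version, purl in entries:
            if purl is not None and parse_purl(purl) in watchlist:
                hits.append((name, version, purl))
    return sorted(hits)


# Constructed SPDX 2.3 document in the shape of a downloaded SBOM (not real scanner output).
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "nginx:latest",
    "packages": [
        {"name": "nginx:latest", "SPDXID": "SPDXRef-image", "versionInfo": "sha256:0000"},
        {"name": "openssl", "SPDXID": "SPDXRef-pkg-openssl", "versionInfo": "3.0.15-1~deb12u1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/openssl@3.0.15-1~deb12u1?arch=amd64"}]},
        {"name": "libssl3", "SPDXID": "SPDXRef-pkg-libssl3", "versionInfo": "3.0.15-1~deb12u1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/libssl3@3.0.15-1~deb12u1?arch=amd64"}]},
        {"name": "requests", "SPDXID": "SPDXRef-pkg-requests", "versionInfo": "2.31.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
    ],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-image"}],
}

# Constructed watchlist of (purl type, name, version); NOT a real advisory.
WATCHLIST = {("deb", "openssl", "3.0.15-1~deb12u1"), ("pypi", "requests", "2.30.0")}

if __name__ == "__main__":
    print("command:", " ".join(roxctl_sbom_command("nginx@sha256:...", force=True)))
    for name, version, purl in find_affected(SAMPLE_SBOM, WATCHLIST):
        print(f"watchlisted: {name} {version} ({purl})")
```

Matching on the purl rather than on the bare package name avoids confusing packages from different ecosystems that share a name, and stripping qualifiers such as the architecture keeps one watchlist entry valid across amd64 and arm64 images. The image's own root package carries no purl and is therefore never matched.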

Using the API

You can also generate an SBOM by using the API with an API token. Use this option when you want to embed SBOM creation into automation or external reporting workflows.