docker/scout-sbom-indexer

Verified Publisher

By Docker, Inc.

Updated about 1 month ago

Docker Scout SBOM indexer for use with BuildKit.


docker/scout-sbom-indexer repository overview

Motivation

The Docker Scout SBOM Indexer builds on the capabilities of other SBOM generators:

  1. The Scout SBOM scanner puts more effort into mapping packages to layers, so the layer/vulnerability mapping that Scout presents is more accurate. In other words, both syft and Scout will produce similar package lists, but Scout is better able to map the packages, and hence vulnerabilities, to specific layers.
  2. The Scout SBOM scanner incorporates Go toolchain information into a layer when it finds a Go binary. While this can result in some false positives, we use it as the default as it allows more downstream flexibility.
  3. The Scout SBOM scanner combines approaches used by both syft's and trivy's SBOM scanners, resulting in slightly richer metadata than either single approach provides.

Supported tags

It is safest to track the major version tag, currently 1. Tags using MAJOR.MINOR and MAJOR.MINOR.PATCH, as well as latest, are also supported. You can see the complete list of Scout SBOM indexer releases on the docker/scout-cli tags page.

Quick reference

The Scout SBOM Indexer is typically invoked to add an SBOM attestation when building container images using BuildKit.

$ docker buildx build --attest type=sbom,generator=docker/scout-sbom-indexer .

Tag summary

Content type: Image
Digest: sha256:7749c4165
Size: 53.2 MB
Last updated: about 1 month ago

docker pull docker/scout-sbom-indexer:local
