FOSSA Logo
C
Security
Containers
DevOps
Supply Chain
Kubernetes

Container Bill of Materials (CBOM)

A structured inventory that documents all components, dependencies, and configuration details within a container image, enabling enhanced visibility and security throughout the container lifecycle.

What is a Container Bill of Materials (CBOM)?

A Container Bill of Materials (CBOM) is a comprehensive, machine-readable inventory that documents all components, dependencies, and configuration details within a container image. Similar to a Software Bill of Materials (SBOM), a CBOM provides transparency into what's inside a container, but with additional container-specific metadata and context that traditional SBOMs may not capture.

CBOMs enable organizations to understand and track the contents of their container images, identify security vulnerabilities, ensure license compliance, and verify the provenance of container images throughout the software supply chain. As container adoption continues to grow across industries, CBOMs are becoming increasingly essential for maintaining security and compliance in containerized environments.

Components of a Container Bill of Materials

Base Layer Information

  • Base Image: The foundation image upon which the container is built
  • OS Components: Operating system packages and libraries included in the base image
  • Base Image Provenance: Origin and authenticity verification of the base image

Application Components

  • Application Code: Custom application code included in the container
  • Application Dependencies: Libraries, frameworks, and packages required by the application
  • Runtime Dependencies: Components needed for the application to execute

Container Configuration

  • Environment Variables: Configuration settings defined in the container
  • Exposed Ports: Network ports the container exposes
  • Volume Mounts: Persistent storage configurations
  • User Permissions: User contexts and privilege settings

Build Information

  • Build Tools: Software used to create the container image
  • Build Date: When the container image was created
  • Build System: CI/CD system that produced the image
  • Build Scripts: Dockerfile or other container definition files

CBOM Formats and Standards

Container-Specific SBOM Extensions

Many CBOM implementations extend existing SBOM formats with container-specific fields:

CycloneDX Container Extension

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [...],
  "containers": [
    {
      "type": "container",
      "name": "example-api",
      "image": {
        "registry": "docker.io",
        "repository": "example/api",
        "tag": "v1.2.3",
        "digest": "sha256:abc123..."
      },
      "layers": [
        {
          "digest": "sha256:def456...",
          "size": 14578923
        }
      ],
      "components": [
        {
          "type": "library",
          "bom-ref": "pkg:npm/axios@0.21.1"
        }
      ]
    }
  ]
}

SPDX Container Annotations

SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
DocumentName: container-example-1.0.0
DocumentNamespace: http://spdx.org/spdxdocs/container-example-1.0.0
Creator: Tool: container-sbom-generator-1.0.0
Created: 2023-07-01T09:00:00Z
Annotation: DocumentRef-container-image
AnnotationType: OTHER
AnnotationComment: containerImage:registry=docker.io,repository=example/api,tag=v1.2.3,digest=sha256:abc123...

Container-Native CBOM Tools

Various tools specifically designed to generate CBOMs for containers:

  • Syft: Open source tool that generates SBOMs for container images
  • Anchore: Container security platform with CBOM generation capabilities
  • Tern: Inspection tool for identifying packages in container images
  • Trivy: Vulnerability scanner with CBOM export functionality

Use Cases for Container Bills of Materials

Security Vulnerability Management

  • Vulnerability Detection: Quickly identify container images affected by new vulnerabilities
  • Risk Assessment: Evaluate the security posture of container deployments
  • Patch Prioritization: Focus remediation efforts on the most critical container vulnerabilities
  • Audit Trail: Maintain records of container contents for security investigations

Compliance and Governance

  • License Compliance: Track open source licenses for all components in container images
  • Regulatory Requirements: Meet government and industry mandates for container transparency
  • Policy Enforcement: Automate enforcement of container security and composition policies
  • Vendor Management: Verify third-party container images meet organizational standards

Container Lifecycle Management

  • Image Selection: Make informed decisions when choosing base images
  • Drift Detection: Identify unauthorized changes between container builds
  • Version Control: Track component versions across container image iterations
  • Deprecation Management: Identify and replace outdated or unsupported components

CI/CD Pipeline Integration

  • Automated Generation: Create CBOMs as part of the container build process
  • Pre-deployment Checks: Validate container contents before deployment
  • Registry Integration: Store and retrieve CBOMs alongside container images
  • Release Gating: Block deployment of containers that don't meet security standards

Creating and Maintaining CBOMs

Generation Methods

Build-Time Generation

Creating CBOMs during the container image build process:

# Example GitHub Actions workflow
name: Build Container & Generate CBOM
 
on:
  push:
    branches: [ main ]
 
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Build container image
        run: docker build -t example/api:latest .
      
      - name: Generate CBOM
        run: syft example/api:latest -o cyclonedx-json > cbom.json
      
      - name: Upload CBOM
        run: curl -X POST -F file=@cbom.json https://artifact-registry/upload

Registry-Based Generation

Generating CBOMs from images stored in container registries:

# Extract CBOM from container in registry without pulling
syft registry:docker.io/example/api:latest -o cyclonedx-json > cbom.json

Runtime Analysis

Creating or augmenting CBOMs by analyzing running containers:

# Analyze running container
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  container-analyzer analyze --container-id abc123 --output cbom.json

Verification and Validation

  • Completeness Checking: Ensuring all container layers and components are included
  • Accuracy Verification: Validating component information against trusted sources
  • Signature Verification: Checking cryptographic signatures of container layers
  • Policy Compliance: Verifying CBOM contents against security and compliance policies

CBOM and Container Security Best Practices

Minimal Base Images

  • Use minimal, purpose-built base images to reduce attack surface
  • Prefer distroless or scratch images when possible
  • Document base image selection decisions in the CBOM

Layer Optimization

  • Minimize the number of layers to reduce complexity
  • Combine commands to reduce layer count while maintaining clarity
  • Include layer dependencies in the CBOM for complete visibility

Immutable Containers

  • Treat containers as immutable artifacts
  • Rebuild rather than update containers when changes are needed
  • Use CBOMs to verify container immutability

Continuous Monitoring

  • Regularly scan containers for new vulnerabilities
  • Update CBOMs when vulnerabilities are discovered
  • Track container drift through CBOM comparison

CBOM Implementation Challenges

Multi-Stage Builds

  • Complexity in tracking components across build stages
  • Need to capture both build-time and runtime dependencies
  • Distinguishing between components in the final image versus build artifacts

Nested Containers

  • Managing CBOMs for containers that run other containers
  • Tracking relationships between parent and child containers
  • Consolidating vulnerability information across nested containers

Tooling Limitations

  • Inconsistent detection of components across different tools
  • Challenges with proprietary or obfuscated components
  • Performance impact when generating CBOMs for large container images

Integration Complexity

  • Incorporating CBOM generation into existing CI/CD pipelines
  • Handling container images from various sources and registries
  • Managing CBOM storage and retrieval alongside container images

Standardization Efforts

  • Evolving container-specific extensions to SBOM formats
  • Industry collaboration on CBOM best practices
  • Integration of CBOMs into container security standards

Container Supply Chain Security

  • Using CBOMs as part of SLSA (Supply chain Levels for Software Artifacts)
  • Integration with binary authorization and container signing
  • Chain of custody verification for container images

Automated Remediation

  • Using CBOM data to automate vulnerability patching
  • Automated rebuilding of containers when base images are updated
  • Policy-driven container deployment based on CBOM analysis

Container Attestation

  • Cryptographically signed statements about container properties
  • Verification of build environment and process integrity
  • Integration with secure supply chain frameworks

Getting Started with CBOMs

Implementation Strategy

  1. Start Small: Begin with high-priority container images
  2. Choose Tools: Select CBOM generation tools compatible with your environment
  3. CI/CD Integration: Automate CBOM generation in your build pipeline
  4. Establish Policies: Define acceptance criteria for container images
  5. Educate Teams: Train developers and operators on CBOM importance

Key Considerations

  • Performance Impact: Balance CBOM generation thoroughness with build performance
  • Storage Requirements: Plan for CBOM storage and version management
  • Toolchain Integration: Ensure compatibility across your container ecosystem
  • Governance Model: Define ownership and responsibilities for CBOM management

Relationship to Other Security Frameworks

SBOM and CBOM

CBOMs extend SBOM concepts to address container-specific aspects, with significant overlap but distinct focus areas.

VEX (Vulnerability Exploitability eXchange)

VEX provides additional context about the exploitability of vulnerabilities identified in a CBOM.

SLSA (Supply chain Levels for Software Artifacts)

SLSA provides a framework for ensuring supply chain integrity, with CBOMs serving as a key component for container verification.

DevSecOps Practices

CBOMs integrate with broader DevSecOps practices for securing the entire container lifecycle from development to deployment.

Related Terms

Artifact

A file or package produced by the build process, such as an executable, container image, library, or other deployable component.

Dependency

External software packages or components that a project uses or relies on to function properly.

DevSecOps

An approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle, from initial development through production deployment and beyond.

Kubernetes

An open-source container orchestration platform that automates the deployment, scaling, and management of containerized applications.

Software Supply Chain

The full lifecycle and pipeline involved in developing, building, packaging, distributing, and deploying software—including dependencies, tools, infrastructure, and people.