Generate and store SBOMs

This document describes how to create and store a software bill of materials (SBOM) listing the dependencies in your container images.

When you store container images in Artifact Registry and scan them for vulnerabilities with Artifact Analysis, you can then generate an SBOM using the Google Cloud CLI.

For information on using vulnerability scanning, see Automatic scanning and Pricing.

Artifact Analysis stores SBOMs in Cloud Storage. For more information on Cloud Storage costs, see Pricing.

Container Registry (Deprecated) repositories are not supported. Learn how to transition from Container Registry.

Before you begin

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the Artifact Registry, Container Analysis, and Container Scanning APIs.

  5. Install the Google Cloud CLI.

  6. To initialize the gcloud CLI, run the following command:

    gcloud init

  7. Create a Docker repository in Artifact Registry and push a container image to the repository. If you are not familiar with Artifact Registry, see the Docker quickstart.

Required roles

To get the permissions that you need to manage Cloud Storage buckets and upload SBOM files, ask your administrator to grant you the Storage Admin (roles/storage.admin) IAM role on the project. For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

Generate an SBOM file

To generate an SBOM file, use the following command:

gcloud artifacts sbom export --uri=URI

Where:

  • URI is the Artifact Registry image URI that the SBOM file describes, for example us-east1-docker.pkg.dev/my-image-repo/my-image. You can specify the image in either tag or digest format; an image given in tag format is resolved to its digest.
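As an added example (not Google's own tooling), the following POSIX shell script wraps the export command above: it rejects Container Registry and other non-Artifact Registry URIs, and pins a tag to its digest before exporting so the SBOM describes immutable content rather than a tag that can later be moved. It assumes that gcloud artifacts docker images describe exposes the digest as image_summary.digest; that field name and the helper function names are assumptions, not part of this page.

```shell
#!/bin/sh
# Added example, not Google's own tooling: export an SBOM only for a
# digest-pinned Artifact Registry image. Assumes "gcloud artifacts docker
# images describe" exposes the digest as image_summary.digest.
set -eu

# Accept only Artifact Registry Docker URIs (LOCATION-docker.pkg.dev/PROJECT/REPO/IMAGE).
# Container Registry (gcr.io) hosts are deprecated and not supported for SBOM export.
is_artifact_registry_image() {
  case "$1" in
    gcr.io/*|*.gcr.io/*) return 1 ;;
    *-docker.pkg.dev/*/*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# True when the URI already names immutable content (IMAGE@sha256:...).
has_digest() {
  case "$1" in
    *@sha256:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Replace any ":tag" (and any stale "@digest") with the given digest, so the
# exported SBOM describes exactly the bytes that were scanned, not a movable tag.
pin_to_digest() {
  uri="$1"; digest="$2"
  base="${uri%%@*}"
  case "${base##*/}" in
    *:*) base="${base%:*}" ;;   # strip :tag from the last path component only
  esac
  printf '%s@%s\n' "$base" "$digest"
}

# Resolve a tag to its digest via gcloud (field name is an assumption, see above).
resolve_digest() {
  gcloud artifacts docker images describe "$1" --format='value(image_summary.digest)'
}

# Validate, pin, then run the export command from this page.
export_sbom() {
  image="$1"
  is_artifact_registry_image "$image" || { echo "refusing: not an Artifact Registry image URI: $image" >&2; return 1; }
  if ! has_digest "$image"; then
    image="$(pin_to_digest "$image" "$(resolve_digest "$image")")"
  fi
  echo "exporting SBOM for $image" >&2
  gcloud artifacts sbom export --uri="$image"
}
```

Call export_sbom with your image URI (for example export_sbom "us-east1-docker.pkg.dev/PROJECT/REPO/IMAGE:TAG") after sourcing the script; the export itself requires an authenticated gcloud CLI.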

Artifact Analysis stores your SBOM in Cloud Storage.

You can view SBOMs by using the Google Cloud console or the gcloud CLI. If you want to locate the Cloud Storage bucket that contains your SBOMs, you must search for SBOMs using the gcloud CLI.

Generate an SBOM without vulnerability scanning

If you want an SBOM but do not want ongoing vulnerability scanning for your project, you can still export one: enable the Container Scanning API before you push the image to Artifact Registry. After the image is pushed and you have exported the SBOM, disable the Container Scanning API so that you are not billed for further vulnerability scanning.

What's next