[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-03 (世界標準時間)。"],[[["\u003cp\u003eThis guide outlines the process of creating and storing a software bill of materials (SBOM) for container images in Artifact Registry, which lists the image's dependencies.\u003c/p\u003e\n"],["\u003cp\u003eSBOMs are generated using the Google Cloud CLI after storing container images in Artifact Registry and scanning them for vulnerabilities with Artifact Analysis, and these SBOMs are stored in Cloud Storage.\u003c/p\u003e\n"],["\u003cp\u003eTo manage Cloud Storage buckets and upload SBOM files, the Storage Admin IAM role is required, along with creating a Docker repository in Artifact Registry and pushing a container image to it.\u003c/p\u003e\n"],["\u003cp\u003eThe command \u003ccode\u003egcloud artifacts sbom export --uri=<URI>\u003c/code\u003e is used to generate an SBOM file, where the URI is the Artifact Registry image URI, and it can be provided in either tag or digest format.\u003c/p\u003e\n"],["\u003cp\u003eIt is possible to generate an SBOM without ongoing vulnerability scanning by enabling the Container Scanning API before pushing an image to Artifact Registry, then disabling it after the SBOM has been generated to prevent further vulnerability scanning charges.\u003c/p\u003e\n"]]],[],null,["This document describes how to create and store a software bill of materials\n(SBOM) listing the dependencies in your container images.\n\nWhen you store container images in Artifact Registry and scan them for\nvulnerabilities with Artifact Analysis, you can then generate an SBOM using\nthe Google Cloud CLI.\n\nFor information on using vulnerability scanning, see\n[Automatic scanning](/artifact-analysis/docs/artifact-analysis#automatic_scanning)\nand [Pricing](/artifact-analysis/pricing).\n\nArtifact Analysis stores SBOMs in Cloud Storage. For more information on\nCloud Storage costs, see [Pricing](/storage/pricing).\n\nBefore you begin\n\n- [Sign in](https://accounts.google.com/Login) to your Google Account.\n\n If you don't already have one, [sign up for a new account](https://accounts.google.com/SignUp).\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the Artifact Registry, Container Analysis, Container Scanning APIs.\n\n\n [Enable the APIs](https://console.cloud.google.com/flows/enableapi?apiid=https://artifactregistry.googleapis.com, https://containeranalysis.googleapis.com, https://containerscanning.googleapis.com)\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n | **Note:** If you installed the gcloud CLI previously, make sure you have the latest version by running `gcloud components update`.\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the Artifact Registry, Container Analysis, Container Scanning APIs.\n\n\n [Enable the APIs](https://console.cloud.google.com/flows/enableapi?apiid=https://artifactregistry.googleapis.com, https://containeranalysis.googleapis.com, https://containerscanning.googleapis.com)\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n | **Note:** If you installed the gcloud CLI previously, make sure you have the latest version by running `gcloud components update`.\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n\n1. Create a Docker repository in Artifact Registry and push a container image to the repository. If you are not familiar with Artifact Registry, see the [Docker\n quickstart](/artifact-registry/docs/docker/store-docker-container-images).\n\n\u003cbr /\u003e\n\nRequired roles\n\n\nTo get the permissions that\nyou need to manage Cloud Storage buckets and upload SBOM files,\n\nask your administrator to grant you the\n\n\n[Storage Admin](/iam/docs/roles-permissions/storage#storage.admin) (`roles/storage.admin`)\nIAM role on the project.\n\n\nFor more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\nYou might also be able to get\nthe required permissions through [custom\nroles](/iam/docs/creating-custom-roles) or other [predefined\nroles](/iam/docs/roles-overview#predefined).\n\nGenerate an SBOM file\n\nTo generate an SBOM file, use the following command: \n\n gcloud artifacts sbom export --uri=\u003cvar translate=\"no\"\u003eURI\u003c/var\u003e\n\nWhere\n\n- \u003cvar translate=\"no\"\u003eURI\u003c/var\u003e is the Artifact Registry image URI that the SBOM file describes, similar to `us-east1-docker.pkg.dev/my-image-repo/my-image`. Images can be in either [tag format](/artifact-registry/docs/container-concepts#tags), or [digest format](/artifact-registry/docs/container-concepts#manifests). Images provided in tag format will be resolved into digest format.\n\nArtifact Analysis stores your SBOM in Cloud Storage.\n\nYou can view SBOMs by using the Google Cloud console or the gcloud CLI.\nIf you want to locate the Cloud Storage bucket that contains your\nSBOMs, you must\n[search for SBOMs using the gcloud CLI](/artifact-analysis/docs/view-sboms-dependencies#gcloud).\n| **Note:** If you're using images with `gcr.io` domain names, SBOMs might not appear immediately. SBOM generation takes at least 24 hours from the time when you set up hostname redirection.\n\nGenerate an SBOM without vulnerability scanning\n\nIf you want to generate an SBOM, but you don't want ongoing vulnerability\nscanning for your project, you can still export an SBOM if you enable the\nContainer Scanning API before you push the image to Artifact Registry. After\nyour image is pushed to Artifact Registry, and you have exported an SBOM, you\nmust disable the Container Scanning API to prevent being billed for further\nvulnerability scanning.\n\nWhat's next\n\n- [Upload your own SBOM](/artifact-analysis/docs/upload-sbom)\n- [View SBOMs and dependencies](/artifact-analysis/docs/view-sboms-dependencies)"]]
