SBOM

Every container image and binary that's part of metal-stack contains an SBOM (Software Bill of Materials). It provides a detailed inventory of components within container images and binaries, enabling you to manage vulnerabilities and compliance effectively.

We decided to use SPDX (Software Package Data Exchange), as it is among the most widely adopted standards and is natively supported in Docker. Docker attaches the SPDX document to the image as an in-toto attestation, while the SBOMs of binaries are created with Syft.

SBOMs are created as part of each repository's GitHub Actions workflow, using the Anchore SBOM Action for binaries and the Build and push Docker images action for container images.

Download SBOM of a container image

docker buildx imagetools inspect ghcr.io/metal-stack/<image name>:<tag> --format "{{ json .SBOM.SPDX }}" > sbom.json

For further info, refer to the Docker docs.

Download SBOM of a binary from the GitHub release

wget https://github.com/metal-stack/<repository name>/releases/latest/download/sbom.json

Please note: if more than one binary is released, e.g. for different platforms and architectures, the platform and architecture are part of the SBOM file name, so you have to include them in the download URL as well.

# This is an example using https://github.com/metal-stack/metalctl
wget https://github.com/metal-stack/metalctl/releases/latest/download/sbom-darwin-arm64.json

Identify CVEs

There are many tools that can identify known CVEs from an SBOM. To name one example, cve-bin-tool can read the SBOM directly and report the affected products, which looks like this:

cve-bin-tool --sbom-file sbom.json --format json

[09:57:06] INFO     cve_bin_tool - CVE Binary Tool v3.4                                                                                                                              cli.py:624
           INFO     cve_bin_tool - This product uses the NVD API but is not endorsed or certified by the NVD.                                                                        cli.py:625
           INFO     cve_bin_tool - For potentially faster NVD downloads, mirrors are available using -n json-mirror                                                                  cli.py:628
           INFO     cve_bin_tool.CVEDB - Using cached CVE data (<24h old). Use -u now to update immediately.                                                                       cvedb.py:320
           INFO     cve_bin_tool.CVEDB - There are 251234 CVE entries in the database                                                                                              cvedb.py:386
           INFO     cve_bin_tool.CVEDB - There are 205244 CVE entries from NVD in the database                                                                                     cvedb.py:388
           INFO     cve_bin_tool.CVEDB - There are 25495 CVE entries from GAD in the database                                                                                      cvedb.py:388
           INFO     cve_bin_tool.CVEDB - There are 20495 CVE entries from REDHAT in the database                                                                                   cvedb.py:388
           INFO     cve_bin_tool - CVE database contains CVEs from National Vulnerability Database (NVD), Open Source Vulnerability Database (OSV), Gitlab Advisory Database (GAD)   cli.py:915
                    and RedHat                                                                                                                                                                 
           INFO     cve_bin_tool - CVE database last updated on 01 July 2025 at 09:53:14                                                                                             cli.py:918
[09:57:13] INFO     cve_bin_tool - The number of products to process from SBOM - 116                                                                                                cli.py:1134
           INFO     cve_bin_tool - Overall CVE summary:                                                                                                                             cli.py:1181
           INFO     cve_bin_tool - There are 0 products with known CVEs detected                                                                                                    cli.py:1182
           INFO     cve_bin_tool.OutputEngine - JSON report stored                                                                                                                  __init__.py:878
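Besides handing the file to a scanner, it is often useful to read the SBOM yourself, e.g. to answer "which version of package X is in this image?" the moment an advisory is published. The following Python script is an added example and is not part of the metal-stack documentation or tooling: it parses an SPDX 2.3 JSON document in the shape that both download commands above produce (Syft and Docker's buildx attestation both emit `packages` with `versionInfo` and a `purl` external reference), lists every package with its version and purl, counts components per ecosystem, and matches the inventory against an advisory's list of affected versions. The embedded SBOM, the package entries and the advisory versions in it are constructed sample data, and the function names are this example's own.

```python
"""Inventory an SPDX 2.3 JSON SBOM and check it against an advisory.

Added example (not metal-stack code). Run with a real file:
    python sbom_inventory.py sbom.json
or without arguments to use the constructed sample document below.
"""
import json
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample: a minimal SPDX 2.3 document. Package names, versions
# and purls are made up for illustration and do not describe any real image.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "packages": [
        {"name": "example-image", "SPDXID": "SPDXRef-image", "versionInfo": "v0.1.0"},
        {"name": "golang.org/x/net", "SPDXID": "SPDXRef-p1", "versionInfo": "v0.33.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:golang/golang.org/x/net@v0.33.0"}]},
        {"name": "openssl", "SPDXID": "SPDXRef-p2", "versionInfo": "3.0.13-1~deb12u1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/openssl@3.0.13-1~deb12u1?arch=amd64"}]},
    ],
})


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: Optional[str]  # None when the SBOM carries no purl for the package


def parse_spdx(text: str) -> List[Component]:
    """Turn an SPDX JSON document into a flat list of components."""
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        raise ValueError("not an SPDX JSON document (missing spdxVersion)")
    components = []
    for pkg in doc.get("packages", []):
        purl = None
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl = ref.get("referenceLocator")
                break
        components.append(Component(pkg.get("name", ""), pkg.get("versionInfo", ""), purl))
    return components


def ecosystem(component: Component) -> str:
    """The purl type ('golang', 'deb', ...), or 'unknown' without a purl."""
    if component.purl and component.purl.startswith("pkg:"):
        return component.purl[len("pkg:"):].split("/", 1)[0]
    return "unknown"


def summarize(components: Iterable[Component]) -> Dict[str, int]:
    """Count components per ecosystem, a quick sanity check of SBOM coverage."""
    counts: Dict[str, int] = {}
    for c in components:
        counts[ecosystem(c)] = counts.get(ecosystem(c), 0) + 1
    return counts


def match_advisory(components: Iterable[Component], name: str,
                   affected_versions: Iterable[str]) -> List[Component]:
    """Components whose name matches the advisory and whose version is listed
    as affected. Exact version strings only: no range semantics are implied."""
    affected = set(affected_versions)
    return [c for c in components if c.name == name and c.version in affected]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SPDX
    comps = parse_spdx(text)
    for c in comps:
        print(f"{c.name:40} {c.version:20} {c.purl or '-'}")
    print("per ecosystem:", summarize(comps))
    # Constructed advisory: pretend v0.33.0 of golang.org/x/net were affected.
    hits = match_advisory(comps, "golang.org/x/net", ["v0.33.0"])
    print("affected:", [f"{c.name}@{c.version}" for c in hits])
```

`match_advisory` compares exact version strings, which is what an advisory's enumerated list gives you; for range expressions ("< 0.34.0") you would need an ecosystem-aware version comparison, which differs between Go modules and Debian packages, so that step is deliberately left to a scanner such as cve-bin-tool.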