Recently, Docker and Anchore worked together to deliver a new operation within Docker Desktop for generating a container image software bill of materials (SBOM) using native Docker tools. The core functionality for generating an SBOM comes from Anchore’s open-source Syft project, which can be accessed as a command line tool or used as a library for other tools to integrate with (as is the case with our collaboration with Docker).
Anchore provides a number of open-source and commercially available software tools for managing SBOMs and providing security/compliance insights and enforcement capabilities against those generated SBOMs. Our general approach to securing modern software development systems embraces the user’s automation and development flexibility objectives, handling large and dynamic software production flows. To facilitate this, the Anchore Enterprise platform effectively conforms to a pattern where:
- Existing software development infrastructure is instrumented with light-weight tooling that is pointed at a software element (source code checkout, container image, etc.) to generate an SBOM, and then
- The tooling imports that SBOM into a deployment of Anchore Enterprise which stores the SBOM for further processing, at which point the full capabilities of Anchore Enterprise can be applied to the software SBOM.
The Anchore Enterprise client that implements the SBOM generation and import steps is named ‘anchorectl’, a lightweight CLI tool that is included with the Anchore Enterprise platform.
As part of our ongoing commitment to support integration with Docker’s native tooling and approach to SBOM generation, we’ve recently released a new version of anchorectl, available to all Anchore Enterprise users, with added support for importing an SBOM directly from new ‘docker sbom’ command. With this capability, users who have access to an existing Anchore Enterprise deployment and prefer to use native ‘docker’ commands in their development environments can easily connect the two systems in a typically UNIX-like fashion. The following example shows an abstract ‘checkout, build container image, import image sbom to Anchore Enterprise’ using this new interface.
# git clone <somerepo>
# docker build -t <someimage> -f <somerepo>/Dockerfile <somerepo>/
# docker sbom --format syft-json <someimage> | anchorectl sbom upload -
With this simple process invoked either manually or scripted as part of an automated build, users can be assured that new container image SBOMs are being imported to their Anchore Enterprise deployment, so that the full capabilities of Anchore Enterprise - vulnerability scanning (on demand, historical), compliance checks using Anchore’s fully policy subsystem, SBOM drift detection, global reporting and notifications, and many others - can be applied.
Conclusion
As we continue to explore new areas for building SBOM generation and consumption capabilities in collaboration with the Docker community, we remain committed to ensuring that all of Anchore’s products, open-source tools and partnership collaboration efforts are interoperable. As we move forward, we’re looking forward to moving SBOM generation capabilities even closer to the ‘build’ process, continuing support for open standards atop the existing native, SPDX, CycloneDX and other formats, and providing integrations with a wide variety of development environments.