Docker Advocates Build-Time SBOMs Over Post-Build Scanning for Container Security
Docker published a guide on June 25 outlining best practices for generating Software Bills of Materials (SBOMs) in container workflows. The guide argues that SBOMs generated at build time using BuildKit attestations are more reliable than those produced by scanning finished images after the fact, as they capture the full resolved dependency tree. Post-build scanners, while useful for third-party images, can miss statically linked binaries, vendored dependencies, and packages from intermediate build stages. Docker recommends attaching signed SBOM attestations directly to image digests and enforcing their presence as a deployment gate in CI/CD pipelines. The approach is increasingly relevant as regulations like US Executive Order 14028 and the EU Cyber Resilience Act require verifiable SBOMs for software sold to government and commercial markets.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in