We are excited to introduce our new Attestations feature, which allows you to generate a Software Bill of Materials (SBOM) for every build and easily download it from your build detail view.
Generating an SBOM with Depot
We've added the ability to generate a Software Bill of Material (SBOM) for any
depot build or
depot bake command via our
depot CLI. Add the
-sbom=true flag to your build command to generate one for your build.
depot build --sbom=true .
depot bake --sbom=true -f docker-bake.hcl
We've also made accessing the SBOMs generated by your build easier. You can specify a directory to write the SBOM(s) to with the
depot build --sbom=true --sbom-dir=sboms .
depot bake --sbom=true --sbom-dir=sboms -f docker-bake.hcl
You can also access the all SBOMs generated by your build in the new Attestations view as part of our new build insights, where you can download them anytime.
Here, we see that this build was executed via a
depot bake command and therefore, we have six SBOMs, one for each target and platform architecture:
Generating SBOMs and uploading them to GitHub
With either of our actions, you can specify the
sbom parameter to generate a Software Bill of Materials during the build and the
sbom-dir parameter to output the generated SBOMs to a specified directory.
From there, you can upload the SBOMs as artifacts via
actions/upload-artifact, or you can also submit them to GitHub's dependency submission API via
advanced-security/spdx-dependency-submission-action. This allows you to receive Dependabot alerts for vulnerabilities in the contents of the built image itself!
- name: Checkout repo
- name: Set up Depot CLI
- name: Build an image with Software Bill of Materials (SBOM)
- name: upload SBOM directory as a build artifact
- name: upload spdx dependency
Note: When you upload an SBOM to GitHub's dependency submission API, it will be uploaded as a dependency manifest. So, you will receive Dependabot alerts for the packages included in the SBOM.
Generate an SBOM today
We're excited about incorporating SBOMs and future attestations into Depot, especially considering their growing importance in supply-chain security.
We'd love to hear your feedback and ideas on how we can make this even better. You can head to our Discord Community and let us know your thoughts.
If you're new to Depot, you can sign up for free and get up to 40x faster Docker builds in just a few minutes.