I have been using Debricked for my pet projects for a while now and have been liking it a lot. However, I also have a few custom Docker images which I wanted to scan using Debricked. While there doesn’t seem to be any official Docker image support (yet?), I figured that I could try to generate a CycloneDX report using Docker’s SBOM plugin (https://github.com/docker/sbom-cli-plugin) and then import that.
Said and done: I ran the plugin with the flags --format cyclonedx-json --output imagename.sbom.json, the CLI automatically picked up the CycloneDX report, and after a few seconds I got both licenses and vulnerabilities back!
TLDR: To scan Docker images with Debricked, you need to do the following:
- Install and run the Docker SBOM CLI plugin, https://github.com/docker/sbom-cli-plugin, in order to generate a CycloneDX report. Make sure to change the format to CycloneDX, e.g.:
docker sbom username/imagename:latest --format cyclonedx-json --output imagename.sbom.json
- Run the Debricked CLI, https://github.com/debricked/cli, and it will automatically pick up the CycloneDX report files.
- Profit! See results in pipeline and Debricked UI.
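Between step one and step two it is worth confirming that the file the plugin wrote really is a CycloneDX document and actually lists packages, since an SBOM in the wrong format or with an empty component list will simply produce no findings. The script below is an added example, not part of the original post and not code from the docker sbom plugin or the Debricked CLI; it reads a CycloneDX JSON file, reports basic problems, and counts components per package ecosystem from their purl. The embedded SBOM_SAMPLE is constructed for the example and its package names and versions are made up.

```python
"""Sanity-check a CycloneDX JSON SBOM (e.g. from `docker sbom --format cyclonedx-json`)
before handing it to a scanner such as the Debricked CLI."""
import json
import sys
from collections import Counter

# Constructed sample in the shape of a CycloneDX 1.4 JSON document; the image name,
# package names, versions and purls are invented for this example.
SBOM_SAMPLE = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {"component": {"type": "container", "name": "username/imagename:latest"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1n-0+deb11u3",
     "purl": "pkg:deb/debian/openssl@1.1.1n-0%2Bdeb11u3?arch=amd64"},
    {"type": "library", "name": "express", "version": "4.17.1",
     "purl": "pkg:npm/express@4.17.1"},
    {"type": "library", "name": "lodash", "version": "4.17.15"}
  ]
}
'''


def load_bom(text):
    """Parse SBOM text into a dict (raises ValueError on malformed JSON)."""
    return json.loads(text)


def validate_bom(bom):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    # A file written in the plugin's default (non-CycloneDX) format lacks this field.
    if bom.get("bomFormat") != "CycloneDX":
        problems.append(f"bomFormat is {bom.get('bomFormat')!r}, expected 'CycloneDX'")
    if not isinstance(bom.get("specVersion"), str):
        problems.append("specVersion is missing")
    components = bom.get("components")
    if not isinstance(components, list) or not components:
        problems.append("no components listed; the scan will report nothing")
        return problems
    for index, component in enumerate(components):
        # Without a purl a scanner has no unambiguous package identity to match on.
        if not component.get("purl"):
            problems.append(f"component {index} ({component.get('name')!r}) has no purl")
    return problems


def summarize(bom):
    """Count components per ecosystem, taken from the purl type (pkg:<type>/...)."""
    counts = Counter()
    for component in bom.get("components", []):
        purl = component.get("purl")
        if purl and purl.startswith("pkg:"):
            counts[purl[len("pkg:"):].split("/", 1)[0]] += 1
        else:
            counts["unknown"] += 1
    return dict(counts)


def check_file(path):
    """Validate one SBOM file; returns (problems, summary)."""
    with open(path, encoding="utf-8") as handle:
        bom = load_bom(handle.read())
    return validate_bom(bom), summarize(bom)


if __name__ == "__main__":
    # Usage: python check_sbom.py imagename.sbom.json (falls back to the sample).
    if len(sys.argv) > 1:
        found, ecosystems = check_file(sys.argv[1])
    else:
        sample = load_bom(SBOM_SAMPLE)
        found, ecosystems = validate_bom(sample), summarize(sample)
    print("components per ecosystem:", ecosystems)
    for problem in found:
        print("problem:", problem)
    sys.exit(1 if found else 0)
```

Run it against the file from step one before running the Debricked CLI; a non-zero exit means the SBOM is not worth uploading yet. Components that show up under "unknown" are ones the plugin could not assign a purl to, which is the usual reason a package you know is in the image never appears in the results.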