A Software Bill of Materials (SBOM) lists the packages and components in an image. SBOMs help you understand provenance, license obligations, and exposure to vulnerabilities.

Why SBOMs matter

  • Transparency for security audits and compliance
  • Faster triage when new CVEs are disclosed
  • A recorded baseline for checking that a rebuilt image contains the same components as the release it replaces

Generate or fetch an SBOM

Use common tools to produce or download SBOMs:
# Generate SBOM locally in SPDX JSON format
syft quay.io/ramalama/ramalama:latest -o spdx-json > sbom.ramalama.spdx.json

# Or scan the CUDA image
syft quay.io/ramalama/cuda:latest -o spdx-json > sbom.cuda.spdx.json
`cosign download sbom` fetches an SBOM that the publisher attached to the image with `cosign attach sbom`; that attachment is not signed, so it gives you the document but no integrity or provenance guarantee. If the publisher ships signed in-toto attestations instead, verify them with `cosign verify-attestation`, which checks the signature before printing the payload. Both depend on how the publisher configured signing; the identity and issuer values below are placeholders:
# Unsigned attached SBOM (subject to publisher configuration)
cosign download sbom quay.io/ramalama/ramalama:latest | jq . > sbom.attached.spdx.json
# Signed SPDX attestation: the identity regexp and OIDC issuer must match the publisher's signing setup
cosign verify-attestation --type spdxjson --certificate-identity-regexp '<publisher identity>' --certificate-oidc-issuer '<oidc issuer URL>' quay.io/ramalama/ramalama:latest | jq -r .payload | base64 -d | jq .predicate > sbom.attestation.spdx.json

Best practices

  • Store SBOMs alongside release artifacts, named or tagged with the digest of the image they describe, so each SBOM can be traced to exactly one image
  • Pair SBOMs with periodic vulnerability scans (e.g., Trivy/Grype); both tools can scan a saved SBOM file directly, so a newly disclosed CVE can be triaged against every release without re-pulling the images
  • Reference images by digest (quay.io/ramalama/ramalama@sha256:…) rather than by a mutable tag such as :latest; a version tag (e.g., :1.2) is easier to read but can be re-pushed, so record the digest together with the SBOM
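The two routine uses of a stored SBOM, triaging a new advisory against it and confirming that it describes the image digest you pinned, as an added example in Python. This is not RamaLama project code. The SBOM it parses is a constructed, trimmed SPDX 2.3 JSON document in the shape `syft -o spdx-json` writes; the package list, the digest and the advisory are placeholders, not real data. It assumes the described image package carries the digest in `versionInfo` (check where your syft version records it), and its version comparison is deliberately simplified, so treat a real scanner's verdict as authoritative.

```python
"""Triage a saved SPDX JSON SBOM against a newly disclosed advisory and check
that the SBOM describes the pinned image digest.

Added example, not part of the RamaLama project. SAMPLE_SBOM is a constructed,
trimmed document in the shape `syft -o spdx-json` writes; its packages, the
digest and the advisory are placeholders, not real data.
"""
import json
import re
from typing import Dict, List, Tuple

# Placeholder digest standing in for the one recorded at release time.
PINNED_DIGEST = "sha256:" + "0" * 64


def _purl_ref(ptype: str, name: str, version: str) -> dict:
    """Build an SPDX externalRef carrying a package URL (purl)."""
    return {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
            "referenceLocator": f"pkg:{ptype}/{name}@{version}"}


# Constructed sample SBOM. Assumption: the package listed in documentDescribes
# carries the image digest in versionInfo.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "quay.io/ramalama/ramalama:latest",
    "documentDescribes": ["SPDXRef-image"],
    "packages": [
        {"SPDXID": "SPDXRef-image", "name": "quay.io/ramalama/ramalama",
         "versionInfo": PINNED_DIGEST},
        {"SPDXID": "SPDXRef-p1", "name": "openssl-libs", "versionInfo": "3.0.7-24.el9",
         "externalRefs": [_purl_ref("rpm/rhel", "openssl-libs", "3.0.7-24.el9")]},
        {"SPDXID": "SPDXRef-p2", "name": "requests", "versionInfo": "2.31.0",
         "externalRefs": [_purl_ref("pypi", "requests", "2.31.0")]},
        # Same name in another ecosystem: must NOT match an rpm advisory.
        {"SPDXID": "SPDXRef-p3", "name": "openssl-libs", "versionInfo": "1.0.0",
         "externalRefs": [_purl_ref("pypi", "openssl-libs", "1.0.0")]},
    ],
})

# Placeholder advisory (not a real CVE): rpm openssl-libs fixed in 3.0.7-27.el9.
EXAMPLE_ADVISORY = {"id": "CVE-YYYY-NNNN", "type": "rpm", "name": "openssl-libs",
                    "fixed_in": "3.0.7-27.el9"}


def load_packages(sbom_json: str) -> List[Dict[str, str]]:
    """Flatten SPDX packages to name, version, purl and purl ecosystem type."""
    doc = json.loads(sbom_json)
    out = []
    for p in doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), "")
        # The purl type is the segment between "pkg:" and the first "/".
        ptype = purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else ""
        out.append({"name": p.get("name", ""), "version": p.get("versionInfo", ""),
                    "purl": purl, "type": ptype})
    return out


def version_key(version: str) -> Tuple:
    """Split '3.0.7-24.el9' into comparable parts; numeric parts sort before text.
    Simplified on purpose: ignores rpm epochs and rpmvercmp/dpkg tie-break rules,
    so use Grype/Trivy for the authoritative answer."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.split(r"[.\-~+]", version) if t)


def find_affected(packages: List[Dict[str, str]], advisory: dict) -> List[Dict[str, str]]:
    """Packages in the advisory's ecosystem and name whose version is below the fix."""
    return [p for p in packages
            if p["type"] == advisory["type"] and p["name"] == advisory["name"]
            and version_key(p["version"]) < version_key(advisory["fixed_in"])]


def describes_digest(sbom_json: str, pinned_digest: str) -> bool:
    """True if a package listed in documentDescribes carries the pinned digest."""
    doc = json.loads(sbom_json)
    described = set(doc.get("documentDescribes", []))
    return any(p.get("SPDXID") in described and p.get("versionInfo") == pinned_digest
               for p in doc.get("packages", []))


if __name__ == "__main__":
    pkgs = load_packages(SAMPLE_SBOM)
    print(f"{len(pkgs)} packages; SBOM matches pinned digest: "
          f"{describes_digest(SAMPLE_SBOM, PINNED_DIGEST)}")
    for hit in find_affected(pkgs, EXAMPLE_ADVISORY):
        print(f"{EXAMPLE_ADVISORY['id']}: {hit['purl']} "
              f"(fixed in {EXAMPLE_ADVISORY['fixed_in']})")
```

Matching on the purl ecosystem type as well as the name is the point of the decoy entry: an rpm advisory for openssl-libs must not flag a PyPI package that happens to share the name. To run this against a real document, replace SAMPLE_SBOM with the contents of the file syft wrote and PINNED_DIGEST with the digest you recorded at release time.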