Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.ramalama.com/llms.txt

Use this file to discover all available pages before exploring further.

A Software Bill of Materials (SBOM) lists the packages and components in an image. SBOMs help you understand provenance, license obligations, and exposure to vulnerabilities.

Why SBOMs matter

  • Transparency for security audits and compliance
  • Faster triage when new CVEs are disclosed
  • Confidence in reproducible builds

Generate or fetch an SBOM

Use common tools to produce or download SBOMs: 
# Generate SBOM locally in SPDX JSON format
syft quay.io/ramalama/ramalama:latest -o spdx-json > sbom.ramalama.spdx.json

# Or scan the CUDA image
syft quay.io/ramalama/cuda:latest -o spdx-json > sbom.cuda.spdx.json
If the image publishes signed attestations, you can retrieve them with cosign: 
# Example (subject to publisher configuration)
cosign download sbom quay.io/ramalama/ramalama:latest | jq . > sbom.attestation.json

Best practices

  • Store SBOMs alongside release artifacts for traceability
  • Pair SBOMs with periodic vulnerability scans (e.g., Trivy/Grype)
  • Pin image tags (e.g., :1.2) and record the digest for immutability