# SBOM

> Retrieve and use SBOMs for RamaLama images.

A Software Bill of Materials (SBOM) lists the packages and components in an image.
SBOMs help you understand provenance, license obligations, and exposure to vulnerabilities.

## Why SBOMs matter

* Transparency for security audits and compliance
* Faster triage when new CVEs are disclosed
* Confidence in reproducible builds

## Generate or fetch an SBOM

Use common tools to produce or download SBOMs:

```bash
# Generate SBOM locally in SPDX JSON format
syft quay.io/ramalama/ramalama:latest -o spdx-json > sbom.ramalama.spdx.json

# Or scan the CUDA image
syft quay.io/ramalama/cuda:latest -o spdx-json > sbom.cuda.spdx.json
```

If the publisher attaches an SBOM or a signed attestation to the image, you can retrieve it with `cosign`:

```bash
# Example (subject to publisher configuration)
# Note: `download sbom` only fetches the attached SBOM; it does not check a
# signature. Verify separately (e.g. `cosign verify`) before trusting the content.
cosign download sbom quay.io/ramalama/ramalama:latest | jq . > sbom.attestation.json
```

## Best practices

* Store SBOMs alongside release artifacts for traceability
* Pair SBOMs with periodic vulnerability scans (e.g., Trivy/Grype)
* Pin image tags (e.g., `:1.2`) and record the digest for immutability
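The following is an added example, not part of the RamaLama project, showing what a consumer does with the SPDX JSON file that `syft -o spdx-json` produces: it parses the `packages` array, flags packages older than an advisory's fix version, and checks concluded licenses against a policy. The embedded SBOM, the advisory ids and the license denylist are constructed samples (placeholder ids, not real CVEs), and the version comparison is a simplified dotted-number comparator rather than a full RPM or PEP 440 implementation.

```python
"""Triage an SPDX 2.3 JSON SBOM against advisories and a license policy.
Added example; the SBOM, advisories and policy below are constructed samples."""
import json
import sys
from typing import Iterable

# Constructed sample: a minimal SPDX 2.3 document with the fields syft emits
# per package (name, versionInfo, licenseConcluded, a purl in externalRefs).
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "quay.io/ramalama/ramalama:latest",
    "packages": [
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "3.0.7",
         "licenseConcluded": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:rpm/fedora/openssl@3.0.7"}]},
        {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib", "versionInfo": "1.2.13",
         "licenseConcluded": "Zlib",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:rpm/fedora/zlib@1.2.13"}]},
        {"SPDXID": "SPDXRef-Package-readline", "name": "readline", "versionInfo": "8.2",
         "licenseConcluded": "GPL-3.0-or-later",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:rpm/fedora/readline@8.2"}]},
    ],
})

# Constructed advisories: package name and the first fixed version.
# The ids are placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "openssl", "fixed_in": "3.0.8"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "zlib", "fixed_in": "1.2.12"},
]


def version_key(version: str) -> tuple:
    """Turn a dotted version into a comparable tuple (numeric parts as ints).
    Simplified: adequate for plain x.y.z strings, not a full RPM/PEP 440 comparator."""
    parts = []
    for piece in version.replace("-", ".").split("."):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def load_packages(spdx_json: str) -> list[dict]:
    """Return name, version, concluded license and purl for every package."""
    doc = json.loads(spdx_json)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x JSON document")
    packages = []
    for pkg in doc.get("packages", []):
        purl = next((ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"), None)
        packages.append({
            "name": pkg["name"],
            "version": pkg.get("versionInfo", ""),
            "license": pkg.get("licenseConcluded", "NOASSERTION"),
            "purl": purl,
        })
    return packages


def affected_packages(packages: list[dict], advisories: list[dict]) -> list[dict]:
    """Packages whose installed version is older than the advisory's fixed version."""
    hits = []
    for adv in advisories:
        for pkg in packages:
            if pkg["name"] == adv["package"] and \
                    version_key(pkg["version"]) < version_key(adv["fixed_in"]):
                hits.append({"advisory": adv["id"], "package": pkg["name"],
                             "installed": pkg["version"], "fixed_in": adv["fixed_in"]})
    return hits


def license_violations(packages: list[dict], denied: Iterable[str]) -> list[str]:
    """Names of packages whose concluded license is on the policy denylist."""
    denied = set(denied)
    return [pkg["name"] for pkg in packages if pkg["license"] in denied]


def triage(spdx_json: str, advisories: list[dict], denied_licenses: Iterable[str]) -> dict:
    """Summarise an SBOM: package count, advisory hits and license policy hits."""
    packages = load_packages(spdx_json)
    return {
        "packages": len(packages),
        "affected": affected_packages(packages, advisories),
        "license_violations": license_violations(packages, denied_licenses),
    }


if __name__ == "__main__":
    # Pass a path such as sbom.ramalama.spdx.json to triage a real syft output;
    # without an argument the constructed sample is used.
    sbom_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SPDX_JSON
    print(json.dumps(triage(sbom_text, SAMPLE_ADVISORIES, ["GPL-3.0-or-later"]), indent=2))
```

Run it as `python triage_sbom.py sbom.ramalama.spdx.json` to apply the same checks to the file generated in the previous section; on the sample it reports openssl as affected (3.0.7 is below the 3.0.8 fix), leaves zlib alone (1.2.13 is already past 1.2.12) and flags readline under the license policy.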
