
Generating an SBOM for Wallarm Docker Images

The Software Bill of Materials (SBOM) is an inventory that lists the software components and their dependencies in an application, including versions, licenses, and vulnerabilities. This article guides you through generating an SBOM for Wallarm Docker images.

You may need to obtain the SBOM for Wallarm Docker Images to assess and mitigate potential security risks associated with the dependencies used in the images. The SBOM offers transparency into the software components and helps to ensure compliance.

The list of Wallarm Docker images

Below is the list of signed Wallarm Docker images. You can generate SBOM for any tag of these images.

SBOM generation for wallarm/node:6.6.0 and higher

Starting from version 6.6.0, the wallarm/node Docker image includes an SBOM by default.

You can inspect or export it directly:

docker sbom wallarm/node:6.6.0

Docker displays the SBOM in SPDX format.

To save it to a file, use:

docker sbom wallarm/node:6.6.0 --output sbom.spdx

SBOM generation with syft

To generate an SBOM for Wallarm Docker images manually, you can use the syft CLI utility.

Requirements

Before generating an SBOM, install syft on your local machine or within your CI/CD pipeline.

SBOM generation procedure

To generate an SBOM for a Docker image, use the following command, replacing the specified image tag with the desired one:

syft wallarm/ingress-controller:4.6.2-1

By default, syft returns the SBOM in text format. You can also generate it in other formats such as CycloneDX or SPDX and save the output to a file, e.g.:

syft wallarm/ingress-controller:4.6.2-1 --output spdx-json > syft_json_sbom.spdx
syft wallarm/ingress-controller:4.6.2-1 --output cyclonedx-json > cyclonedx_json_sbom.cyclonedx

Verifying image authenticity and SBOM integrity

After generating the SBOM, you can leverage it within your CI/CD pipeline for various actions, such as vulnerability scanning, license compliance checks, security audits, or generating reports.
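As an added example of the license compliance check mentioned above (not Wallarm's code and not part of the original article), the script below reads an SPDX 2.x JSON document in the shape syft emits with --output spdx-json and flags packages whose license is undetermined or outside an allow-list. The SBOM document and the allow-list are constructed here; replace them with the file you generated and your own policy.

```python
import json

# Constructed sample shaped like syft's `--output spdx-json` document (not a real Wallarm SBOM).
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "wallarm/ingress-controller:4.6.2-1",
    "packages": [
        {"name": "openssl", "versionInfo": "3.0.13", "licenseConcluded": "Apache-2.0"},
        {"name": "libxml2", "versionInfo": "2.9.14", "licenseConcluded": "MIT"},
        {"name": "readline", "versionInfo": "8.2", "licenseConcluded": "GPL-3.0-only"},
        {"name": "some-tool", "versionInfo": "1.0", "licenseConcluded": "NOASSERTION",
         "licenseDeclared": "NOASSERTION"},
    ],
})

# Hypothetical allow-list; adjust it to your organisation's policy.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC"}


def load_packages(spdx_json: str) -> list[dict]:
    """Return name/version/license for every package in an SPDX 2.x JSON document."""
    doc = json.loads(spdx_json)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2"):
        raise ValueError("not an SPDX 2.x document")
    packages = []
    for pkg in doc.get("packages", []):
        # syft fills licenseConcluded when it can; fall back to licenseDeclared.
        lic = pkg.get("licenseConcluded") or pkg.get("licenseDeclared") or "NOASSERTION"
        packages.append({"name": pkg["name"], "version": pkg.get("versionInfo", ""), "license": lic})
    return packages


def license_findings(packages: list[dict], allowed: set[str]) -> list[dict]:
    """Flag packages whose license is unknown or not in the allow-list.

    A compound SPDX expression such as "MIT AND GPL-2.0-only" is not a single
    allowed identifier, so it is flagged too (conservative by design).
    """
    findings = []
    for pkg in packages:
        if pkg["license"] in ("NOASSERTION", "NONE"):
            findings.append({**pkg, "reason": "license not determined; review manually"})
        elif pkg["license"] not in allowed:
            findings.append({**pkg, "reason": "license not in allow-list"})
    return findings


if __name__ == "__main__":
    for f in license_findings(load_packages(SAMPLE_SPDX_JSON), ALLOWED_LICENSES):
        print(f"{f['name']} {f['version']}: {f['license']} ({f['reason']})")
```

In a pipeline, a non-empty findings list is the natural point to fail the job or open a review ticket.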

To verify that all dependencies truly belong to Wallarm, you can simply check the image's signature as a whole. By digitally signing our images, we guarantee that the signed image is indeed ours. Consequently, this assurance extends to the SBOM, as it will be associated with Wallarm's verified image.