Running the scanner in SBOM mode
December 4, 2024
ID 264539
Kaspersky Container Security allows you to start a scanner to check images for vulnerabilities in SBOM mode. In SBOM mode, the solution scans a specially created SBOM file instead of a TAR archive of the image.
The advantages of using SBOM are the following:
- Less resources required to scan images for vulnerabilities.
- Reduced scanning time due to automatic verification of correct operation and proper use of solution components.
- Capability to scan all existing vulnerabilities in an image without exceptions.
- High reliability of scanning results.
In CI/CD, the scanning process consists of two stages: obtaining an SBOM file and scanning an image based on that SBOM file. The image scanning process is implemented as follows:
- The CI/CD scanner generates a list of image components and sends the generated artifact (the SBOM file) to Kaspersky Container Security.
- Using the image handler, the solution forwards the received SBOM file to the scanner for scanning.
For subsequent scanning, Kaspersky Container Security generates the SBOM file in the CycloneDX format. You can also generate an artifact in the SPDX format for download within the CI/CD process.
To generate an SBOM file in the .SPDX format when the scanner operates with SBOM creation, enter the following command in the .gitlab-ci.yml configuration file:
- /bin/sh /entrypoint.sh $SCAN_TARGET --sbom-json --spdx --stdout > example.spdx
where:
--sbom-json: indicates the creation of an SBOM file.
--spdx: indicates that the artifact is generated in the .SPDX format.
--stdout > example.spdx: indicates that the output is written to a file in the .SPDX format.
To generate an SBOM file in the .JSON format when the scanner operates with SBOM creation, enter the following command in the .gitlab-ci.yml configuration file:
- /bin/sh /entrypoint.sh $SCAN_TARGET --sbom-json --stdout > example.json
where:
--sbom-json: indicates the creation of an SBOM file.
--stdout > example.json: indicates that the output is written to a file in the .JSON format.
The resulting file (for example, example.json) is specified as an artifact in the job:
artifacts:
  paths:
    - example.json
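Because the image handler reports nothing for an SBOM that is empty or malformed, it is worth checking the artifact in the pipeline before it is handed over. The following script is an added example and is not part of Kaspersky Container Security or its entrypoint.sh; it recognises both formats named above (CycloneDX JSON via its bomFormat field, SPDX JSON via its spdxVersion field), counts the listed components and fails the job if there are none. The two embedded documents are constructed samples, not scanner output.

```python
"""Sanity-check an SBOM artifact (CycloneDX or SPDX JSON) before it is uploaded."""
from __future__ import annotations

import json
from typing import Any

# Constructed minimal CycloneDX JSON document (not produced by the scanner).
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.2"},
        {"type": "library", "name": "zlib", "version": "1.2.11"},
    ],
})

# Constructed minimal SPDX 2.3 JSON document (not produced by the scanner).
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "packages": [
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "3.0.2"},
    ],
})


def detect_format(doc: dict) -> str:
    """Return 'cyclonedx' or 'spdx' based on the format marker fields."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    version = doc.get("spdxVersion")
    if isinstance(version, str) and version.startswith("SPDX-"):
        return "spdx"
    raise ValueError("not a CycloneDX or SPDX JSON document")


def extract_components(doc: dict) -> list[tuple[str, str]]:
    """Return (name, version) pairs; CycloneDX uses 'components', SPDX uses 'packages'."""
    if detect_format(doc) == "cyclonedx":
        items = doc.get("components") or []
        return [(c.get("name", ""), c.get("version", "")) for c in items]
    items = doc.get("packages") or []
    return [(p.get("name", ""), p.get("versionInfo", "")) for p in items]


def validate_sbom(text: str) -> dict[str, Any]:
    """Return a summary of the SBOM, or raise ValueError if it is unusable."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"artifact is not valid JSON: {exc}") from None
    if not isinstance(doc, dict):
        raise ValueError("top-level JSON value must be an object")
    fmt = detect_format(doc)
    components = extract_components(doc)
    if not components:
        # An empty component list would make the vulnerability scan silently report nothing.
        raise ValueError("SBOM lists no components")
    missing_version = [name for name, version in components if not version]
    return {
        "format": fmt,
        "components": len(components),
        "missing_version": missing_version,
    }


if __name__ == "__main__":
    import sys

    # Usage: python check_sbom.py example.json  (falls back to the embedded sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else CYCLONEDX_SAMPLE
    try:
        print(validate_sbom(text))
    except ValueError as err:
        print(f"SBOM check failed: {err}", file=sys.stderr)
        sys.exit(1)
```

Run it as a job step between the entrypoint.sh command and the artifacts upload; a non-zero exit stops the job so that an unusable SBOM never reaches the image handler. Components without a version are only reported, not rejected, because the scanner may still match them by name.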
Scanning using an SBOM file applies only to scanning an image for vulnerabilities. If your CI/CD process also requires scanning for other risks and threats (such as misconfigurations), you must run the corresponding scan separately and pass its results to the image handler in addition to the SBOM file.