Tool integration

docker-sbom Integration Guide

Docker built-in SBOM generation using the docker sbom command

Get a Free API Key

Generate SBOMs from Docker container images using the docker sbom command and upload to Vulnetix for supply chain tracking.

CLI toolCycloneDXSPDX

Install & scan

$ # docker sbom is available in Docker Engine 20.10+
docker --version
# Docker SBOM uses Syft under the hood
$ # Generate CycloneDX SBOM from a container image
docker sbom myimage:latest --format cyclonedx-json > docker-sbom.cdx.json

# Or SPDX format
docker sbom myimage:latest --format spdx-json > docker-sbom.spdx.json

Run docker-sbom in CI

Scan on every push and upload the results to Vulnetix:

- name: Generate SBOM
  run: docker sbom myapp:${{ github.sha }} --format cyclonedx-json > docker-sbom.cdx.json

- name: Upload to Vulnetix
  run: vulnetix upload --file docker-sbom.cdx.json

How Vulnetix compares — better together

Vulnetix does not replace docker-sbom. Keep running it. Vulnetix sits on top of docker-sbom — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

docker-sbom is strongest at its core category and also carries features in Container & Image Scanning, SCA — just like Vulnetix spans categories.

CapabilityVulnetixdocker-sbom
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentation
SCA / dependencies40+ ecosystems, transitive graph~ Enumerates OS + language dependencies as an inventory but does NOT match them to CVEs
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, DockerfileCatalogs container image contents layer-by-layer (Syft engine)
IaC / misconfigurationTerraform, k8s, CloudFormation
Secret scanning1,000+ rules, source + binary + git history
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signableGenerates image SBOMs in SPDX/CycloneDX/syft-json; core purpose of the command
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What docker-sbom does well

Where Vulnetix adds to it: docker sbom (now deprecated in favour of docker scout sbom) produces a component inventory but does no vulnerability matching, prioritisation, or policy. Vulnetix ingests that CycloneDX/SPDX SBOM and layers cross-scanner dedup, exploit-intel prioritisation (EPSS/KEV/LEV), reachability, versioned VEX and autofix on top; Vulnetix also emits CycloneDX 1.7 + SPDX 2.3 natively, so it complements rather than replaces this generator.

No migration, no rip-and-replace. docker-sbom keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise docker-sbom results in Vulnetix

Upload docker-sbom CycloneDX, SPDX output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

docker-sbom documentation ↗

Wire docker-sbom into your CI/CD pipeline →