Hello,
What would you like to be added:
Have you thought about adding build time support?
Why is this needed:
With post-build scanning it's still possible to miss some details, like changes done by the compiler or other tools used during building an image.
Only a few SBOM generation tools already support build-time generation (like Salus or pkgconf bomtool, for example), but none of them is universal and complete enough to capture various Docker builds.
The only option for the moment is implementing a build-time SBOM generation tool that fits building Docker images and making it part of the build process, which is a fully valid and well-working option. Still, as there is already an experimental `docker sbom` feature, it would be great to have a generic build-time configuration.
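To make the build-time versus post-build distinction in this request concrete, here is an added example (not code from this issue, nor from the `docker sbom` plugin) of a minimal build-time collector: it walks a Dockerfile stage by stage, records the base image and the packages installed by `apk`/`apt-get`/`pip` in each `RUN` line, and tags everything that lives only in an earlier builder stage as `build-only`. A post-build scan of the final image sees only the last stage's filesystem, so those builder-stage components (the compiler and headers in the sample below) are exactly what it cannot report. The sample Dockerfile, the `collect_build_time_sbom` function and the simplified record format are all assumptions made for this illustration, not a CycloneDX or SPDX document.

```python
import json
import re

# Constructed sample Dockerfile for the example (not from the original post):
# a builder stage with a toolchain, and a slim final stage that only receives the binary.
SAMPLE_DOCKERFILE = """\
FROM golang:1.20-alpine AS builder
RUN apk add --no-cache gcc musl-dev && \\
    go build -o /out/app ./cmd/app
FROM alpine:3.18
RUN apk add --no-cache ca-certificates
COPY --from=builder /out/app /usr/local/bin/app
"""

# Install commands recognised inside RUN lines: (regex capturing the arguments, installer label).
INSTALL_PATTERNS = [
    (re.compile(r'\bapk\s+add\s+(.*)'), "apk"),
    (re.compile(r'\bapt-get\s+install\s+(.*)'), "apt"),
    (re.compile(r'\bpip3?\s+install\s+(.*)'), "pip"),
]
FROM_RE = re.compile(r'^FROM\s+(\S+)(?:\s+AS\s+(\S+))?\s*$', re.IGNORECASE)


def _logical_lines(text):
    """Join backslash-continued Dockerfile lines and drop comments and blank lines."""
    buf, out = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf.strip())
    return out


def _packages(args):
    """Package names from an install argument string; flags such as -y or --no-cache are skipped."""
    return [a for a in args.split() if not a.startswith("-")]


def collect_build_time_sbom(dockerfile):
    """Record base images and installed packages per stage while 'watching' the build.

    Components in the final stage get scope 'runtime'; anything that only exists in an
    earlier stage gets scope 'build-only' (hypothetical labels chosen for this example).
    """
    stages, components = [], []
    for line in _logical_lines(dockerfile):
        m = FROM_RE.match(line)
        if m:
            name = m.group(2) or f"stage{len(stages)}"
            stages.append(name)
            components.append({"type": "image", "name": m.group(1), "stage": name})
            continue
        if line.upper().startswith("RUN ") and stages:
            # A RUN line may chain several commands; inspect each one separately.
            for part in re.split(r'&&|;', line[4:]):
                for pattern, installer in INSTALL_PATTERNS:
                    m = pattern.search(part)
                    if m:
                        for pkg in _packages(m.group(1)):
                            components.append({"type": installer, "name": pkg, "stage": stages[-1]})
    final = stages[-1] if stages else None
    for c in components:
        c["scope"] = "runtime" if c["stage"] == final else "build-only"
    return {"final_stage": final, "components": components}


def build_only_names(sbom):
    """Components a post-build scan of the final image would not see."""
    return sorted({c["name"] for c in sbom["components"] if c["scope"] == "build-only"})


def runtime_names(sbom):
    """Components that a post-build scan of the final image could also find."""
    return sorted({c["name"] for c in sbom["components"] if c["scope"] == "runtime"})


if __name__ == "__main__":
    print(json.dumps(collect_build_time_sbom(SAMPLE_DOCKERFILE), indent=2))
```

Running it on the sample prints the compiler, `musl-dev` and the `golang` base image as `build-only`, while only `ca-certificates` and the `alpine` base image are `runtime`. That gap is the information a post-build scan loses and a build-time hook could retain.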