SBOM

Self-hosted

A Software Bill of Materials (SBOM) is a detailed inventory or list of all the components, libraries, dependencies, and software used within a specific application or system. It provides critical transparency into the makeup of software.

As a fundamental security measure, we create an SBOM (Software Bill of Materials) for the software, covering all libraries and the Docker base image, and attach it to the provided container image. You can extract the SBOM from the image and feed it into your internal security check procedures, if applicable.

View SBOM

You can use the docker CLI directly to view the SBOM and list all the components included in the application. Several output formats are supported.

docker sbom entropy-data/entropy-data-ce:latest
docker sbom entropy-data/entropy-data-ce:latest --format spdx-json
docker sbom entropy-data/entropy-data-ce:latest --format cyclonedx-xml

Trivy

Among other tools, we use Trivy to automatically identify vulnerabilities, misconfigurations and leaked secrets.

Export SBOM

Export the SBOM in SPDX JSON format with trivy (or with docker sbom --format spdx-json, as shown above):

# export the sbom from the container image
trivy image --format spdx-json --output sbom.json entropy-data/entropy-data-ce:latest

Scan the exported SBOM

# scan the SBOM for vulnerabilities; the scanner name is "vuln", and an SBOM file
# carries no configuration or secrets, so the misconfig and secret scanners do not apply here
trivy sbom --scanners vuln sbom.json
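The exported sbom.json is what an internal check consumes. The Python script below is an added example, not part of these docs or of the Entropy Data tooling: it normalizes either an SPDX JSON or a CycloneDX JSON document (the two formats shown under View SBOM) into one component list and runs a constructed policy over it, flagging components recorded without a version (which cannot be matched against any advisory feed) and components on an internal deny list. The two SBOM documents, the deny-list entry and the package names are constructed sample data, and `load_components`, `check_policy` and `purl_base` are hypothetical helper names.

```python
"""Normalize an exported SBOM (SPDX JSON or CycloneDX JSON) and run an internal policy check.

Constructed example: the SBOM documents below are hand-written stand-ins for the output of
`docker sbom ... --format spdx-json` / `--format cyclonedx-json` or `trivy image --format spdx-json`.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str  # empty when the SBOM does not record one
    purl: str     # package URL, empty when absent


def purl_base(purl: str) -> str:
    """Strip version and qualifiers: 'pkg:deb/debian/zlib1g@1.2.13?arch=amd64' -> 'pkg:deb/debian/zlib1g'."""
    return purl.split("@", 1)[0].split("?", 1)[0]


def parse_spdx(doc: dict) -> list[Component]:
    """Read SPDX 2.x JSON; skip the root package the document DESCRIBES (the image itself)."""
    roots = {r["relatedSpdxElement"] for r in doc.get("relationships", [])
             if r.get("relationshipType") == "DESCRIBES"}
    roots.update(doc.get("documentDescribes", []))
    comps = []
    for pkg in doc.get("packages", []):
        if pkg.get("SPDXID") in roots:
            continue
        purl = next((ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"), "")
        comps.append(Component(pkg["name"], pkg.get("versionInfo", ""), purl))
    return comps


def parse_cyclonedx(doc: dict) -> list[Component]:
    """Read CycloneDX JSON; metadata.component (the image) is already separate from components."""
    return [Component(c["name"], c.get("version", ""), c.get("purl", ""))
            for c in doc.get("components", [])]


def load_components(text: str) -> list[Component]:
    """Detect the SBOM format from its top-level keys and normalize it."""
    doc = json.loads(text)
    if "spdxVersion" in doc:
        return parse_spdx(doc)
    if doc.get("bomFormat") == "CycloneDX":
        return parse_cyclonedx(doc)
    raise ValueError("unrecognized SBOM format: expected SPDX JSON or CycloneDX JSON")


# Constructed internal policy: (purl without version, exact version) pairs that must not ship.
# The entry is fictitious and stands in for whatever your own review process pins.
DENY_LIST = {("pkg:pypi/example-internal-lib", "1.2.3")}


def check_policy(components: list[Component]) -> list[str]:
    """Return human-readable findings; an empty list means the SBOM passes the policy."""
    findings = []
    for c in components:
        if not c.version:
            findings.append(f"{c.name}: no version recorded in SBOM")
        if c.purl and (purl_base(c.purl), c.version) in DENY_LIST:
            findings.append(f"{c.name}@{c.version}: on internal deny list")
    return findings


# Constructed sample SBOMs (not real scanner output).
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "entropy-data/entropy-data-ce:latest",
    "packages": [
        {"SPDXID": "SPDXRef-Image", "name": "entropy-data/entropy-data-ce:latest"},
        {"SPDXID": "SPDXRef-1", "name": "zlib1g", "versionInfo": "1.2.13",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/zlib1g@1.2.13?arch=amd64"}]},
        {"SPDXID": "SPDXRef-2", "name": "example-internal-lib", "versionInfo": "1.2.3",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/example-internal-lib@1.2.3"}]},
        {"SPDXID": "SPDXRef-3", "name": "left-over-script", "versionInfo": ""},
    ],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Image",
                       "relationshipType": "DESCRIBES"}],
})
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "entropy-data/entropy-data-ce:latest"}},
    "components": [
        {"type": "library", "name": "zlib1g", "version": "1.2.13",
         "purl": "pkg:deb/debian/zlib1g@1.2.13?arch=amd64"},
        {"type": "library", "name": "example-internal-lib", "version": "1.2.3",
         "purl": "pkg:pypi/example-internal-lib@1.2.3"},
    ],
})

if __name__ == "__main__":
    for label, text in (("spdx", SAMPLE_SPDX), ("cyclonedx", SAMPLE_CYCLONEDX)):
        comps = load_components(text)
        print(f"{label}: {len(comps)} components")
        for finding in check_policy(comps):
            print("  FINDING:", finding)
```

To run it against a real export, replace the sample text with `open("sbom.json").read()`; the deny list is matched on the purl without version or qualifiers, so one entry covers the same package regardless of architecture qualifier.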

Scan Container image directly

# scan the container image for vulnerabilities, misconfigurations and secrets
# (the vulnerability scanner is named "vuln" in trivy's --scanners flag)
trivy image --scanners vuln,misconfig,secret entropy-data/entropy-data-ce:latest

Configure Trivy to use a private registry

# set up container registry authentication
export TRIVY_USERNAME=...
export TRIVY_PASSWORD=...