The latest release series of BuildKit, v0.11, introduces support for build-time attestations and SBOMs, allowing publishers to create images with records of how the image was built. In this blog post, we’ll discuss what attestations and SBOMs are, how to build images that contain SBOMs, and how to start analyzing the resulting data!
You can check that the new builder is configured correctly, and that it is running the BuildKit v0.11 release series:

```
$ docker buildx inspect | grep -i buildkit
Buildkit: v0.11.1
```
Here's how you view the generated SBOM using buildx imagetools:

```
$ docker buildx imagetools inspect
```
If your target image is built for multiple architectures using the `--platform` flag (https://docs.docker.com/engine/reference/commandline/buildx_build/#platform), the SBOM attestation is keyed by platform, so you'll need a slightly different syntax to extract it:

```
$ docker buildx imagetools inspect
```
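Once the SBOM is out of the image, the useful questions are "which version of package X did this image ship with?" and, for multi-platform images, "do all architectures actually contain the same packages?". The script below is an added example (not from the original post and not Docker's or BuildKit's own code) that answers both. It assumes the JSON shape produced by `docker buildx imagetools inspect <image> --format '{{json .SBOM}}'`: a top-level `SPDX` key for a single-platform image, or a map keyed by platform string (`linux/amd64`, ...) whose values each carry an `SPDX` key for a multi-platform image. The SPDX documents embedded here are constructed sample data, trimmed to the fields the script reads; the function names (`find_package`, `platform_drift`, `unlicensed_packages`) are mine.

```python
"""Summarise BuildKit SBOM attestations as returned by
`docker buildx imagetools inspect <image> --format '{{json .SBOM}}'`.

Assumed input shapes (an assumption about the inspect output, not part of
the original post):
  single-platform image : {"SPDX": <spdx document>}
  multi-platform image  : {"linux/amd64": {"SPDX": ...}, "linux/arm64": {"SPDX": ...}}
"""
from __future__ import annotations

import json


def _pkg(name: str, version: str, license_: str | None = None) -> dict:
    """Build a minimal SPDX package entry for the constructed samples below."""
    entry = {"name": name, "SPDXID": f"SPDXRef-Package-{name}", "versionInfo": version}
    if license_:
        entry["licenseConcluded"] = license_
    return entry


def _spdx(packages: list[dict]) -> dict:
    """Wrap package entries in a minimal SPDX 2.3 document skeleton."""
    return {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
            "name": "sbom", "packages": packages}


# Constructed sample data: a single-platform image ...
SINGLE_PLATFORM_SBOM = {"SPDX": _spdx([
    _pkg("alpine-baselayout", "3.4.0-r0", "GPL-2.0-only"),
    _pkg("busybox", "1.35.0-r29", "GPL-2.0-only"),
    _pkg("openssl", "3.0.7-r0", "Apache-2.0"),
    _pkg("ca-certificates", "20220614-r4"),          # no licenseConcluded
])}

# ... and a multi-platform image where the arm64 build drifted: it carries an
# older openssl and lacks ca-certificates entirely.
MULTI_PLATFORM_SBOM = {
    "linux/amd64": SINGLE_PLATFORM_SBOM,
    "linux/arm64": {"SPDX": _spdx([
        _pkg("alpine-baselayout", "3.4.0-r0", "GPL-2.0-only"),
        _pkg("busybox", "1.35.0-r29", "GPL-2.0-only"),
        _pkg("openssl", "3.0.5-r0", "Apache-2.0"),
    ])},
}


def load_inspect_output(text: str) -> dict:
    """Parse the raw JSON printed by imagetools inspect."""
    return json.loads(text)


def sboms_by_platform(inspect_output: dict) -> dict[str, dict]:
    """Normalise both shapes to {platform: spdx_document}."""
    if "SPDX" in inspect_output:
        return {"default": inspect_output["SPDX"]}
    return {plat: doc["SPDX"] for plat, doc in inspect_output.items()
            if isinstance(doc, dict) and "SPDX" in doc}


def package_versions(spdx_doc: dict) -> dict[str, str]:
    """Map package name -> versionInfo for one SPDX document."""
    return {p["name"]: p.get("versionInfo", "")
            for p in spdx_doc.get("packages", []) if "name" in p}


def find_package(inspect_output: dict, name: str) -> dict[str, str]:
    """Return {platform: version} for every platform whose SBOM lists `name`."""
    result = {}
    for plat, doc in sboms_by_platform(inspect_output).items():
        versions = package_versions(doc)
        if name in versions:
            result[plat] = versions[name]
    return result


def platform_drift(inspect_output: dict) -> dict[str, dict[str, str | None]]:
    """Packages whose version differs (or is missing, reported as None) across
    platforms. Any hit means the architectures were not built from identical
    inputs, which is exactly what a cross-platform SBOM is meant to surface."""
    per_platform = {plat: package_versions(doc)
                    for plat, doc in sboms_by_platform(inspect_output).items()}
    names = set().union(*per_platform.values()) if per_platform else set()
    drift = {}
    for name in sorted(names):
        versions = {plat: pv.get(name) for plat, pv in per_platform.items()}
        if len(set(versions.values())) > 1:
            drift[name] = versions
    return drift


def unlicensed_packages(spdx_doc: dict) -> list[str]:
    """Packages with no concluded license (SPDX treats absence as NOASSERTION)."""
    return sorted(p["name"] for p in spdx_doc.get("packages", [])
                  if p.get("licenseConcluded", "NOASSERTION") == "NOASSERTION")


if __name__ == "__main__":
    data = load_inspect_output(json.dumps(MULTI_PLATFORM_SBOM))
    print("openssl per platform:", find_package(data, "openssl"))
    print("drift across platforms:", json.dumps(platform_drift(data), indent=2))
    for plat, doc in sboms_by_platform(data).items():
        print(plat, "unlicensed:", unlicensed_packages(doc))
```

Against a real image you would pipe the inspect output into `load_inspect_output` instead of the constructed samples; the rest of the script does not care whether the image is single- or multi-platform because `sboms_by_platform` normalises both shapes first.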