This document describes how to create and store a software bill of materials (SBOM) listing the dependencies in your container images.
When you store container images in Artifact Registry and scan them for vulnerabilities with Artifact Analysis, you can then generate an SBOM using the Google Cloud CLI.
For information on using vulnerability scanning, see Automatic scanning and Pricing.
Artifact Analysis stores SBOMs in Cloud Storage. For more information on Cloud Storage costs, see Pricing.
Before you begin
- Sign in to your Google Account. If you don't already have one, sign up for a new account.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  Roles required to select or create a project:
  - Select a project: selecting a project doesn't require a specific IAM role; you can select any project that you've been granted a role on.
  - Create a project: to create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
- Verify that billing is enabled for your Google Cloud project.
- Enable the Artifact Registry, Container Analysis, and Container Scanning APIs.
  Roles required to enable APIs: you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
- Install the Google Cloud CLI.
- If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- To initialize the gcloud CLI, run the following command: gcloud init
- Create a Docker repository in Artifact Registry and push a container image to the repository. If you are not familiar with Artifact Registry, see the Docker quickstart.
Required roles
    
      To get the permissions that
      you need to manage Cloud Storage buckets and upload SBOM files,
    
      ask your administrator to grant you the
    
  
  
    
      Storage Admin  (roles/storage.admin)
     IAM role on the project.
  
  
  
  
  For more information about granting roles, see Manage access to projects, folders, and organizations.
  
  
You might also be able to get the required permissions through custom roles or other predefined roles.
Generate an SBOM file
To generate an SBOM file, use the following command:
gcloud artifacts sbom export --uri=URI
Where:
- URI is the Artifact Registry image URI that the SBOM file describes, similar to us-east1-docker.pkg.dev/my-image-repo/my-image. Images can be in either tag format or digest format. Images provided in tag format will be resolved into digest format.
Artifact Analysis stores your SBOM in Cloud Storage.
You can view SBOMs by using the Google Cloud console or the gcloud CLI. If you want to locate the Cloud Storage bucket that contains your SBOMs, you must search for SBOMs using the gcloud CLI.
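As an added example (not from the Google Cloud documentation or the gcloud CLI itself), the following POSIX shell script checks whether an Artifact Registry image URI is tag- or digest-addressed, builds the export command above from it, and, when gcloud is installed, pins a tag to its digest before exporting. The field name it reads from gcloud's describe output (image_summary.fully_qualified_digest) is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Google Cloud docs or the gcloud CLI itself.
# Classifies an Artifact Registry Docker image URI as tag- or digest-addressed
# and builds the "gcloud artifacts sbom export" command for it. Digest form is
# preferred: the exported SBOM then describes one immutable image, not whatever
# the tag points to at export time.

# Print "digest" or "tag" for URI; fail if it is not a *-docker.pkg.dev URI
# or carries a malformed sha256 digest.
ar_ref_kind() {
  uri=$1
  case $uri in
    *-docker.pkg.dev/*@sha256:*)
      digest=${uri##*@sha256:}
      [ "${#digest}" -eq 64 ] || { echo "bad digest length: $uri" >&2; return 1; }
      case $digest in
        *[!0-9a-f]*) echo "non-hex digest: $uri" >&2; return 1 ;;
      esac
      echo digest ;;
    *-docker.pkg.dev/*) echo tag ;;   # explicit :tag, or implicit :latest
    *) echo "not an Artifact Registry Docker URI: $uri" >&2; return 1 ;;
  esac
}

# Print the export command for URI (for display or a runbook); warn on stderr
# when a tag is used, since the export resolves it to a digest.
sbom_export_cmd() {
  kind=$(ar_ref_kind "$1") || return 1
  [ "$kind" = tag ] && echo "note: $1 is a tag; export resolves it to a digest" >&2
  printf 'gcloud artifacts sbom export --uri=%s\n' "$1"
}

# Resolve a tag to its digest-form URI. Assumption: the describe output exposes
# image_summary.fully_qualified_digest; requires gcloud and read access.
ar_resolve_digest() {
  gcloud artifacts docker images describe "$1" \
    --format='value(image_summary.fully_qualified_digest)'
}

# Usage: sh sbom_export.sh IMAGE_URI  (set DRY_RUN=1 to only print the command)
if [ "$#" -gt 0 ]; then
  uri=$1
  sbom_export_cmd "$uri" || exit 1
  [ -n "${DRY_RUN:-}" ] && exit 0
  command -v gcloud >/dev/null || { echo "gcloud not installed" >&2; exit 1; }
  # Pin to the digest before exporting so the SBOM is tied to that exact image.
  if [ "$(ar_ref_kind "$uri")" = tag ]; then uri=$(ar_resolve_digest "$uri") || exit 1; fi
  gcloud artifacts sbom export --uri="$uri"   # argument passed directly, not eval'd
fi
```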
Generate an SBOM without vulnerability scanning
If you want to generate an SBOM, but you don't want ongoing vulnerability scanning for your project, you can still export an SBOM if you enable the Container Scanning API before you push the image to Artifact Registry. After your image is pushed to Artifact Registry, and you have exported an SBOM, you must disable the Container Scanning API to prevent being billed for further vulnerability scanning.