Scan a Containerized Project for Supply-Chain Signals
Scan a Dockerized project so Vibgrate's Build & Deploy Scanner detects containerization signals, review them in a report, and export a CycloneDX SBOM to ship with the image.
Containerized projects have an extra supply-chain layer: the image and its build configuration. Vibgrate's Build & Deploy Scanner detects containerization and infrastructure-as-code signals during a normal scan, and you can export an SBOM of the project's dependencies. This tutorial covers both for a Dockerized project.
Prerequisites
- A project with a Dockerfile
- Node.js installed
Steps
1. Install the CLI
npm i -g @vibgrate/cli
2. Scan the containerized project
From the project root that contains your Dockerfile:
vg
The scan runs the Build & Deploy Scanner, which detects CI/CD systems, containerization, and infrastructure-as-code in your repository.
3. Review build and deploy signals
Generate a report to see the detected signals:
vg report
Look for the build and deploy section, which confirms containerization was detected and surfaces related configuration signals.
4. Export the SBOM
Export a CycloneDX SBOM of the project's dependencies:
vg sbom export --format cyclonedx --out sbom.cdx.json
This inventories the application dependencies that go into your image.
5. Use the SBOM with your image
Ship sbom.cdx.json alongside the published image, or attach it to the release that builds the image, so consumers can audit what the container carries.
Verification
vg exits 0, the report shows containerization detected, and sbom.cdx.json lists the project dependencies.
Next Steps
Generate the SBOM in CI on every image build, and verify supply-chain posture before shipping by combining the scan, report, and SBOM in one gate.