Super SBOMs: See exactly what's inside
Chainguard Containers ship with Software Bills of Materials (SBOMs) that now include detailed information about binaries and the libraries they contain. When you pull an SBOM, you'll see not just installed packages and their sources, but also the Go modules, Java dependencies, and other artifact ecosystems included in each binary. We're also introducing CycloneDX format support alongside existing SPDX SBOMs, giving teams flexibility to consume this richer data in whichever format fits their tooling.
When a CVE hits a widely used library, security teams need to know: "Are we affected?" Answering that requires knowing not just which packages are installed, but what's inside them. A Go binary might statically link dozens of modules; a Java application might embed hundreds of dependencies inside its JARs. Without visibility into those embedded components, a scanner can neither confirm nor rule out that a given vulnerability is present in a running application. The faster you can trace from a vulnerability to the specific binary that carries it, the faster you can respond. The same visibility matters for license compliance: a license that applies only to an embedded module can't be tracked unless that module is listed.
What's new
We've extended our build pipeline to detect and catalog components during the Melange build process, which builds Wolfi packages from source to power Chainguard Containers. We now capture:
Name and version for each detected component
Package URLs (purls) for programmatic identification
CONTAINS and DEPENDENCY_OF relationships per SPDX 2.3 (a package CONTAINS the binaries it installs; a module is DEPENDENCY_OF the binary it is linked into)
These relationships let you trace which binary contains which library. This makes it possible to move from a vulnerable component to the exact binary that includes it, rather than treating the image as a black box. When a scanner flags a vulnerable Go module, this data lets you pinpoint the specific binary that needs attention.
For example, this changelog shows a recent image rebuild that updated a single package (glibc-locale-posix), alongside a prior rebuild that updated multiple components. The corresponding SBOM exposes the binaries and embedded libraries contained within each package in the image.
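The following is an added example, not code from the post or from Chainguard's tooling, showing how the CONTAINS and DEPENDENCY_OF relationships let you answer "are we affected?" programmatically. It builds a constructed, minimal SPDX 2.3 JSON SBOM (the image, package, binary and module names are hypothetical; no real vulnerability is implied), walks the relationships from a flagged purl up to the image, and reports every chain and every binary that directly carries the component. Relationship directions follow the SPDX definitions (A CONTAINS B, A DEPENDENCY_OF B, and the inverse A DEPENDS_ON B); check a real SBOM's relationships before relying on a particular nesting.

```python
"""Trace a flagged component back to the binaries, packages and image that
carry it by walking CONTAINS / DEPENDENCY_OF edges in an SPDX 2.3 JSON SBOM.
Added example with a constructed SBOM; names below are hypothetical."""
import json
from collections import defaultdict

_PACKAGES = [  # (SPDXID, name, purl) -- constructed sample data
    ("SPDXRef-image", "cgr.dev/example/example-image", "pkg:oci/example-image@sha256%3A0000"),
    ("SPDXRef-apk-tool", "example-tool", "pkg:apk/wolfi/example-tool@1.2.3-r0?arch=x86_64"),
    ("SPDXRef-apk-helper", "example-helper", "pkg:apk/wolfi/example-helper@0.9.0-r1?arch=x86_64"),
    ("SPDXRef-apk-glibc", "glibc-locale-posix", "pkg:apk/wolfi/glibc-locale-posix@2.40-r5?arch=x86_64"),
    ("SPDXRef-bin-tool", "/usr/bin/example-tool", "pkg:generic/example-tool@1.2.3"),
    ("SPDXRef-bin-helper", "/usr/bin/example-helper", "pkg:generic/example-helper@0.9.0"),
    ("SPDXRef-mod-xnet", "golang.org/x/net", "pkg:golang/golang.org/x/net@v0.23.0"),
    ("SPDXRef-mod-cobra", "github.com/spf13/cobra", "pkg:golang/github.com/spf13/cobra@v1.8.0"),
]
_RELATIONSHIPS = [  # (spdxElementId, relationshipType, relatedSpdxElement)
    ("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-image"),
    ("SPDXRef-image", "CONTAINS", "SPDXRef-apk-tool"),
    ("SPDXRef-image", "CONTAINS", "SPDXRef-apk-helper"),
    ("SPDXRef-image", "CONTAINS", "SPDXRef-apk-glibc"),
    ("SPDXRef-apk-tool", "CONTAINS", "SPDXRef-bin-tool"),
    ("SPDXRef-apk-helper", "CONTAINS", "SPDXRef-bin-helper"),
    ("SPDXRef-mod-xnet", "DEPENDENCY_OF", "SPDXRef-bin-tool"),    # module linked into binary
    ("SPDXRef-mod-cobra", "DEPENDENCY_OF", "SPDXRef-bin-tool"),
    ("SPDXRef-bin-helper", "DEPENDS_ON", "SPDXRef-mod-xnet"),     # same edge, other direction
]
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "sbom-example",
    "packages": [{"SPDXID": i, "name": n, "externalRefs": [{
        "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": u}]}
        for i, n, u in _PACKAGES],
    "relationships": [{"spdxElementId": a, "relationshipType": t, "relatedSpdxElement": b}
                      for a, t, b in _RELATIONSHIPS],
})


def index_sbom(sbom_json):
    """Return (id->name, purl->id, element->[carriers]) for an SPDX JSON doc.
    A carrier of X is the element that contains X or links X in."""
    doc = json.loads(sbom_json)
    names = {p["SPDXID"]: p["name"] for p in doc["packages"]}
    purls = {}
    for p in doc["packages"]:
        for ref in p.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purls[ref["referenceLocator"]] = p["SPDXID"]
    carriers = defaultdict(list)
    for r in doc.get("relationships", []):
        a, kind, b = r["spdxElementId"], r["relationshipType"], r["relatedSpdxElement"]
        if kind == "CONTAINS":          # A CONTAINS B: B sits inside A
            carriers[b].append(a)
        elif kind == "DEPENDENCY_OF":   # A DEPENDENCY_OF B: A is built into B
            carriers[a].append(b)
        elif kind == "DEPENDS_ON":      # A DEPENDS_ON B: B is built into A
            carriers[b].append(a)
    return names, purls, carriers


def trace(sbom_json, purl):
    """All root-to-component chains (as names) for the element with `purl`,
    e.g. [image, apk package, binary, module]. [] means the purl is absent."""
    names, purls, carriers = index_sbom(sbom_json)
    start = purls.get(purl)
    if start is None:
        return []
    chains = []

    def climb(node, path, seen):
        parents = [p for p in carriers.get(node, []) if p not in seen]
        if not parents:  # reached a root, normally the image itself
            chains.append([names.get(n, n) for n in reversed(path)])
            return
        for p in parents:  # a module may be linked into several binaries
            climb(p, path + [p], seen | {p})

    climb(start, [start], {start})
    return sorted(chains)


def affected_binaries(sbom_json, purl):
    """Names of the elements that directly carry the flagged component."""
    return sorted({c[-2] for c in trace(sbom_json, purl) if len(c) > 1})


if __name__ == "__main__":
    for chain in trace(SAMPLE_SBOM, "pkg:golang/golang.org/x/net@v0.23.0"):
        print(" -> ".join(chain))
```

Run against a real SBOM, the `purl` argument is the one a scanner reports for the flagged module; an empty result means the module is not listed anywhere in the image, while a non-empty one names the exact binaries (and their apk packages) that need a rebuild.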

SBOM format support now includes CycloneDX
In addition to SPDX, Chainguard Containers now support CycloneDX SBOMs. CycloneDX is a widely adopted standard, particularly in security and compliance workflows, and provides teams with another interoperable way to consume SBOM data alongside existing formats.
CycloneDX SBOMs are published as attestations alongside existing SPDX SBOMs. The underlying data model remains the same, ensuring equivalent fidelity across formats rather than a reduced or lossy translation.
You can retrieve CycloneDX SBOMs using cosign with the CycloneDX predicate type, following the same workflow you already use for other attestations. No new distribution mechanisms are required. The crane digest call resolves the image to its platform-specific digest; attestations are attached to that per-platform image rather than to the multi-arch index, so keep the --platform flag and pin the digest rather than a tag:

cosign download attestation \
  --predicate-type cyclonedx \
  $(crane digest --platform linux/amd64 --full-ref cgr.dev/$YOUR_ORG_NAME/keycloak) \
  | jq -r '.payload' \
  | base64 -d \
  | jq -r '.predicate'
CycloneDX SBOMs are generated for new customer image builds and rebuilds, including Custom Assembly images.
How it works
We generate this data as part of our Melange-based package builds. Detected components become part of the package SBOM, which flows into the image SBOM when apko assembles the final container. This means:
SBOM data comes from the same build that produces the package
No separate scanning step or additional tooling required
Package-level details automatically appear in image SBOMs
SPDX and CycloneDX SBOMs are generated from the same source of truth
Available now for Chainguard Containers
Binary and library component data are included with the SBOMs that ship with all Chainguard Containers. CycloneDX SBOMs are available today via cosign download, with console UI support coming soon. Existing SPDX-based workflows continue to work without change.
We're rolling this out across all packages, giving you deeper visibility without any changes to how you retrieve or consume SBOM data. Get in touch with our team to learn more.