Docker Container SBOM Scan

Raynet One > 2026.2 > User Guide > Workspaces in the sidebar menu > Asset Management > Containers 

As part of the Docker container inventory, Raynet One automatically performs a Software Bill of Materials (SBOM) scan on each discovered Docker image. This scan provides a detailed inventory of the software packages contained within each image, giving you full visibility into the software components of your containerized environment.

 

The SBOM scan is conditional: it runs automatically if the required tooling is present on the runner or host machine. If the prerequisite is not met, the scan is gracefully skipped without affecting other parts of the inventory.

 

What is an SBOM?

A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of the software components and dependencies included in a software artifact — in this case, a Docker image. SBOMs are used to assess license compliance, identify known vulnerabilities, and maintain transparency about the software supply chain.

 

Raynet One collects SBOM data in CycloneDX JSON format, an industry-standard specification for describing software components and their relationships.

 

Prerequisites

For the automatic SBOM scan to execute, the following requirement must be satisfied on the runner or host machine performing the Docker inventory:

 

Docker Scout CLI plugin — The Docker Scout plugin must be installed and accessible on the runner host. This plugin provides the docker sbom command used by Raynet One to generate the SBOM output for each image.

 

Docker Scout is available as part of Docker Desktop or can be installed separately as a standalone Docker CLI plugin. Refer to the official Docker documentation for installation instructions.

 

Verifying the prerequisite

To confirm that the Docker Scout plugin is available on the runner host, run the following command on the host machine:

 

docker sbom --help

 

If the command is recognized and displays usage information, the prerequisite is met. If the command is not found, the Docker Scout plugin is not installed, and SBOM scans will be skipped.

 

How the Scan Works

The SBOM scan is performed automatically during each Docker inventory run. No additional configuration is required beyond the Docker Scout plugin being present.

 

For each Docker image discovered on the scanned host, Raynet One executes an SBOM generation command via the runner's remote connection to the target machine. The scan is performed per image and uses the full image name including tag (for example, nginx:latest).

 

The process operates as follows:

 

1. During a Docker inventory run, Raynet One collects the list of all Docker images on the target host.

2. For each image, an SBOM scan command is issued remotely via the runner's connection.

3. The output is collected in CycloneDX JSON format and stored as part of the inventory result.

4. The individual software components are extracted from the CycloneDX output and made available in the Raynet One web interface.

 

Collected SBOM Data

For each software component identified within a Docker image, the following attributes are collected:

 

Name — The name of the software package.

Version — The version of the package as reported by the SBOM.

Type — The component type (for example, library, application, or operating system).

PURL — Package URL, a universal identifier for the package across package managers and ecosystems.

CPE — Common Platform Enumeration identifier, used for vulnerability correlation.

Licenses — License identifiers associated with the package (for example, MIT, Apache-2.0).

Image — The name of the Docker image the component belongs to.

 

Behavior When Prerequisites Are Not Met

If the Docker Scout plugin is not installed on the runner or host machine, Raynet One detects this condition automatically. When the docker sbom command is not found (indicated by exit code 127), the SBOM scanning is disabled for the entire inventory run on that host. All other Docker inventory data — such as containers, images, and service details — continues to be collected normally.

 

An issue entry is recorded in the inventory run results to indicate that SBOM scanning was not available. This entry can be reviewed in the job details within Raynet One to identify runner hosts where the Docker Scout plugin needs to be installed.

 

If an SBOM scan fails for an individual image (for example, due to an image that cannot be analyzed), the failure is recorded as an issue for that specific image and scanning continues for the remaining images.
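The following Python script is an added illustration of the per-image flow described under "How the Scan Works", the attributes listed under "Collected SBOM Data", and the exit-code handling described in this section; it is not Raynet One's own code. It assumes the plugin accepts a --format cyclonedx-json option and uses a constructed CycloneDX document as sample input so the parsing can be exercised without a Docker host.

```python
import json
import shlex
import subprocess
from typing import Any

# Constructed sample of the CycloneDX JSON a `docker sbom` run emits (not a real scan).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.2",
         "purl": "pkg:deb/ubuntu/openssl@3.0.2",
         "cpe": "cpe:2.3:a:openssl:openssl:3.0.2:*:*:*:*:*:*:*",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "application", "name": "nginx", "version": "1.25.3",
         "purl": "pkg:deb/debian/nginx@1.25.3",
         "licenses": [{"expression": "BSD-2-Clause"}]},
        {"type": "operating-system", "name": "debian", "version": "12"},
    ],
})

def license_ids(component: dict[str, Any]) -> list[str]:
    """Flatten the CycloneDX licenses array (license id, license name or SPDX expression)."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        value = lic.get("id") or lic.get("name") or entry.get("expression")
        if value:
            ids.append(value)
    return ids

def extract_components(sbom_json: str, image: str) -> list[dict[str, Any]]:
    """Reduce a CycloneDX document to the attributes the inventory records per component."""
    doc = json.loads(sbom_json)
    return [{"name": c.get("name"), "version": c.get("version"), "type": c.get("type"),
             "purl": c.get("purl"), "cpe": c.get("cpe"),
             "licenses": license_ids(c), "image": image}
            for c in doc.get("components", [])]

def classify_exit(returncode: int) -> str:
    """Exit 127 means the command is absent: disable scanning for the whole host run.
    Any other non-zero code is recorded as an issue for this image only."""
    if returncode == 127:
        return "skip-host"
    return "ok" if returncode == 0 else "image-issue"

def scan_image(image: str) -> tuple[str, list[dict[str, Any]]]:
    """Run the plugin for one image through a shell, so a missing command yields 127."""
    proc = subprocess.run("docker sbom --format cyclonedx-json " + shlex.quote(image),
                          shell=True, capture_output=True, text=True)
    status = classify_exit(proc.returncode)
    return status, extract_components(proc.stdout, image) if status == "ok" else []
```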

 

Viewing SBOM Results

SBOM scan results are accessible in the Raynet One web interface as part of the container inventory. Navigate to Containers in the sidebar, then open the details view of a Docker image. The SBOM data for that image is listed there, showing all discovered software components along with their properties.

 

The full SBOM report in CycloneDX JSON format can also be downloaded from the Docker image details view.