Skip to content
Latchkey

trivy: Generate and Scan an SBOM

trivy generates an SBOM in CycloneDX or SPDX format and can also scan a previously generated SBOM for vulnerabilities.

An SBOM (software bill of materials) records exactly what is inside an image. Trivy both produces one during a scan and consumes one later, so you can decouple inventory from vulnerability matching.

What it does

trivy image --format cyclonedx (or spdx-json) writes an SBOM describing every package it found. The trivy sbom subcommand takes an existing SBOM file and matches its components against the vulnerability database, which lets you rescan an image as new CVEs are published without re-pulling it.

Common usage

Terminal
# generate an SBOM during the image scan
trivy image --format cyclonedx --output sbom.cdx.json myorg/app:ci
trivy image --format spdx-json --output sbom.spdx.json myorg/app:ci
# later, scan that SBOM for new CVEs
trivy sbom --severity HIGH,CRITICAL sbom.cdx.json

Options

FlagWhat it does
--format cyclonedxEmit a CycloneDX JSON SBOM
--format spdx-jsonEmit an SPDX JSON SBOM
--output <file>Write the SBOM to a file
trivy sbom <file>Scan an existing SBOM for vulnerabilities
--exit-code <n>Gate the SBOM scan on findings

In CI

Generate the SBOM once at build time, attach it to the image (for example with cosign attest), and rescan it on a schedule with trivy sbom so newly disclosed CVEs are caught without rebuilding. This keeps the heavy image pull out of the daily re-scan job.

Common errors in CI

"unable to detect the SBOM format" means the input file is not valid CycloneDX or SPDX, often a truncated or wrong-format file; regenerate it. An empty SBOM usually means trivy scanned an image with no detectable packages (a scratch or distroless image with statically linked binaries).

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →