trivy: Generate and Scan an SBOM
trivy generates an SBOM in CycloneDX or SPDX format and can also scan a previously generated SBOM for vulnerabilities.
An SBOM (software bill of materials) records exactly what is inside an image. Trivy both produces one during a scan and consumes one later, so you can decouple inventory from vulnerability matching.
What it does
trivy image --format cyclonedx (or spdx-json) writes an SBOM describing every package it found. The trivy sbom subcommand takes an existing SBOM file and matches its components against the vulnerability database, which lets you rescan an image as new CVEs are published without re-pulling it.
Common usage
# generate an SBOM during the image scan
trivy image --format cyclonedx --output sbom.cdx.json myorg/app:ci
trivy image --format spdx-json --output sbom.spdx.json myorg/app:ci
# later, scan that SBOM for new CVEs
trivy sbom --severity HIGH,CRITICAL sbom.cdx.jsonOptions
| Flag | What it does |
|---|---|
| --format cyclonedx | Emit a CycloneDX JSON SBOM |
| --format spdx-json | Emit an SPDX JSON SBOM |
| --output <file> | Write the SBOM to a file |
| trivy sbom <file> | Scan an existing SBOM for vulnerabilities |
| --exit-code <n> | Gate the SBOM scan on findings |
In CI
Generate the SBOM once at build time, attach it to the image (for example with cosign attest), and rescan it on a schedule with trivy sbom so newly disclosed CVEs are caught without rebuilding. This keeps the heavy image pull out of the daily re-scan job.
Common errors in CI
"unable to detect the SBOM format" means the input file is not valid CycloneDX or SPDX, often a truncated or wrong-format file; regenerate it. An empty SBOM usually means trivy scanned an image with no detectable packages (a scratch or distroless image with statically linked binaries).