This GitHub Actions workflow runs a specified command against a set of Docker images and generates a Software Bill of Materials (SBOM) in CycloneDX format for each image. The workflow is scheduled to run every night at midnight UTC.
| Image | SBOMs |
|---|---|
| alpine | |
| busybox | |
| docker | |
| hello-world | |
| httpd | |
| memcached | |
| mongo | |
| mysql | |
| nginx | |
| node | |
| postgres | |
| python | |
| rabbitmq | |
| redis | |
| ubuntu | |
All SBOMs generated in the pipeline above are signed, and you can verify a downloaded SBOM as follows:

```bash
gh attestation verify path/to/downloaded-sbom.json --owner sbomify
```

To get the top 15 (official) Docker Hub repositories, use the following command:
```bash
curl -s "https://hub.docker.com/v2/repositories/library/?page_size=100" | \
jq -r '.results[] | "\(.pull_count) \(.name)"' | \
sort -nr | \
head -n 15
```
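Once `gh attestation verify` passes on a downloaded SBOM, a consumer still needs to confirm that the file is a CycloneDX document describing the image they asked for and that its components are usable. The following check is an added example, not part of the sbomify workflow; it assumes the CycloneDX JSON layout (`bomFormat`, `specVersion`, `metadata.component`, `components`) and uses a constructed, truncated sample in place of a real download.

```python
"""Sanity-check a downloaded CycloneDX SBOM (added example, not sbomify code)."""
import json

# Constructed sample standing in for a downloaded SBOM; not a real nginx SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "nginx"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:deb/debian/openssl@3.0.13"},
        {"type": "library", "name": "zlib1g", "version": "1.2.13"},
    ],
})


def check_sbom(raw: str, expected_image: str) -> dict:
    """Return a summary of the SBOM plus any problems found.

    Problems are collected rather than raised so the caller decides whether,
    for example, a component without a purl (which blocks vulnerability
    matching) is fatal for its use case.
    """
    bom = json.loads(raw)
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if not str(bom.get("specVersion", "")).startswith("1."):
        problems.append("unexpected specVersion")
    # metadata.component is the thing the SBOM describes; it must be our image.
    subject = bom.get("metadata", {}).get("component", {})
    if subject.get("name") != expected_image:
        problems.append(
            f"SBOM describes {subject.get('name')!r}, not {expected_image!r}")
    components = bom.get("components", [])
    if not components:
        problems.append("no components listed")
    missing_purl = [c["name"] for c in components if not c.get("purl")]
    return {
        "image": subject.get("name"),
        "component_count": len(components),
        "missing_purl": missing_purl,
        "problems": problems,
    }


if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_SBOM, "nginx"), indent=2))
```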