SBOM
Gain visibility into your container images and the software packages they include. The SBOM integration scans images for software components and known vulnerabilities, enabling you to query, monitor, and alert on changes in your software supply chain.
- Installation
- Data Model
- Types
Installation
For this integration, you will need access to your container registry and a list of container images that you want to scan for SBOM (Software Bill of Materials) ingestion. If your registry is private, you will also need to provide authentication credentials.
Configuration in JupiterOne
To install the SBOM integration in JupiterOne, navigate to the Integrations tab and select SBOM. Click New Instance to begin configuring your integration.
Creating a configuration requires the following:
- The Registry URL, such as `ghcr.io` or `ghcr.io/jupiterone`, which specifies the location of your container images.
- A list of Images to scan. Each image should be provided in the format `<image>:<tag>`. If no tag is provided, the integration defaults to the `latest` tag. Because `latest` is a mutable tag, an untagged image may resolve to a different build on each scan; pin a tag where you can, and use the `digest` property on the resulting `sbom_container_image` entity to identify exactly which build was scanned.
If your container registry is private, you must also provide the following credentials. The integration only needs to pull images, so use an account or token scoped to read-only (pull) access rather than a credential that can push:
- Registry Username – The username for accessing the container registry.
- Registry Password – The corresponding password or access token. This field is encrypted and stored securely.
Click Create once all required values are provided to finalize the integration.
Next steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.
Entities
The following entities are created:
Resources | Entity `_type` | Entity `_class` |
---|---|---|
Container Image | `sbom_container_image` | `Image` |
Software Package | `sbom_software_package` | `CodeModule` |
Vulnerability | `sbom_vulnerability` | `Finding`, `Vulnerability` |
Relationships
The following relationships are created:
Source Entity `_type` | Relationship `_class` | Target Entity `_type` |
---|---|---|
`sbom_container_image` | CONTAINS | `sbom_software_package` |
`sbom_software_package` | USES | `sbom_software_package` |
`sbom_software_package` | HAS | `sbom_vulnerability` |
Mapped Relationships
The following mapped relationships are created:
Source Entity `_type` | Relationship `_class` | Target Entity `_type` | Direction |
---|---|---|---|
`sbom_container_image` | IS | `image` | FORWARD |
Sbom Container Image
`sbom_container_image`
inherits from `Image`
Properties marked with `*` are required.
Property | Type | Description | Specifications |
---|---|---|---|
digest * | string | | |
imagePlatform | string | | |
imageTag * | string | | |
imageType * | string | | |
repository | string | | |
size | number | | |
version | string | | |
Sbom Software Package
`sbom_software_package`
inherits from `CodeModule`
Properties marked with `*` are required.
Property | Type | Description | Specifications |
---|---|---|---|
cpe * | array \| null | | |
license * | array \| null | | |
modulePackageManager * | string | | |
purl | string | | |
repositoryType | string | | |
size | number | | |
type | string | | |
version | string | | |
Sbom Vulnerability
`sbom_vulnerability`
inherits from `Finding`, `Vulnerability`
Property | Type | Description | Specifications |
---|---|---|---|
fixAvailable | boolean | | |
fixedInVersion | string | | |
publishedOn | number | | |
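The J1QL queries below are an added example of putting the relationships and properties above to use; they are not part of the JupiterOne documentation or the integration's own code. The first lists every vulnerability with a fix available, together with the image digest and the package it was found in; the second follows the `USES` relationship to surface vulnerabilities that an image only reaches through a transitive dependency. The aliases (`img`, `pkg`, `direct`, `transitive`, `vuln`) are arbitrary, and `displayName` is assumed to be populated as it is on standard JupiterOne entities; every other property is taken from the tables above.

```j1ql
FIND sbom_container_image AS img
  THAT CONTAINS sbom_software_package AS pkg
  THAT HAS sbom_vulnerability WITH fixAvailable = true AS vuln
RETURN
  img.repository, img.imageTag, img.digest,
  pkg.displayName, pkg.version, pkg.purl, pkg.modulePackageManager,
  vuln.displayName, vuln.fixedInVersion, vuln.publishedOn

FIND sbom_container_image AS img
  THAT CONTAINS sbom_software_package AS direct
  THAT USES sbom_software_package AS transitive
  THAT HAS sbom_vulnerability AS vuln
RETURN
  img.repository, img.imageTag, img.digest,
  direct.displayName, direct.version,
  transitive.displayName, transitive.version, transitive.purl,
  vuln.displayName, vuln.fixAvailable, vuln.fixedInVersion
```

Returning `img.digest` alongside `imageTag` matters when an image is scanned under a mutable tag such as `latest`: the digest identifies the exact build the finding applies to. Either query can be used as the condition of a JupiterOne alert rule so that a new fixable or transitively reachable vulnerability is raised on the next polling run rather than discovered by hand.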