Consuming the SBOM
Every image ships with a Software Bill of Materials in two formats:
- CycloneDX 1.5 — the format with the broadest tool support across the supply-chain ecosystem.
- SPDX 2.3 — the format procurement teams usually ask for.
Both describe exactly which upstream packages and versions are in the image. No layer is hidden.
Get the SBOM
The SBOM is published as an OCI artifact next to the image, accessible with Cosign:
cosign download sbom images.rasid.cc/postgres:17 > postgres-17.sbom.json
It’s also available as a stable HTTPS download from the registry host:
curl -fsSL -o postgres-17.cdx.json \
https://images.rasid.cc/postgres/sbom-17.cdx.json
Diff between releases
When the daily rebuild ships a new image, diffing the previous SBOM against the new one gives you a compact audit trail of exactly which packages were added, removed or re-versioned. Use cyclonedx-cli (Apache 2.0 licensed) or any CycloneDX-compatible tool:
cyclonedx-cli diff --output-format text postgres-17.cdx.json postgres-17-new.cdx.json
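The same comparison is easy to script when you want to attach the result to a change ticket or gate a rollout on it. The block below is an added example, not part of this page or the registry's own tooling. It validates both documents as CycloneDX 1.5 before trusting their contents, then reports packages that were added, removed or changed version between two manifests. The two inline SBOMs are constructed placeholders standing in for postgres-17.cdx.json and the next rebuild's manifest, and the pkg:generic purls are assumed sample identifiers, not the registry's real component data.

```python
"""Validate two CycloneDX 1.5 SBOMs and report what changed between them."""
import json
import sys
from typing import Dict, Tuple

# Constructed sample documents (assumption: stand-ins for postgres-17.cdx.json
# and the next daily rebuild's manifest; purls and versions are illustrative).
OLD_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "version": 1,
    "components": [
        {"type": "library", "name": "glibc", "version": "2.39",
         "purl": "pkg:generic/glibc@2.39"},
        {"type": "library", "name": "openssl", "version": "3.3.1",
         "purl": "pkg:generic/openssl@3.3.1"},
        {"type": "library", "name": "libxml2", "version": "2.12.7",
         "purl": "pkg:generic/libxml2@2.12.7"},
    ],
})

NEW_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000002",
    "version": 1,
    "components": [
        {"type": "library", "name": "glibc", "version": "2.39",
         "purl": "pkg:generic/glibc@2.39"},
        {"type": "library", "name": "openssl", "version": "3.3.2",
         "purl": "pkg:generic/openssl@3.3.2"},
        {"type": "library", "name": "zlib", "version": "1.3.1",
         "purl": "pkg:generic/zlib@1.3.1"},
    ],
})


def load_cyclonedx(text: str) -> dict:
    """Parse a CycloneDX JSON document and refuse anything that is not the
    format and spec version we expect, so a mislabelled file cannot silently
    produce an empty or misleading diff."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not a CycloneDX document: bomFormat={bom.get('bomFormat')!r}")
    if bom.get("specVersion") != "1.5":
        raise ValueError(f"unexpected specVersion {bom.get('specVersion')!r} (expected 1.5)")
    if not isinstance(bom.get("components"), list):
        raise ValueError("document has no components list")
    return bom


def _identity(comp: dict) -> str:
    """Stable identity for a component across releases: the purl without its
    version (so a version bump shows as a change, not a remove plus an add),
    falling back to type/group/name when no purl is present."""
    purl = comp.get("purl")
    if purl:
        return purl.split("@", 1)[0]
    return f"{comp.get('type')}/{comp.get('group', '')}/{comp.get('name')}"


def component_index(bom: dict) -> Dict[str, str]:
    """Map each component identity to the version recorded in the SBOM."""
    return {_identity(c): c.get("version", "") for c in bom["components"]}


def diff_sboms(old_text: str, new_text: str) -> Tuple[Dict[str, str], Dict[str, str], Dict[str, Tuple[str, str]]]:
    """Return (added, removed, changed) between two CycloneDX documents.
    'changed' maps identity -> (old_version, new_version)."""
    old = component_index(load_cyclonedx(old_text))
    new = component_index(load_cyclonedx(new_text))
    added = {k: v for k, v in new.items() if k not in old}
    removed = {k: v for k, v in old.items() if k not in new}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    return added, removed, changed


def format_report(added, removed, changed) -> str:
    """Render the diff as plain text, one line per package, sorted for stable output."""
    lines = []
    lines += [f"+ {k} {v}" for k, v in sorted(added.items())]
    lines += [f"- {k} {v}" for k, v in sorted(removed.items())]
    lines += [f"~ {k} {o} -> {n}" for k, (o, n) in sorted(changed.items())]
    return "\n".join(lines) if lines else "no component changes"


if __name__ == "__main__":
    # Usage: python sbom_diff.py old.cdx.json new.cdx.json
    # With no arguments the constructed sample documents above are compared.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            result = diff_sboms(f_old.read(), f_new.read())
    else:
        result = diff_sboms(OLD_SBOM, NEW_SBOM)
    print(format_report(*result))
```

Keying on the version-stripped purl is what makes an upgraded package appear as a single change line rather than one removal and one addition; if your SBOMs carry purl qualifiers (the `?arch=...` part), extend `_identity` to strip those too before comparing.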
Wire into your supply-chain tools
CycloneDX and SPDX manifests work out of the box with most supply-chain tools — Grype, Trivy, Syft, OWASP Dependency-Track, GitLab Dependency Scanning, and the like. Point them at the SBOM file and they report the same package-level findings they would after scanning the live image, without pulling the image bytes.