# Quick Start

Welcome to the SBOMbastic Quick Start!

This guide will walk you through the following steps:

- Deploying the SBOMbastic stack in a Kubernetes cluster
- Running an automated image scan using a `Registry` custom resource
- Querying the generated `SBOM` and `VulnerabilityReport` resources using real-world metadata
- Viewing and inspecting the full contents of reports using `kubectl`
## Prerequisites

Before deployment, you need to prepare the following:

- A Kubernetes cluster (a local kind cluster is sufficient)
- `helm` installed locally
- `kubectl` installed locally
- cert-manager installed in the cluster

To install cert-manager, run:

```bash
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace
```

Note that the cert-manager chart does not install cert-manager's CRDs unless you enable them (the `crds.enabled` chart value in current releases) or apply them separately. For more information on configuring cert-manager, see the cert-manager documentation.
## Deployment

Follow these steps from your local machine to get SBOMbastic up and running.

SBOMbastic runs even under the strictest Pod Security Admission (PSA) settings, so you can use the `restricted` profile on its namespace:

```bash
kubectl create namespace sbombastic
kubectl label namespace sbombastic pod-security.kubernetes.io/enforce=restricted
```

This label enforces the Restricted PSA profile on the namespace, so the stack runs under the most secure default settings. For more details about Pod Security Admission, see the PSA documentation.

Next, install the chart:

```bash
helm repo add sbombastic https://rancher-sandbox.github.io/sbombastic
helm repo update
helm install sbombastic sbombastic/sbombastic \
  --namespace sbombastic \
  -f your-custom-value.yaml \
  --wait
```

`your-custom-value.yaml` is a placeholder for your own values file; omit the `-f` flag to install with the chart defaults. SBOMbastic ships a default `values.yaml` with the Helm chart, and you can customize the installation either by:

- providing your own values file with `-f`, or
- using the `--set` flag to override specific values directly on the command line.

If you'd like to tailor the setup to your needs, the next section outlines the available configuration options.
The chart supports many customizations, including:

- Image versions, replica counts, and log levels for each component
- Persistent Volume Claim (PVC) settings for the storage backend
- NATS configuration for JetStream and secure communication

By default, SBOMbastic enables JetStream and secures communication between its components with mutual TLS (mTLS). Unless you have specific requirements, there is no need to modify these defaults.
After installation, ensure all pods are running:

```bash
kubectl get pods -n sbombastic
```

Example output (the generated pod name suffixes will differ in your cluster):

```text
NAME                                     READY   STATUS
sbombastic-controller-7f568c88dc-bmjgs   1/1     Running
sbombastic-controller-7f568c88dc-gcgbn   1/1     Running
sbombastic-controller-7f568c88dc-q7hbh   1/1     Running
sbombastic-nats-0                        2/2     Running
sbombastic-nats-1                        2/2     Running
sbombastic-nats-2                        2/2     Running
sbombastic-storage-5f596cd8f8-4t7z8      1/1     Running
sbombastic-worker-d9d68c5c-5dtck         1/1     Running
sbombastic-worker-d9d68c5c-qcp7n         1/1     Running
sbombastic-worker-d9d68c5c-tlpgm         1/1     Running
```

At this point, your SBOMbastic deployment is up and running. You're now ready to begin scanning images and generating reports.
## Running a scan

In this section, you'll learn how to create a registry source and trigger an automated scan.

Before running a scan, you need to define a `Registry` custom resource that tells SBOMbastic which registry and repositories to fetch images from. Save the following as `registry.yaml`:

```yaml
apiVersion: sbombastic.rancher.io/v1alpha1
kind: Registry
metadata:
  name: test-registry
  namespace: default
spec:
  uri: ghcr.io
  repositories:
    - rancher-sandbox/sbombastic/test-assets/golang
```

Apply it:

```bash
kubectl apply -f registry.yaml
```

Creating the `Registry` resource triggers the scan. Once it completes, check the generated SBOMs and vulnerability reports (in this example they live in the `default` namespace, alongside the `Registry`):

```bash
kubectl get sbom -n default
kubectl get vulnerabilityreport -n default
```

You should see output like:

```text
NAME                                                               CREATED AT
2ca3e0b033d523509544cb6f31c626af2a710d7dbcc15cb9dffced2e4634d69b   2025-06-10T10:26:38Z
...
```

You've successfully created a real-world `Registry` resource and triggered an automated scan. Next, we'll show you how to query and explore the generated `SBOM` and `VulnerabilityReport` resources using real-world examples.
## Querying SBOM and VulnerabilityReport resources

In this section, you'll learn how to query SBOMbastic resources using metadata fields. We'll walk through three steps:

- Understand the supported query fields
- Use `kubectl get --field-selector` to filter the target `SBOM` and `VulnerabilityReport` resources
- Use `kubectl describe` to read the full details of a specific report

Both the `SBOM` and `VulnerabilityReport` custom resources share a common `spec.imageMetadata` field, which contains metadata about the scanned image. These fields can be used as selectors with `kubectl get --field-selector`.
| Field | Type | Description |
|---|---|---|
| `registry` | string | Name of the `Registry` object. |
| `registryURI` | string | Full URI of the registry where the image is hosted. Example: `registry-1.docker.io:5000`. |
| `repository` | string | The image repository path. Example: `rancher/sbombastic`. |
| `tag` | string | The image tag. Example: `latest`, `v1.2.3`. |
| `platform` | string | The image platform, in OS/ARCH format. Example: `linux/amd64`. |
| `digest` | string | The SHA256 digest that uniquely identifies the image. |

These fields are available on both `SBOM` and `VulnerabilityReport` resources and are consistent across both kinds. Keep in mind that a tag can be re-pointed to a different image at any time, while the digest cannot, so prefer `digest` when you need to tie a report to one specific image.
Now that you know the available fields, let's walk through a few practical examples.

Use the following command to list all `VulnerabilityReport` resources for images from the `rancher-sandbox/sbombastic/test-assets/golang` repository, built for the `linux/amd64` platform:

```bash
kubectl get vulnerabilityreport \
  -n default \
  --field-selector='spec.imageMetadata.repository=rancher-sandbox/sbombastic/test-assets/golang,spec.imageMetadata.platform=linux/amd64'
```

Example output:

```text
NAME                                                               CREATED AT
dfe56d8371e7df15a3dde25c33a78b84b79766de2ab5a5897032019c878b5932   2025-06-23T04:35:16Z
...
```

If you're looking for all SBOMs of images tagged `1.12-alpine` and built for `linux/amd64`, run:

```bash
kubectl get sbom \
  -n default \
  --field-selector='spec.imageMetadata.repository=rancher-sandbox/sbombastic/test-assets/golang,spec.imageMetadata.tag=1.12-alpine,spec.imageMetadata.platform=linux/amd64'
```

Example output:

```text
NAME                                                               CREATED AT
dfe56d8371e7df15a3dde25c33a78b84b79766de2ab5a5897032019c878b5932   2025-06-23T04:34:41Z
```

Once you have identified a resource name from the output above, use `kubectl describe` to read its full contents:

```bash
kubectl describe sbom -n default <report-name>
kubectl describe vulnerabilityreport -n default <report-name>
```
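The field selectors above find reports by repository, tag and platform. The question a practitioner usually has next is "is every image running in my cluster covered by a report?", and that is best answered on `spec.imageMetadata.digest`, because a tag can be re-pointed to a different image while the digest cannot. The following Python script is an added example, not part of SBOMbastic: it consumes the JSON printed by `kubectl get vulnerabilityreport -A -o json` and `kubectl get pods -A -o json` (replaced here by constructed samples with made-up digests, report names and pod names), reads only the `spec.imageMetadata` fields documented above, and matches them against the digest each node recorded in `status.containerStatuses[].imageID`. It assumes the report's `digest` is the platform-specific manifest digest, which is what `imageID` carries; the per-report `platform` field suggests that, but verify it against your own reports.

```python
"""Match SBOMbastic VulnerabilityReports to the images running in a cluster.

Added example, not SBOMbastic project code. It consumes the JSON printed by
`kubectl get vulnerabilityreport -A -o json` and `kubectl get pods -A -o json`,
reading only the documented spec.imageMetadata fields from the reports.
All sample data below is constructed; digests, report and pod names are made up.
"""
import json
import re
from collections import defaultdict
from typing import Optional

GOLANG_REPO = "rancher-sandbox/sbombastic/test-assets/golang"

# Constructed digests (not real images).
DIGEST_RUNNING_SCANNED = "sha256:" + "11" * 32    # running and has a report
DIGEST_SCANNED_ONLY = "sha256:" + "22" * 32       # scanned (arm64) but not running
DIGEST_RUNNING_UNSCANNED = "sha256:" + "33" * 32  # running but never scanned


def _report(name: str, platform: str, digest: str) -> dict:
    """A VulnerabilityReport-shaped object carrying only the documented metadata."""
    return {"apiVersion": "sbombastic.rancher.io/v1alpha1", "kind": "VulnerabilityReport",
            "metadata": {"name": name, "namespace": "default"},
            "spec": {"imageMetadata": {"registry": "test-registry", "registryURI": "ghcr.io",
                                       "repository": GOLANG_REPO, "tag": "1.12-alpine",
                                       "platform": platform, "digest": digest}}}


def _pod(namespace: str, name: str, image_id: str) -> dict:
    """A Pod-shaped object with one container status; imageID holds the pulled digest."""
    return {"metadata": {"name": name, "namespace": namespace},
            "status": {"containerStatuses": [{"name": "app", "imageID": image_id}]}}


# Constructed `kubectl get ... -A -o json` outputs. The first pod uses the containerd
# imageID form, the second the older docker-shim "docker-pullable://" form.
SAMPLE_REPORTS = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    _report("report-amd64", "linux/amd64", DIGEST_RUNNING_SCANNED),
    _report("report-arm64", "linux/arm64", DIGEST_SCANNED_ONLY),
]})
SAMPLE_PODS = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    _pod("default", "golang-app", f"ghcr.io/{GOLANG_REPO}@{DIGEST_RUNNING_SCANNED}"),
    _pod("prod", "legacy-app", f"docker-pullable://ghcr.io/{GOLANG_REPO}@{DIGEST_RUNNING_UNSCANNED}"),
]})

_DIGEST_RE = re.compile(r"@(sha256:[0-9a-f]{64})$")


def digest_from_image_id(image_id: str) -> Optional[str]:
    """Extract 'sha256:...' from containerStatuses[].imageID in either runtime
    format; None when no digest was reported (e.g. a locally built image)."""
    match = _DIGEST_RE.search(image_id)
    return match.group(1) if match else None


def load_items(raw: str) -> list:
    """Return the items of a kubectl List, or wrap a single object."""
    doc = json.loads(raw)
    return doc["items"] if doc.get("kind") == "List" else [doc]


def select(items: list, **fields: str) -> list:
    """Client-side equivalent of --field-selector on spec.imageMetadata:
    every given field must match, as with a comma-separated selector."""
    return [it for it in items
            if all(it["spec"]["imageMetadata"].get(k) == v for k, v in fields.items())]


def index_by_digest(items: list) -> dict:
    """Map digest -> report names. The digest, unlike a tag, cannot be moved to
    another image, so it is the field to correlate with a running container."""
    index = defaultdict(list)
    for it in items:
        index[it["spec"]["imageMetadata"]["digest"]].append(it["metadata"]["name"])
    return index


def reconcile(reports_raw: str, pods_raw: str) -> dict:
    """Split running containers into those with a report and those without.
    A container whose runtime reported no digest counts as unscanned."""
    index = index_by_digest(load_items(reports_raw))
    covered, unscanned = [], []
    for pod in load_items(pods_raw):
        for cs in pod.get("status", {}).get("containerStatuses", []):
            ref = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}/{cs['name']}"
            digest = digest_from_image_id(cs.get("imageID", ""))
            if digest is not None and digest in index:
                covered.append((ref, sorted(index[digest])))
            else:
                unscanned.append((ref, digest))
    return {"covered": covered, "unscanned": unscanned}


if __name__ == "__main__":
    result = reconcile(SAMPLE_REPORTS, SAMPLE_PODS)
    print(json.dumps(result, indent=2))
```

To run it against a live cluster, feed the real `kubectl ... -o json` outputs (for example saved to files) in place of the two constructed samples. `select()` mirrors a comma-separated `--field-selector`, and a container whose runtime reported no digest lands in `unscanned` rather than silently passing, which is the behaviour you want from a coverage check.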
With this approach, you can confidently query SBOMbastic resources using real-world metadata, with no need to memorize long hashes.

## Cleanup

Warning: deleting a CRD removes every custom resource of that kind in every namespace. Make sure you have backed up any important data before proceeding.

```bash
# Example: delete the 'registries' CRD and all associated CRs
kubectl delete crd registries.sbombastic.rancher.io
```

After running the command, Kubernetes drops the CRD together with all of its `Registry` objects.
## Summary

You've just completed the SBOMbastic quick start guide! In this document, you successfully:

- Set up SBOMbastic from scratch
- Created a `Registry` custom resource to automate image scanning
- Used custom metadata fields to query `SBOM` and `VulnerabilityReport` resources
- Described and reviewed the details of the generated `SBOM` and `VulnerabilityReport` resources