Linux Server Security is the current field-guide cluster.Linux • Security • Self-hosting • Practical tools
Self-Hosted Tools and Operations

SBOMs for Docker Compose: The Useful Minimum

For a small Compose deployment, the useful minimum is an inventory of services, image references, immutable digests, owners, and a repeatable SBOM artifact. The file alone does not patch anything; it gives you a map for deciding what needs attention.

What should the inventory contain?

Record the Compose service, image and digest, deployment location, maintainer, generation date, and the SBOM format. Keep the artifact with the release or in an inventory store, and define how a changed digest creates a review task.

SPDX and CycloneDX are common interchange formats. Choose one your tooling and downstream consumers can read consistently; format choice matters less than freshness and ownership.

What should you avoid claiming?

Do not call an SBOM complete if it excludes build inputs, runtime-loaded components, or vendor-managed layers. Do not treat a clean scan as proof of safe configuration. Review exposed ports, credentials, container users, and update policy separately.

This fits alongside Docker rootless and user-namespace trade-offs and a simple VPS service inventory.

Sources