SBOM: Everything you need to know for CKS exam
2025 is almost 10% complete, and there is a lot of activity across the Kubernetes ecosystem and the CNCF certifications. It’s amazing!
What’s more amazing is seeing the number of Kubestronaut aspirants grow every day. It’s a joy to see so many happy faces passing CKA. CKS, however, remains the ultimate test on the path to becoming one of a handful of global experts on Kubernetes and the cloud-native ecosystem, and to representing your country on the Kubestronaut global map.
Speaking of myself, becoming the first Kubestronaut (read it here) from Nepal feels great, and it’s been quite a journey with both highs and lows. From passing KCNA and KCSA in under an hour (read it here) to failing CKS on my first attempt by just 2% (read it here). But out of this experience came something wonderful: the CKS Handbook, through which I could share my experience and help others climb the Kubestronaut mountain. The book is now in 2nd Edition, updated to reflect the latest changes to the CKS curriculum.
With the October 2024 CKS exam program changes, SBOM is now one of the key topics under the Supply Chain Security domain for the CKS exam.
In this article, I will demystify SBOM and provide you with “enough” theoretical and practical knowledge to prepare for the exam; whether you’re eyeing CKS or just here to learn SBOM, you’re covered.
Supply chain fundamentals
Modern software apps are rarely built entirely from scratch. Thanks to the widespread availability of open-source software, companies can leverage third-party libraries, tools, and services to focus more on creating innovative applications and less on reinventing the wheel.
However, relying on components you did not write means inheriting their bugs and vulnerabilities, and that is a significant security risk.
What is a supply chain attack?
A supply chain attack is one in which an attacker compromises a third-party dependency, build tool, or service that the target relies on, and uses that trusted channel to reach the target’s software product. These attacks are also called “value-chain” or “third-party” attacks.
By nature, supply chain attacks are indirect: they target the third-party dependencies that their ultimate targets rely on (often unknowingly, several levels deep in the dependency tree). The Log4j (Log4Shell) and SolarWinds incidents highlight why SBOMs matter for supply chain risk management: the first question in both cases was “do we run the affected component, and where?”, and organizations with an up-to-date inventory of their components could answer it quickly. An SBOM does not prevent such a compromise, but it makes the response tractable.
Getting to know SBOM
SBOM stands for Software Bill of Materials. The term originated in the manufacturing industry, where a “Bill of Materials” is the list of raw materials, subcomponents, and parts required to manufacture an end product.
In the context of software, an SBOM serves a similar purpose: it is a detailed inventory of the components, libraries, and dependencies that make up a software product. For each component it records the name, version, supplier, license, a unique identifier such as a package URL (purl), and the dependency relationships between components, covering both open-source and commercial third-party libraries.
An SBOM helps organizations identify and manage supply chain security risks: when a new vulnerability is published, you search the inventory instead of rebuilding it from scratch. Compliance frameworks such as PCI DSS (v4.0 requires an inventory of bespoke and third-party software components) and government procurement rules such as US Executive Order 14028 increasingly demand a clear record of software components, and an SBOM is the standard way to provide one.
How SBOM is created
An SBOM can be created manually or automatically. Manual creation means gathering every component, its version, license, and dependencies into a spreadsheet.
For any non-trivial project, manual gathering is not feasible (a typical container image contains hundreds of OS and language packages), so SBOM tools automate the process. Usually they run as a step in the CI/CD pipeline, so that every build produces an SBOM that is stored and shipped alongside the artifact it describes.
In the Kubernetes ecosystem, open-source SBOM tools include Trivy by Aqua Security and bom from the Kubernetes project (SIG Release). bom was originally written to generate the SBOM for Kubernetes’ own releases.
Understanding the SBOM format
SBOM information is represented in a structured format. The one the CKS exam expects you to know is SPDX (Software Package Data Exchange, standardized as ISO/IEC 5962:2021); CycloneDX from OWASP is the other widely used format, and trivy can emit both. SPDX is useful because the same data model can be serialized in several file formats: the human-readable tag-value format (what bom writes by default, conventionally with a .spdx extension), as well as machine-parsable JSON, YAML, and RDF/XML. JSON is the serialization you will most often feed to other tools.
Playing with SBOM
I recommend using online playground labs like Iximiuz Labs or KillerCoda to learn. For this article, I’ll use iximiuz Labs so you can easily follow along.
- Log in to labs.iximiuz.com using your GitHub account.
- Navigate to the Playgrounds tab and select the Kubernetes category.
- Choose Kubernetes Client (Go) playground, and click Start Playground.
Now, paste the following commands to install bom and trivy CLI on the playground machine.
# Install bom
$ go install sigs.k8s.io/bom/cmd/bom@latest
# Install trivy
$ ark get trivy
And that’s it, let’s get our hands dirty using them.
Generate your first SBOM
The bom CLI can create an SBOM from files, directories, container images, and image archives (images saved as tarballs). To generate an SBOM, use the bom generate command.
Generate SBOM for container image
Here, we create an SBOM for the kube-apiserver image by pulling it directly from the container registry. bom writes the result as an SPDX tag-value document, saved here as kube-apiserver.spdx.
$ bom generate --image registry.k8s.io/kube-apiserver:v1.21.0 --output=kube-apiserver.spdx
Similarly, you can use trivy to generate an SBOM for a container image. In the example below, we generate an SBOM for the nginx:1.27 image using the trivy image command, asking for SPDX in its JSON serialization (--format spdx-json; trivy also accepts spdx for tag-value output and cyclonedx).
$ trivy image --format spdx-json --output nginx.json nginx:1.27
View and query SBOM information
bom can print an outline of a document (the packages and files it describes and how they relate) and query it for packages matching an expression.
# Visualize SBOM
$ bom document outline kube-apiserver.spdx
# Query for packages matching name "base", and show their versions
$ bom document query kube-apiserver.spdx "name:base" --fields "name,version"
Similarly, you can scan an SBOM for vulnerabilities with the trivy sbom command (trivy matches the packages listed in the document against its vulnerability database, without pulling the image again) and then use the bom utility to query the same file.
$ trivy sbom nginx.json
$ bom document query nginx.json 'name:lib' --fields "name,version,license"
In the above example, we query the document for all packages with lib in their name and print their name, version, and license.
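To make the SPDX layout concrete, here is a small parser that does in Python what the bom document query and trivy sbom commands above do for you: it reads an SPDX 2.3 JSON document, answers the same “packages with lib in the name, show name/version/license” question, follows DEPENDS_ON relationships, and matches packages against an advisory list. This is an added example for this article, not code from bom or trivy. SAMPLE_SBOM is a constructed, trimmed document in the layout trivy image --format spdx-json writes (real output also carries creationInfo, checksums, file entries and layer relationships), and the advisory used at the bottom is made up: EXAMPLE-0001 is not a real identifier and the versions are invented.

```python
"""Parse and query an SPDX 2.3 JSON SBOM (the layout `trivy image --format spdx-json` writes).

Added example, not code from the article, bom, or trivy. SAMPLE_SBOM and the advisory
in the usage section are constructed test data: real Debian package names, invented
versions, and a made-up advisory id.
"""
import json
import re

# Constructed SBOM, trimmed to the fields used below.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "nginx:1.27",
    "packages": [
        {"SPDXID": "SPDXRef-Package-nginx", "name": "nginx",
         "versionInfo": "1.27.0-1", "licenseConcluded": "BSD-2-Clause",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/nginx@1.27.0-1"}]},
        {"SPDXID": "SPDXRef-Package-libpcre2", "name": "libpcre2-8-0",
         "versionInfo": "10.42-1", "licenseConcluded": "BSD-3-Clause",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/libpcre2-8-0@10.42-1"}]},
        {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib1g",
         "versionInfo": "1.2.13-1", "licenseConcluded": "Zlib"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-nginx",
         "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-Package-nginx", "relatedSpdxElement": "SPDXRef-Package-libpcre2",
         "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-Package-nginx", "relatedSpdxElement": "SPDXRef-Package-zlib",
         "relationshipType": "DEPENDS_ON"},
    ],
})


def load_sbom(text):
    """Parse SPDX JSON and refuse anything that is not an SPDX 2.x document (e.g. CycloneDX)."""
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x JSON document: %r" % doc.get("spdxVersion"))
    return doc


def _purl(pkg):
    """Return the package URL from externalRefs, or None if the package has none."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None


def packages(doc):
    """Flatten each SPDX package to the fields a query cares about."""
    return [{"id": p["SPDXID"], "name": p.get("name", ""),
             "version": p.get("versionInfo", "NOASSERTION"),
             "license": p.get("licenseConcluded", "NOASSERTION"),
             "purl": _purl(p)} for p in doc.get("packages", [])]


def query(doc, name_contains, fields=("name", "version")):
    """Same kind of question as `bom document query doc 'name:<x>' --fields <fields>`:
    case-insensitive substring match on the package name, returning the requested fields."""
    needle = name_contains.lower()
    return [tuple(p[f] for f in fields) for p in packages(doc) if needle in p["name"].lower()]


def dependencies_of(doc, name):
    """Follow DEPENDS_ON relationships from the package called `name`; return dependency names."""
    by_id = {p["id"]: p for p in packages(doc)}
    ids = {p["id"] for p in by_id.values() if p["name"] == name}
    out = []
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") == "DEPENDS_ON" and rel.get("spdxElementId") in ids:
            dep = by_id.get(rel.get("relatedSpdxElement"))
            if dep:
                out.append(dep["name"])
    return sorted(out)


def parse_version(v):
    """Numeric-tuple comparison of dotted versions. Enough for the sample; real scanners
    (trivy included) apply per-ecosystem rules (Debian epochs and '~', semver pre-releases)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def affected(doc, advisories):
    """What `trivy sbom` does in miniature: match SBOM packages against advisories of the
    form {"id", "name", "fixed_in"} and report those whose version is below the fix."""
    hits = []
    for p in packages(doc):
        for adv in advisories:
            if p["name"] == adv["name"] and parse_version(p["version"]) < parse_version(adv["fixed_in"]):
                hits.append((p["name"], p["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    print(query(sbom, "lib", fields=("name", "version", "license")))
    print(dependencies_of(sbom, "nginx"))
    # Constructed advisory, not a real CVE: claims zlib1g below 1.2.14-1 is affected.
    print(affected(sbom, [{"id": "EXAMPLE-0001", "name": "zlib1g", "fixed_in": "1.2.14-1"}]))
```

Point it at the nginx.json file from the trivy example to run it on real data; bom’s default output is tag-value, so the kube-apiserver.spdx file would need a tag-value reader instead. The version comparison is deliberately the weak spot: a production matcher has to understand each ecosystem’s ordering rules, which is exactly why you scan SBOMs with trivy rather than with a regex.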
Generate SBOM for container image archive (tar)
To generate an SBOM from a container image archive, first pull the image and save it as a tarball with the standard pull/save commands.
# Docker
$ docker pull registry.k8s.io/kube-apiserver:v1.21.0
$ docker save registry.k8s.io/kube-apiserver:v1.21.0 -o kube-apiserver.tar
# Podman
$ podman pull nginx:1.27
$ podman save nginx:1.27 -o nginx.tar
Once you have the tarball, use the --image-archive flag to generate an SBOM from it.
$ bom generate --image-archive nginx.tar -o nginx.spdx
That’s all
Congratulations on coming this far. You are closer to cracking CKS than you think, one step at a time, one domain topic at a time.
As a thank you to the first 50 readers of this article, use the discount code SBOM20 to get 20% off my CKS Handbook — 2nd Edition, updated to reflect the latest curriculum changes. — Puru