
rad-sbom

Overview

The rad-sbom plugin generates Software Bill of Materials (SBOM) for container images running in your Kubernetes cluster. SBOMs provide detailed information about the software components, dependencies, and packages contained within container images, enabling better security visibility and compliance tracking.

How It Works

The rad-sbom plugin operates as a Kubernetes controller that:
  • Scans Images: Automatically discovers and scans container images in your cluster
  • Generates SBOMs: Creates detailed SBOMs in SPDX-JSON format
  • Stores Results: Sends SBOM data to RAD Security for analysis and storage
  • Updates Regularly: Rechecks images at configurable intervals

Configuration

The RAD SBOM component has a set of flags that can be modified if needed. To override a default, set the variable name below as an environment variable on the rad-sbom controller with the desired value.

Environment Variable     Default Value   Description
CONTROLLER_PORT          9443            The port the controller endpoints bind to
ENABLE_LEADER_ELECTION   true            If true, enables leader election for the controller manager
HEALTH_PROBE_PORT        8081            The port the health probe endpoint binds to
METRICS_PORT             8080            The port the metrics endpoint binds to
RECHECK_INTERVAL         24h             The interval at which the image SBOMs are rechecked
SBOM_FORMAT              spdx-json       The format of the SBOM (Software Bill of Materials)
SBOM_SCOPE               Squashed        The scope of layers to catalog in the SBOM
IMAGE_PULL_SECRETS       [] (empty)      A list of image pull secrets for accessing private registries

Resource Requirements

Generating an SBOM for a large or complex image can need noticeably more memory than the default allocation. To keep SBOM generation running smoothly, review the memory limits set for the rad-sbom plugin in your Kubernetes configuration and raise them where needed.
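As an added example that is not part of the rad-sbom project or its chart, this is the Deployment pod spec the Configuration and Resource Requirements sections translate to: a shorter RECHECK_INTERVAL and a raised memory limit. The Deployment name, labels, image reference, replica count and memory figures are placeholders; the variable names and port defaults are those in the table above.

```yaml
# Added example (not the project's own manifest): Deployment pod spec with
# this page's overrides applied. Name, labels, image, replica count and
# memory figures are placeholders; env names and port defaults come from
# the Configuration table.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: rad-sbom                        # placeholder
spec:
  replicas: 2                           # >1 is only safe with leader election on
  selector:
    matchLabels:
      app.kubernetes.io/name: rad-sbom
  template:
    metadata:
      labels:
        app.kubernetes.io/name: rad-sbom
    spec:
      containers:
        - name: controller
          image: REGISTRY/rad-sbom:TAG  # placeholder image reference
          env:
            - name: RECHECK_INTERVAL
              value: "12h"              # default 24h; rescan twice a day
            - name: ENABLE_LEADER_ELECTION
              value: "true"             # default; required for replicas > 1
            - name: SBOM_FORMAT
              value: "spdx-json"        # default; see SBOM Formats
          # If a *_PORT variable is overridden, the matching containerPort
          # (and any Service targeting it) must be changed to the same value.
          ports:
            - name: controller
              containerPort: 9443       # CONTROLLER_PORT
            - name: metrics
              containerPort: 8080       # METRICS_PORT
            - name: health
              containerPort: 8081       # HEALTH_PROBE_PORT
          resources:
            requests:
              memory: "512Mi"           # placeholder
            limits:
              memory: "2Gi"             # raised for large images; see Resource Requirements
```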

SBOM Formats

The plugin supports multiple SBOM formats, selected through the SBOM_FORMAT variable:
  • SPDX-JSON: Standard SPDX format in JSON
  • SPDX-TAG: Standard SPDX format in tag-value
  • CycloneDX: Alternative SBOM format

Private Registry Support

The rad-sbom plugin can scan images from private registries by configuring image pull secrets:

    sbom:
      imagePullSecrets:
        - name: my-registry-secret

For a full list of override values, see the chart values file.