This document describes how to access your software bill of materials (SBOM)
records and related dependency metadata to help you understand the components
of your container images stored in Artifact Registry.
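View SBOMs in the Google Cloud console

To view SBOMs and related dependency metadata for container images stored in
Artifact Registry:

1. Open the Artifact Registry Repositories page.

   [Open the Repositories page](https://console.cloud.google.com/artifacts)

   The page displays a list of your repositories.
2. In the repositories list, click a repository name.

   The Repository details page opens and displays a list of your images.
3. In the images list, click an image name.

   The page displays a list of your image digests.
4. In the image digest list, click a digest name.

   The page displays a row of tabs where the Overview tab is open, showing
   details such as format, location, repository, virtual size, and tags.
5. In the row of tabs, click the Dependencies tab.

   The Dependencies tab opens and displays the following information:
   - SBOM section
   - Licenses section
   - A filterable list of dependencies

SBOM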
The SBOM summary section displays the following information:

- File: A clickable SBOM filename, which opens the location where your SBOM is saved in Cloud Storage.
- Type: The type of SBOM standard used, such as Software Package Data Exchange (SPDX) or CycloneDX.
- Version: The version of the SBOM standard used.
- Generated by: The origin of the SBOM data, whether generated by Artifact Analysis or uploaded manually.

Licenses
The Licenses summary section displays a bar graph called Most common
licenses. This represents the types of licenses that appear most often in your
dependency information. When you hold the pointer over a bar in the graph, the
console displays the exact count for instances of that license type.
Dependencies
The list of dependencies displays the contents of your image digest including:

- Package name
- Package version
- Package type
- License type

You can filter the list of dependencies by any of these categories.
View SBOMs in Cloud Build
If you're using Cloud Build, you can view image metadata in the
Security insights side panel within the Google Cloud console.
The Security insights side panel provides a high-level overview of build
security information for artifacts stored in Artifact Registry. To learn more
about the side panel and how you can use Cloud Build to help protect your
software supply chain, see View build security insights.
View SBOMs with the gcloud CLI
Use the gcloud artifacts sbom list command to search for SBOMs stored in
Cloud Storage. This search applies to all of your SBOMs in Cloud Storage,
including those generated by Artifact Analysis and any you choose to upload
from another source using a supported format.
You can use filters with the gcloud command to narrow results and
focus on SBOMs most relevant to a specific security concern or compliance
request.
For example, the following command demonstrates how to obtain information about
the SBOM for a Docker image my-image stored in Artifact Registry:

    gcloud artifacts sbom list \
      --resource="us-east1-docker.pkg.dev/my-project/my-repo/my-image:1.0"

Where:

- --resource specifies the image resource URI to list SBOM file references for.

Output includes the following:

- The Cloud Storage location for the SBOM. Using the Cloud Storage location, you can view the SBOM in the gcloud CLI by running the gcloud storage cat command.
- Whether the SBOM is still in the Cloud Storage bucket or has been removed.
- A hash of the SBOM, which you can use to verify that it wasn't modified.
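
The following is an added example, not part of the Artifact Registry documentation: it checks a downloaded SBOM against its recorded hash before reading it, then rebuilds the dependency list and the "Most common licenses" count offline. It assumes the hash is a hex SHA-256 digest and the SBOM is SPDX JSON; the function names `verify_sbom` and `summarize` and the sample data are constructed for illustration.

```python
import hashlib
import hmac
import json
from collections import Counter

# Constructed sample: a minimal SPDX 2.3 JSON SBOM, standing in for the
# bytes printed by `gcloud storage cat` on the SBOM's Cloud Storage location.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "openssl", "versionInfo": "3.0.11", "licenseConcluded": "Apache-2.0"},
        {"name": "zlib", "versionInfo": "1.2.13", "licenseConcluded": "Zlib"},
        {"name": "libexample", "versionInfo": "0.4.0", "licenseConcluded": "Apache-2.0"},
        {"name": "busybox", "versionInfo": "1.36.1", "licenseConcluded": "NOASSERTION",
         "licenseDeclared": "GPL-2.0-only"},
    ],
}).encode()


def verify_sbom(sbom_bytes: bytes, expected_sha256: str) -> bool:
    """Return True only if the SBOM bytes match the recorded digest."""
    # Assumption: the recorded hash is hex SHA-256, optionally "sha256:"-prefixed.
    expected = expected_sha256.strip().lower().removeprefix("sha256:")
    actual = hashlib.sha256(sbom_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)


def summarize(sbom_bytes: bytes, expected_sha256: str):
    """Verify first, then return (dependency rows, license counts)."""
    if not verify_sbom(sbom_bytes, expected_sha256):
        raise ValueError("SBOM digest mismatch: file differs from its recorded hash")
    doc = json.loads(sbom_bytes)
    rows, licenses = [], Counter()
    for pkg in doc.get("packages", []):
        lic = pkg.get("licenseConcluded", "NOASSERTION")
        if lic in ("NOASSERTION", "NONE"):  # fall back to the declared license
            lic = pkg.get("licenseDeclared", "NOASSERTION")
        rows.append((pkg.get("name", ""), pkg.get("versionInfo", ""), lic))
        licenses[lic] += 1
    return rows, licenses.most_common()


if __name__ == "__main__":
    recorded = hashlib.sha256(SAMPLE_SBOM).hexdigest()  # constructed stand-in
    rows, common = summarize(SAMPLE_SBOM, recorded)
    for lic, count in common:
        print(f"{count:3d}  {lic}")
```
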
Filters
You can filter for specific SBOMs by using any of the following optional flags:

| Flag | Purpose | Input value |
|------|---------|-------------|
| `--dependency` | List all SBOM file references where a resource has the specified package installed. See supported package types. | The name of an installed package |
| `--resource` | List SBOM file references related to a specific image. | The resource URI |
| `--resource-prefix` | List SBOM file references related to the resource path prefix. | A resource path, which will be used as a prefix for the search |

Filtering examples

Filter results by resource URI:

    gcloud artifacts sbom list \
      --resource="us-east1-docker.pkg.dev/project/repo/my-image@sha256:88b205d7995332e10e836514fbfd59ecaf8976fc15060cd66e85cdcebe7fb356"

Filter by resource prefix:

    gcloud artifacts sbom list \
      --resource-prefix="us-east1-docker.pkg.dev/project/repo"

Limitations

- License information is only provided for OS packages and [supported language packages](/artifact-analysis/docs/container-scanning-overview#feature-support).

Before you begin

- [Sign in](https://accounts.google.com/Login) to your Google Account. If you don't already have one, [sign up for a new account](https://accounts.google.com/SignUp).
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project. [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)

  Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.
- [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).
- Enable the Container Analysis, Artifact Registry APIs. [Enable the APIs](https://console.cloud.google.com/flows/enableapi?apiid=https://containeranalysis.googleapis.com, https://artifactregistry.googleapis.com)
- [Install](/sdk/docs/install) the Google Cloud CLI.

  Note: If you installed the gcloud CLI previously, make sure you have the latest version by running `gcloud components update`.
- If you're using an external identity provider (IdP), you must first [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).
- To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:

  ```bash
  gcloud init
  ```
- Have SBOMs stored in Cloud Storage. See instructions on [generating SBOMs](/artifact-analysis/docs/generate-store-sbom).

Required roles

To get the permissions that you need to view SBOM data and filter results, ask your administrator to grant you the following IAM roles on the project:

- [Container Analysis Occurrences Viewer](/iam/docs/roles-permissions/containeranalysis#containeranalysis.occurrences.viewer) (`roles/containeranalysis.occurrences.viewer`)
- [Service Usage Consumer](/iam/docs/roles-permissions/serviceusage#serviceusage.serviceUsageConsumer) (`roles/serviceusage.serviceUsageConsumer`)
- [Artifact Registry Reader](/iam/docs/roles-permissions/artifactregistry#artifactregistry.reader) (`roles/artifactregistry.reader`)
- To verify SBOMs: Storage Object Viewer (`roles/storage.objectViewer`) - a specific Cloud Storage bucket

For more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).

You might also be able to get the required permissions through [custom roles](/iam/docs/creating-custom-roles) or other [predefined roles](/iam/docs/roles-overview#predefined).

What's next

- [Generate SBOMs](/artifact-analysis/docs/generate-store-sboms).
- Learn how to use [VEX statements](/artifact-analysis/docs/create-vex).

Last updated 2025-09-02 UTC.