Exploring VM Disk Image Scanning: sbom-vm Project
Hi everyone!
Following up on our previous discussions about improvements to scanning whole machines, I wanted to share a project I’ve been working on this weekend that explores how we might generate SBOMs from VM disk images without booting them.
What is sbom-vm?
sbom-vm is an experimental project that demonstrates how we can leverage Linux utilities (qemu-nbd, mount, etc.) to safely mount VM disk images in read-only mode, allowing Syft to scan their contents without requiring the VM to be running.
Key Features
- Read-only mounting of VM disk images via qemu-nbd
- Support for multiple formats (qcow2, vmdk, vhd, raw)
- Automatic detection and mounting of common filesystems (NTFS, ext4, HFS+, APFS, ZFS)
- Safe, non-destructive SBOM generation using Syft
- Test image generation utility for development and testing
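A minimal version of the mount-then-scan flow described above, written here as an added example (not the sbom-vm project's own code): it attaches the image read-only through qemu-nbd, mounts each partition with options that keep the image untouched and non-executable, and hands the mount point to Syft. It assumes root, qemu-nbd, blkid, partprobe and syft are installed, and covers the filesystems a stock Linux kernel mounts (ext, XFS, NTFS, HFS+), not APFS or ZFS.

```shell
#!/usr/bin/env bash
# Added example: mount a VM disk image read-only through qemu-nbd and
# scan it with Syft. Not the sbom-vm project's code. Assumes root,
# qemu-nbd, blkid, partprobe and syft are installed.
set -euo pipefail

# qemu-nbd format name for an image file extension (vhd is "vpc" in qemu).
image_format() {
  case "${1##*.}" in
    qcow2) echo qcow2 ;;
    vmdk)  echo vmdk ;;
    vhd)   echo vpc ;;
    vhdx)  echo vhdx ;;
    *)     echo raw ;;
  esac
}

# Mount options for a filesystem type. Everything is read-only, nothing
# from the image may be executed or treated as a device or setuid, and
# journalled filesystems skip journal replay so the image is never written.
mount_opts() {
  local base="ro,noexec,nosuid,nodev"
  case "$1" in
    ext3|ext4) echo "$base,noload" ;;
    xfs)       echo "$base,norecovery" ;;
    *)         echo "$base" ;;
  esac
}

# Attach the image, mount every partition with a known filesystem,
# run Syft over each mount, then detach. Cleanup runs even on failure.
scan_image() {
  local image="$1" outdir="$2" dev="${3:-/dev/nbd0}" mnt part fstype
  mnt="$(mktemp -d)"
  modprobe nbd max_part=16
  qemu-nbd --read-only --format="$(image_format "$image")" --connect="$dev" "$image"
  trap 'umount "$mnt" 2>/dev/null || true; qemu-nbd --disconnect "$dev"; rmdir "$mnt"' EXIT
  partprobe "$dev" 2>/dev/null || true
  for part in "$dev" "$dev"p*; do            # whole device covers unpartitioned images
    fstype="$(blkid -o value -s TYPE "$part" 2>/dev/null || true)"
    [ -n "$fstype" ] || continue              # skip partition tables, swap, unknown
    mount -t "$fstype" -o "$(mount_opts "$fstype")" "$part" "$mnt"
    syft scan "dir:$mnt" -o "spdx-json=$outdir/$(basename "$part").spdx.json"
    umount "$mnt"
  done
}

if [ "$#" -ge 2 ]; then scan_image "$@"; fi
```

Usage: `sudo ./scan.sh guest.qcow2 ./sboms` writes one SPDX document per mounted partition.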
Project Goals
This project is primarily an exploration of techniques for building SBOMs from disk images from outside the running VM. The lessons learned could potentially inform improvements to Syft or additions to stereoscope for handling VM disk images natively.
For those who need to scan VM disk images now, this tool might serve as an interim solution until such functionality is potentially integrated into Syft/stereoscope directly.
Try It Out
The project is available on GitHub: sbom-vm
I’d love to hear your thoughts, experiences, and suggestions if you give it a try. What other use cases should we consider? What challenges have you faced when scanning VM disk images?
What’s Next?
This is very much a prototype to explore the space and start the conversation. I’m particularly interested in:
- Understanding different VM disk image scanning needs in the community
- Identifying common challenges and edge cases
- Exploring how this functionality might best fit into the broader Syft ecosystem
Looking forward to your feedback and discussions!