If you cannot use the SKT-provided tool, or you already have your own build pipeline, you can use open source tools directly. Below is a list of the major open source tools validated by SK Telecom, along with links to their official documentation.
If you are not comfortable setting up a tool environment and you have Docker installed, consider reviewing the SKT SBOM Generator first.
Tool Selection Guide
```mermaid
graph TD
A[Identify analysis target] --> B{Is it source code?}
B -- Yes --> C[cdxgen recommended]
B -- No --> D{Is it a Docker image?}
D -- Yes --> E[Syft or Trivy recommended]
D -- No --> F[Binary/Firmware]
F --> G[Syft recommended]
```
Major Tools
cdxgen (recommended for source code analysis)
Automatically analyzes projects in various languages such as Java, Python, Node.js, and Go, and generates an SBOM in CycloneDX format.
- Official documentation: https://cdxgen.github.io/cdxgen
- GitHub: https://github.com/CycloneDX/cdxgen
- Supported languages: Java (Maven/Gradle), Python, Node.js, Go, Ruby, PHP, Rust, .NET, C/C++, etc.
Syft (recommended for container image and binary analysis)
Analyzes Docker images, file systems, and binary files to identify both OS packages and application libraries. Supports CycloneDX and SPDX formats.
- Official documentation: https://github.com/anchore/syft
- Supported targets: Docker images, OCI images, tar files, file system directories
Trivy (container image analysis)
An all-in-one tool that can perform container image analysis and vulnerability scanning together.
- Official documentation: https://aquasecurity.github.io/trivy/
- GitHub: https://github.com/aquasecurity/trivy
Security Warning — Trivy Supply Chain Attack Incident (2026)
In March 2026, a supply chain attack occurred in which an attacker re-pointed existing release tags of `aquasecurity/trivy` to inject malware. The GitHub release v0.69.4 (3/19) and the DockerHub images v0.69.5 and v0.69.6 (3/22) have been confirmed as compromised, so please stop using them. To use Trivy safely, follow these principles.
- GitHub Actions: Use a pinned commit SHA or a verified version tag instead of mutable tags (`@master`, `@latest`, `@v1`, etc.).

```yaml
# Recommended: pin to a verified version
- uses: aquasecurity/trivy-action@0.35.0
# Safer: pin to a commit SHA
- uses: aquasecurity/trivy-action@<commit-sha>
```

- Docker images: Specify a particular version tag, or pin to an image digest (`@sha256:...`).

```bash
docker run aquasecurity/trivy:<verified-version> image <target-image>
```

- Official channels: Check the latest security advisories through the GitHub Security Advisory.
This incident shows that if you do not pin versions when adopting an open source tool, you can be exposed to a supply chain attack at any time. Always specify the version of every external tool and verify its integrity before use.
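As an added example (not SK Telecom's or Aqua's code), the script below applies the pinning rule above to CI configuration lines: a 40-hex commit SHA or a `@sha256:` image digest counts as pinned, a release tag is accepted but reported, and floating tags such as `master`, `latest` or `v1` are flagged as mutable. The workflow lines it scans are constructed sample input.

```python
"""Flag unpinned GitHub Action and Docker image references (added example)."""
import re

# Constructed sample lines from a CI workflow; not a real project's config.
SAMPLE_LINES = """
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
      - run: docker run aquasecurity/trivy:latest image myapp:1.0
      - run: docker run aquasecurity/trivy@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef image myapp:1.0
""".strip().splitlines()

MUTABLE_TAGS = {"master", "main", "latest"}
USES_RE = re.compile(r"uses:\s*([\w.-]+/[\w.-]+)@(\S+)")
IMAGE_RE = re.compile(r"docker run\s+(\S+)")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def classify_action_ref(ref):
    """'sha' is immutable, 'version' is a release tag, 'mutable' floats across releases."""
    if SHA1_RE.match(ref):
        return "sha"
    if ref in MUTABLE_TAGS or re.fullmatch(r"v?\d+", ref):  # @v1 / @1 are re-pointed per release
        return "mutable"
    return "version"

def classify_image_ref(image):
    """Digest-pinned images are immutable; a bare name defaults to the mutable 'latest' tag."""
    if DIGEST_RE.search(image):
        return "sha"
    tag = image.rsplit(":", 1)[1] if ":" in image else "latest"
    return "mutable" if tag in MUTABLE_TAGS or re.fullmatch(r"v?\d+", tag) else "version"

def find_unpinned(lines):
    """Return (line_no, reference, kind) for every reference that is not SHA/digest pinned."""
    findings = []
    for n, line in enumerate(lines, 1):
        if (m := USES_RE.search(line)):
            ref, kind = m.group(2), classify_action_ref(m.group(2))
        elif (m := IMAGE_RE.search(line)):
            ref, kind = m.group(1), classify_image_ref(m.group(1))
        else:
            continue
        if kind != "sha":
            findings.append((n, ref, kind))
    return findings

if __name__ == "__main__":
    for line_no, ref, kind in find_unpinned(SAMPLE_LINES):
        print(f"line {line_no}: {ref} -> {kind}")
```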
Language-Specific Dedicated Plugins
Using a build tool plugin lets you extract more accurate dependency information.
| Language/Build Tool | Plugin/Tool | Official Documentation |
|---|---|---|
| Java (Maven) | cyclonedx-maven-plugin | Link |
| Java (Gradle) | cyclonedx-gradle-plugin | Link |
| Python | cyclonedx-bom | Link |
| Node.js | @cyclonedx/cyclonedx-npm | Link |
| Go | cyclonedx-gomod | Link |
Verifying Transitive Dependency Inclusion
An SBOM submitted to SK Telecom must include transitive dependencies.
Transitive dependencies are libraries that the project does not declare directly, but on which the libraries it uses depend internally. If these are omitted, hidden vulnerabilities cannot be detected and the SBOM may be rejected.
Key principle: Generate the SBOM after the build (package installation) is complete.
When only source code is present, transitive dependencies may be omitted. Refer to the table below and complete the prerequisite steps before generating the SBOM.
Transitive Dependency Support by Tool
| Tool / Method | Transitive Dependencies Included | Prerequisite Before SBOM Generation |
|---|---|---|
| cdxgen (source code) | Included automatically | No separate build required (auto-detected) |
| cdxgen (Java/Maven) | Conditional | Run mvn package or mvn dependency:resolve first |
| cdxgen (Java/Gradle) | Conditional | Run ./gradlew dependencies first |
| cdxgen (Python) | Conditional | Activate the virtual environment, then run pip install -r requirements.txt first |
| cdxgen (Node.js) | Conditional | Run npm install or yarn install first |
| Syft (Docker image) | Included automatically | Scan after the image build is complete (includes both OS and app packages) |
| Syft (file system/RootFS) | Included automatically | Scan based on the deployment artifact |
| Maven plugin | Included automatically | Generated automatically during the mvn package phase |
| Gradle plugin | Included automatically | Run ./gradlew cyclonedxBom |
Recommendation: When delivering as a Docker image, scanning the built image with Syft can include more complete transitive dependencies than source code analysis.
Common Precautions
Verify the following before using a tool.
- Transitive dependency inclusion: Refer to the table above and complete the prerequisite steps before generating the SBOM. Missing dependencies are grounds for rejection.
- PURL inclusion: Verify that the generated SBOM includes a `purl` field for every component. SK Telecom's system maps vulnerabilities based on PURL.
- Output format: CycloneDX JSON format is recommended. (Use `-o cyclonedx-json` or an equivalent option.)
- Project information: Verify that the metadata accurately records the name and version of the delivered project.
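As an added example (not SK Telecom's validator), the script below runs the checks from the transitive-dependency section and the precautions above against a CycloneDX JSON document: every component must carry a `purl`, the metadata component must name the delivered project and version, and the `dependencies` graph must reach at least one component only through another component, which is what an SBOM generated after the build looks like. The embedded SBOM is constructed sample input in which `lib-b` is transitive and `lib-c` lacks a PURL.

```python
"""Pre-submission checks for a CycloneDX JSON SBOM (added example)."""
import json
from collections import deque

# Constructed sample SBOM: lib-b is reachable only through lib-a (transitive),
# lib-c has no purl and is not linked in the dependency graph at all.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "demo-app",
                             "version": "1.2.0", "bom-ref": "demo-app@1.2.0"}},
  "components": [
    {"type": "library", "name": "lib-a", "version": "2.0.0",
     "purl": "pkg:maven/com.example/lib-a@2.0.0", "bom-ref": "pkg:maven/com.example/lib-a@2.0.0"},
    {"type": "library", "name": "lib-b", "version": "1.1.0",
     "purl": "pkg:maven/com.example/lib-b@1.1.0", "bom-ref": "pkg:maven/com.example/lib-b@1.1.0"},
    {"type": "library", "name": "lib-c", "version": "3.4.0", "bom-ref": "lib-c@3.4.0"}
  ],
  "dependencies": [
    {"ref": "demo-app@1.2.0", "dependsOn": ["pkg:maven/com.example/lib-a@2.0.0"]},
    {"ref": "pkg:maven/com.example/lib-a@2.0.0", "dependsOn": ["pkg:maven/com.example/lib-b@1.1.0"]}
  ]
}
""")

def components_without_purl(bom):
    """Names of components lacking a purl; vulnerabilities are mapped by PURL."""
    return [c.get("name", "?") for c in bom.get("components", []) if not c.get("purl")]

def metadata_issues(bom):
    """Fields missing from the root component (the delivered project's name and version)."""
    root = bom.get("metadata", {}).get("component", {})
    return [f for f in ("name", "version") if not root.get(f)]

def transitive_refs(bom):
    """bom-refs reachable from the root only through another component."""
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    direct = set(graph.get(root, []))
    seen, queue = set(direct), deque(direct)
    while queue:  # breadth-first walk of the dependency graph
        for child in graph.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen - direct

def validate(bom):
    """Aggregate the checks; an empty 'transitive' list usually means the SBOM predates the build."""
    return {"missing_purl": components_without_purl(bom),
            "metadata_issues": metadata_issues(bom),
            "transitive": sorted(transitive_refs(bom))}

if __name__ == "__main__":
    print(json.dumps(validate(SAMPLE_BOM), indent=2))
```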
Related Documents
- Submission Requirements: The required data fields that must be included in the SBOM
- Validation Checklist: Items to verify before submission
- SKT SBOM Generator: SK Telecom’s SBOM generation tool