# SBOMs

> A guide on using Software Bill of Materials for Talos Linux.

export const release_v1_13 = 'v1.13.0';

A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of the components used in building a software product.
SBOMs provide transparency and traceability of software components, which is essential for security, compliance, and efficient management of software supply chains.

Talos Linux provides SBOMs for core operating system components, including the Linux kernel, built-in components like `containerd`, and other software packages used to build Talos Linux.
When a system extension is installed, it can also provide its own SBOM, which will be included in the overall SBOM for the Talos Linux system.

## Acquiring SBOMs

SBOMs for Talos Linux are provided in SPDX format, which is a standard format for representing SBOMs.
You can acquire SBOMs for Talos Linux in the following ways:

* Download the SBOM for a specific Talos Linux release from the <a href={`https://github.com/siderolabs/talos/releases/tag/${release_v1_13}`}>GitHub release</a> page:
  * `talos-amd64.spdx.json` for the amd64 architecture.
  * `talos-arm64.spdx.json` for the arm64 architecture.
* Acquire the SBOM from a running Talos Linux system using the `talosctl` command:
  * core Talos Linux SBOM in the `/usr/share/spdx` directory.
  * extension SBOMs in the `/usr/local/share/spdx` directory.
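To see what a downloaded SPDX file carries per package, here is an added example (not part of the Talos documentation or tooling) that summarises an SPDX 2.3 JSON SBOM the way `talosctl get sbom` presents it, and flags packages that carry no CPE or purl, which a scanner cannot match. The embedded SBOM is a constructed sample, not a real `talos-amd64.spdx.json`.

```python
import json

# Constructed sample in the shape of an SPDX 2.3 JSON SBOM such as
# talos-amd64.spdx.json (sample data, not a real release file).
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "talos-amd64",
    "packages": [
        {"name": "kernel", "SPDXID": "SPDXRef-kernel", "versionInfo": "6.12.38",
         "licenseConcluded": "GPL-2.0-only",
         "externalRefs": [{"referenceCategory": "SECURITY",
                           "referenceType": "cpe23Type",
                           "referenceLocator": "cpe:2.3:o:linux:linux_kernel:6.12.38:*:*:*:*:*:*:*"}]},
        {"name": "apparmor", "SPDXID": "SPDXRef-apparmor", "versionInfo": "v3.1.7",
         "licenseConcluded": "GPL-2.0-or-later", "externalRefs": []},
    ],
})

# Reference types a vulnerability scanner can match on: CPE 2.3 strings and package URLs.
MATCHABLE_REFS = {"cpe23Type", "purl"}


def summarize_spdx(text):
    """Return one row per package: name, version, license and matchable identifiers."""
    rows = []
    for pkg in json.loads(text).get("packages", []):
        refs = [ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                if ref.get("referenceType") in MATCHABLE_REFS]
        rows.append({
            "name": pkg.get("name", ""),
            "version": pkg.get("versionInfo", "NOASSERTION"),
            "license": pkg.get("licenseConcluded", "NOASSERTION"),
            "identifiers": refs,
        })
    return rows


def packages_without_identifiers(rows):
    """Packages with no CPE or purl are invisible to a CPE/purl-based scanner."""
    return [row["name"] for row in rows if not row["identifiers"]]


if __name__ == "__main__":
    rows = summarize_spdx(SAMPLE_SPDX)
    for row in rows:
        print(f"{row['name']:<10} {row['version']:<9} {row['license']:<18} {' '.join(row['identifiers'])}")
    print("not scannable:", packages_without_identifiers(rows))
```

Run it against a real release file by replacing `SAMPLE_SPDX` with the contents of `talos-amd64.spdx.json`; packages listed as not scannable will never appear in scan results, regardless of their actual exposure.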

## SBOMs as resources

Talos Linux SBOMs are also available as resources in the Talos Linux system.
You can access the SBOMs using the `talosctl` command:

<CodeBlock lang="sh">
  {`
    talosctl get sboms
    NODE         NAMESPACE   TYPE       ID              VERSION   VERSION                LICENSE
    172.20.0.2   runtime     SBOMItem   Talos           1         ${release_v1_13}
    172.20.0.2   runtime     SBOMItem   apparmor        1         v3.1.7                 GPL-2.0-or-later
    172.20.0.2   runtime     SBOMItem   cel.dev/expr    1         v0.24.0
    ...
    `}
</CodeBlock>

You can also get the SBOM for a specific component using the `talosctl get sbom` command:

```yaml
# talosctl get sbom kernel -o yaml
node: 172.20.0.2
metadata:
    namespace: runtime
    type: SBOMItems.talos.dev
    id: kernel
    version: 1
    owner: runtime.SBOMItemController
    phase: running
    created: 2025-07-24T14:20:29Z
    updated: 2025-07-24T14:20:29Z
spec:
    name: kernel
    version: 6.12.38
    license: GPL-2.0-only
    cpes:
        - cpe:2.3:o:linux:linux_kernel:6.12.38:*:*:*:*:*:*:*
```

## Scanning SBOMs

You can scan SBOMs for known vulnerabilities using tools like [Grype](https://github.com/anchore/grype).
You will need two input files for scanning:

* The SBOM file in SPDX format.
* The VEX (Vulnerability Exploitability eXchange) database.

The VEX database is used to filter out vulnerabilities that are not applicable to the specific software version or configuration,
which helps to reduce false positives in vulnerability scanning.

<Note> The VEX database is available to Enterprise customers of Talos Linux. Contact [Sidero support](https://www.siderolabs.com/contact/) for access. </Note>

The basic command to scan the SBOM is as follows:

```bash
grype sbom:talos-amd64.spdx.json
```

With the VEX database, the command becomes:

```bash
grype sbom:talos-amd64.spdx.json --vex vex.json
```
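To make the filtering concrete, here is an added illustration (not grype's implementation and not Sidero's VEX data) that applies OpenVEX statements to constructed grype-style findings: only `not_affected` and `fixed` statements hide a match, while `under_investigation` keeps it in the report. All CVE ids, purls and document ids below are placeholders.

```python
import json

# Constructed grype-style JSON output; the CVE ids and purls are placeholders.
SCAN_OUTPUT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-00001"},
     "artifact": {"name": "kernel", "purl": "pkg:generic/kernel@6.12.38"}},
    {"vulnerability": {"id": "CVE-0000-00002"},
     "artifact": {"name": "kernel", "purl": "pkg:generic/kernel@6.12.38"}},
    {"vulnerability": {"id": "CVE-0000-00003"},
     "artifact": {"name": "apparmor", "purl": "pkg:generic/apparmor@3.1.7"}},
]})

# Constructed OpenVEX document in the shape grype accepts with --vex.
VEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/sample-1",
    "author": "Example Author (placeholder)",
    "timestamp": "2025-07-24T14:20:29Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-00001"},
         "products": [{"@id": "pkg:generic/kernel@6.12.38"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_present"},
        {"vulnerability": {"name": "CVE-0000-00003"},
         "products": [{"@id": "pkg:generic/apparmor@3.1.7"}],
         "status": "under_investigation"},
    ],
})

# Only these statuses justify hiding a finding; "affected" and
# "under_investigation" leave it in the report.
SUPPRESSING_STATUSES = {"not_affected", "fixed"}


def apply_vex(scan_json, vex_json):
    """Return the (vulnerability id, purl) pairs that survive VEX filtering."""
    suppressed = set()
    for stmt in json.loads(vex_json).get("statements", []):
        if stmt.get("status") not in SUPPRESSING_STATUSES:
            continue
        for product in stmt.get("products", []):
            suppressed.add((stmt["vulnerability"]["name"], product["@id"]))
    kept = []
    for match in json.loads(scan_json)["matches"]:
        key = (match["vulnerability"]["id"], match["artifact"]["purl"])
        if key not in suppressed:
            kept.append(key)
    return kept
```

When reviewing a VEX document, check that every suppressing statement carries a `justification`; a `not_affected` entry without one explains nothing to the next person auditing the scan.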
