Cloudsmith’s Enterprise Policy Manager (EPM) now leverages Software Bill of Materials (SBOM) data to enable powerful, component-level policies for Docker and OCI container images.
This upgrade extends EPM policy enforcement beyond basic package metadata to the internal components of an image, giving you more control over the composition of containers used within your organization.
With SBOM data, you can now apply EPM policies based on:
- Image components: Target specific components by name or other attributes.
- Component licenses: Enforce license compliance by applying rules based on the licenses of any component within the container.
How it works
- Cloudsmith generates a CycloneDX SBOM for every Docker or OCI container image uploaded to Cloudsmith.
- The SBOM is exposed in the EPM schema as the input.v0.sbom field, in the native CycloneDX Bill of Materials JSON format.
- Any field in that JSON document can be referenced from a policy. Besides exploring the schema, you can also view the SBOM data for an image in the Cloudsmith web app.
- All standard EPM actions (including block, quarantine and tag) are available when creating policies based on SBOM data.
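The component-name targeting described above, as an added example that is not part of Cloudsmith's documentation or EPM's own policy set: it assumes only that input.v0.sbom holds a CycloneDX document whose components carry the standard name and purl attributes. The deny-listed component names and the purl prefix are placeholders chosen for illustration, not a recommendation.

```rego
package cloudsmith

import rego.v1

default match := false

# Hypothetical deny-list of component names your organization does not allow
# inside images. The names are placeholders, not real packages.
denied_components := {"example-telnetd", "example-debug-agent"}

# Hypothetical deny-list of package-URL prefixes (CycloneDX purl field), so an
# entire ecosystem can be kept out of images regardless of component name.
denied_purl_prefixes := {"pkg:example-ecosystem/"}

# Fire the policy action when any component's name is on the deny-list.
match if {
	input.v0.sbom != null
	some component in input.v0.sbom.components
	component.name in denied_components
}

# Fire the policy action when any component's purl starts with a denied prefix.
# A component without a purl simply fails this body, so it is not flagged here.
match if {
	input.v0.sbom != null
	some component in input.v0.sbom.components
	some prefix in denied_purl_prefixes
	startswith(component.purl, prefix)
}
```

To exercise the policy outside EPM, save it as policy.rego, write a JSON file whose top-level object is {"v0": {"sbom": <a CycloneDX document>}}, and run opa eval -d policy.rego -i input.json 'data.cloudsmith.match'. Because either rule can make match true, the policy's configured action (block, quarantine or tag) applies as soon as one component trips either check.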
Example policy
Here is a simple policy that enforces a strict allow-list of licenses. EPM applies the policy's action whenever match evaluates to true, so the rule must fire on components whose license falls outside the allow-list, not on the allowed ones:
package cloudsmith
import rego.v1

default match := false

# Licenses your organization permits, as SPDX identifiers matching license.id in the SBOM
allowed_licenses := {"MIT", "ISC", "Apache-2.0"}

# Fire the policy action when any component declares a license not on the allow-list
match if {
	input.v0.sbom != null
	some component in input.v0.sbom.components
	some entry in component.licenses
	not entry.license.id in allowed_licenses
}
Two CycloneDX details matter before relying on this rule. A license entry may carry an SPDX expression or a free-text name instead of an id; since not also succeeds when its operand is undefined, such entries fire the policy as well, which is fail-closed and usually what an allow-list wants. A component with no licenses array at all is skipped, however, so add a second match rule if unlicensed components should be caught too.
This capability is in Early Access, available to Ultra and Enterprise customers via Enterprise Policy Manager. Learn more in the Enterprise Policy Manager docs, and contact us to request early access.