A Software Bill of Materials (SBOM) is a list of the software components that a software artifact depends on. Such a list helps determine whether any vulnerable components were used to build the artifact.

From v0.9 onward, ko generates and uploads an SBOM for every image it produces by default.

ko will generate an SBOM in the SPDX format by default, but you can select the CycloneDX format instead with the --sbom=cyclonedx flag. To disable SBOM generation, pass --sbom=none.

These SBOMs can be downloaded using the cosign download sbom command.
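An added example (not part of ko's documentation or code) of what one does with a downloaded SBOM: parse an SPDX JSON document, list its packages, and flag any whose version appears in an advisory list. The SBOM document and the advisory entries are constructed placeholders, not real ko output or real vulnerability data.

```python
import json

# Constructed SPDX 2.3 JSON document in the general shape of a Go-module SBOM
# (packages with Package URL external refs). All names and versions are made up.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "packages": [
        {"SPDXID": "SPDXRef-Package-1", "name": "github.com/example/app",
         "versionInfo": "(devel)",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:golang/github.com/example/app@(devel)"}]},
        {"SPDXID": "SPDXRef-Package-2", "name": "example.com/libfoo",
         "versionInfo": "v1.2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:golang/example.com/libfoo@v1.2.0"}]},
        {"SPDXID": "SPDXRef-Package-3", "name": "example.com/libbar",
         "versionInfo": "v2.0.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:golang/example.com/libbar@v2.0.1"}]},
    ],
})

# Constructed advisory list: module path -> versions reported as affected.
# Placeholder data only; a real check would use a vulnerability database.
KNOWN_BAD = {"example.com/libfoo": {"v1.1.0", "v1.2.0"}}


def packages(sbom_text):
    """Return (name, version, purl) for every package in an SPDX JSON SBOM."""
    doc = json.loads(sbom_text)
    out = []
    for pkg in doc.get("packages", []):
        # The purl (if present) is the most precise identifier for matching.
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        out.append((pkg["name"], pkg.get("versionInfo", ""), purl))
    return out


def affected(sbom_text, advisories):
    """Sorted (name, version) pairs whose version is listed in the advisories."""
    return sorted((n, v) for n, v, _ in packages(sbom_text)
                  if v in advisories.get(n, ()))


if __name__ == "__main__":
    for name, version in affected(SAMPLE_SBOM, KNOWN_BAD):
        print(f"affected: {name} {version}")
```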