Quickstart

Deploy

Deploy using the docker-compose file from the deployments directory:

curl -LO https://raw.githubusercontent.com/wellmaintained/packages-dhi/main/apps/sbomify/deployments/docker-compose.yml
docker compose up -d

The compliance pack contains all SBOMs, VEX documents, provenance records, vulnerability scans, and the deployment manifest in a single ZIP:

SBOMs — CycloneDX SBOMs for all 6 images (DHI-provided for stock, our-generated for custom)
VEX statements — OpenVEX from DHI + hand-written assessments for custom images
Provenance — SLSA provenance attestations
Vulnerability scans — Grype results for custom images
docker-compose.yml — Deployment manifest

Download the compliance pack from the GitHub Releases page.

Historical releases and compliance bundles are available at GitHub Releases.

Last updated on April 19, 2026 • David Laing