#Docker now includes a command (`docker sbom`) that can build a complete software bill of materials (#sbom) listing every version of every package installed in an image. It does this by scanning the image's layers for package-manager metadata (the OS package database, language ecosystems such as Ruby gems, and so on), so the list covers every package actually present, including the dependencies pulled in by whatever you installed.
You can then use tools to inspect those images for known vulnerabilities.
Here’s the SBOM for the koehn/diaspora image (it’s as small as I could make it, as I remove lots of packages required for building Diaspora but not for running it, e.g., gcc).
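As an added example (not part of the original post, and not the real koehn/diaspora SBOM), here is a small Python script that consumes an SBOM in the SPDX JSON shape that `docker sbom IMAGE --format spdx-json` emits, lists every package with its version and ecosystem, checks whether build-only toolchain packages such as gcc survived into the runtime image, and does a simple exact-version match against an advisory table. The SPDX document, its package versions and the advisory entries (`EXAMPLE-ADV-1`) are all constructed for illustration; they are placeholders, not real vulnerabilities. A real scanner such as Grype or Trivy does range-aware version matching against live vulnerability feeds; this matcher only shows the mechanics.

```python
"""Inspect an SPDX 2.3 JSON SBOM of the kind `docker sbom --format spdx-json`
produces: inventory every package, flag build-only toolchain packages that
should not be in a runtime image, and match exact versions against an
advisory table.

Added example. SAMPLE_SPDX is a constructed document, not the real
koehn/diaspora SBOM; ADVISORIES holds constructed placeholder entries, not
real vulnerabilities.
"""

import json

# Constructed SBOM in the SPDX JSON layout (the document-root entry describes
# the image itself and carries no versionInfo; package entries carry a purl).
SAMPLE_SPDX = json.loads(json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "packages": [
        {"SPDXID": "SPDXRef-DocumentRoot-Image-example-image",
         "name": "example-image", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Package-deb-libc6", "name": "libc6",
         "versionInfo": "2.31-13+deb11u5",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/libc6@2.31-13+deb11u5?arch=amd64&distro=debian-11"}]},
        {"SPDXID": "SPDXRef-Package-deb-gcc", "name": "gcc",
         "versionInfo": "4:10.2.1-1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/gcc@4:10.2.1-1?arch=amd64&distro=debian-11"}]},
        {"SPDXID": "SPDXRef-Package-deb-ruby", "name": "ruby",
         "versionInfo": "1:2.7+2",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/ruby@1:2.7+2?arch=amd64&distro=debian-11"}]},
        {"SPDXID": "SPDXRef-Package-deb-openssl", "name": "openssl",
         "versionInfo": "1.1.1n-0+deb11u3",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/openssl@1.1.1n-0+deb11u3?arch=amd64&distro=debian-11"}]},
        {"SPDXID": "SPDXRef-Package-gem-nokogiri", "name": "nokogiri",
         "versionInfo": "1.12.5",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:gem/nokogiri@1.12.5"}]},
    ],
}))

# Packages needed to compile a Ruby app but not to run it (hypothetical list;
# extend for your own build recipe).
BUILD_ONLY = {"gcc", "g++", "make", "build-essential", "libc6-dev", "linux-headers"}

# Constructed advisory table keyed by (purl type, package name) ->
# [(affected exact version, placeholder advisory id)]. Not real data.
ADVISORIES = {("gem", "nokogiri"): [("1.12.5", "EXAMPLE-ADV-1")]}


def load_packages(sbom):
    """Return (name, version, purl) for every versioned SPDX package.
    The image's document-root entry has no versionInfo and is skipped."""
    out = []
    for pkg in sbom.get("packages", []):
        version = pkg.get("versionInfo")
        if not version:
            continue
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), "")
        out.append((pkg["name"], version, purl))
    return out


def purl_type(purl):
    """'pkg:deb/debian/gcc@...' -> 'deb'; '' when there is no purl."""
    if not purl.startswith("pkg:"):
        return ""
    return purl[4:].split("/", 1)[0]


def summarize(packages):
    """Count packages per ecosystem, e.g. {'deb': 4, 'gem': 1}."""
    counts = {}
    for _, _, purl in packages:
        eco = purl_type(purl) or "unknown"
        counts[eco] = counts.get(eco, 0) + 1
    return counts


def find_build_tools(packages, build_only=BUILD_ONLY):
    """Names of build-only packages still present in the image."""
    return sorted(name for name, _, _ in packages if name in build_only)


def match_advisories(packages, advisories=ADVISORIES):
    """Exact-version matches against the advisory table (toy matcher)."""
    hits = []
    for name, version, purl in packages:
        for affected, adv_id in advisories.get((purl_type(purl), name), ()):
            if version == affected:
                hits.append((name, version, adv_id))
    return hits


if __name__ == "__main__":
    pkgs = load_packages(SAMPLE_SPDX)
    for name, version, purl in pkgs:
        print(f"{purl_type(purl):4} {name:12} {version}")
    print("per ecosystem:", summarize(pkgs))
    print("build-only packages left in image:", find_build_tools(pkgs))
    print("advisory matches:", match_advisories(pkgs))
```

To run it against a real image, replace `SAMPLE_SPDX` with `json.load(open("sbom.json"))` after `docker sbom koehn/diaspora --format spdx-json > sbom.json`; a non-empty `find_build_tools` result means the image still carries compiler packages that could be dropped from the runtime stage.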