The SBOM is supposed to tell you what’s in your software. For containerized applications, a static SBOM tells you what packages are present in the container image. That’s a different question than what packages execute during runtime—and the difference between the two is the difference between an accurate risk inventory and an overestimated one.
Static container SBOMs are not wrong. They’re incomplete. They represent one half of the information needed for accurate vulnerability assessment.
The Measurement Problem in Static Container SBOMs
A standard container image SBOM generation tool—Syft, Trivy in SBOM mode, or similar—scans the container image layers and produces a list of detected packages and their versions. This list is accurate in the sense that those packages are present in the image.
What the list cannot determine: which packages are ever loaded into memory when the application runs. A package installed in the base image that no running application code imports is listed in the SBOM with the same format and completeness as a package that’s called on every request.
For vulnerability assessment, this distinction is critical. A CVE in an unloaded package represents a different risk level than a CVE in a package processing production traffic. Static SBOMs treat them identically.
The measurement gap has a specific scale. For applications built on standard base images, 50-80% of the packages listed in the SBOM may never load at runtime. A static SBOM with 400 entries may accurately represent the content of the image while misrepresenting the actual execution footprint by 3-4x.
A 400-package static SBOM where 300 packages never load is not an inaccurate SBOM. It’s an accurate inventory of an oversized artifact. The SBOM accurately reflects the problem: the image carries too much.
What Accurate Container SBOMs Require?
Runtime execution data to identify what loads
Container image security runtime profiling generates the execution data that static analysis cannot produce: which packages are observed loading during application execution. This is the Runtime Bill of Materials (RBOM)—the subset of the static SBOM that participates in actual runtime behavior.
The RBOM is generated by profiling the application under representative load: running the application against realistic workloads, capturing which libraries and packages are loaded, and producing a component list grounded in observed execution.
The comparison between the static SBOM and the RBOM reveals:
- Packages in both (active runtime components—highest vulnerability priority)
- Packages in SBOM only (present but never loaded—removal candidates or lower priority)
- The accuracy gap: the ratio of SBOM-only to RBOM-present packages quantifies how much the static SBOM overestimates the actual execution surface
How SBOM accuracy affects vulnerability prioritization
Container vulnerability scanner output against an accurate RBOM produces fundamentally different prioritization than against a static SBOM. The CVE list is shorter. The findings are more relevant. The remediation queue contains fewer items that represent no actual runtime risk.
Security teams triaging CVEs from a static SBOM without runtime correlation are triaging a list that’s 3-4x larger than necessary. The time spent on CVEs in non-executing packages is time not spent on CVEs in packages that process production traffic.
Practical Steps for Improving Container SBOM Accuracy
Generate both SBOM and RBOM for every container image version. The SBOM provides the compliance artifact and complete component inventory. The RBOM provides the runtime-verified execution profile. Both are necessary; neither alone is sufficient for accurate vulnerability assessment.
Report the SBOM-to-RBOM ratio as a container quality metric. A container with 400 packages in its SBOM and 40 in its RBOM has a 10:1 ratio—90% of its package footprint is unused at runtime. This ratio is a quantified measure of bloat and a target for hardening. Track it per container and set improvement targets.
Use the SBOM-RBOM gap as the input to hardening. Packages in the SBOM that don’t appear in the RBOM are removal candidates. Running a hardening process that removes these packages converts the static SBOM’s overestimate into an accurate picture: after hardening, the static SBOM and RBOM should approximately converge because the image only contains what executes.
Update profiling when application code changes significantly. The RBOM accuracy depends on profiling coverage. A profiling run that exercises 60% of code paths produces an RBOM that misses 40% of runtime behavior. When the application adds significant new functionality, re-profile to capture the expanded runtime footprint.
Document the profiling methodology alongside the RBOM. An RBOM without documentation of how it was generated is not verifiable. Document what workloads were exercised, what coverage was achieved, and how the profiling run was validated. This documentation supports the RBOM’s use in compliance evidence and vendor assessments.
Frequently Asked Questions
What is the primary purpose of an SBOM for containers?
The primary purpose of an SBOM for containers is to provide a complete, verifiable inventory of all software components in a container image—including OS-level packages, language runtimes, and all direct and transitive dependencies. This inventory enables vulnerability assessment, license compliance auditing, and supply chain risk management. For containers specifically, an accurate SBOM must cover all image layers, not just the application layer.
Why are SBOMs important for open source licensing and third-party software risk?
SBOMs make the full dependency graph—including transitive dependencies that developers didn’t explicitly choose—visible and auditable. Without an SBOM, CVEs in indirectly-included packages may go undetected, and license obligations from transitive dependencies (such as copyleft licenses) may be violated unknowingly. The SBOM converts the hidden dependency graph into a formal record that can be monitored for both security and legal risk.
Why is static analysis alone not enough for accurate container SBOMs?
Static container SBOMs accurately list packages that are present in an image but cannot determine which packages actually load at runtime. For typical applications built on standard base images, 50-80% of listed packages may never execute. This means static SBOMs can overestimate the actual runtime vulnerability surface by 3-4x, causing security teams to triage CVEs in packages that pose no real risk while potentially deprioritizing findings in packages that do execute.
What is a Runtime Bill of Materials (RBOM) and how does it differ from a static SBOM?
An RBOM (Runtime Bill of Materials) is generated by profiling the application under representative load to capture which packages and libraries are actually loaded during execution. Unlike a static SBOM—which lists everything present in the image regardless of whether it runs—an RBOM reflects the actual execution footprint. The gap between the static SBOM and the RBOM identifies removal candidates: packages that are present but never loaded and can be hardened out of the image.
The Accuracy Argument for Compliance
Compliance frameworks that require SBOMs don’t specify whether those SBOMs should be static or runtime-verified. But the intent behind the requirement—visibility into what software components are in use—is better served by runtime-accurate inventories than by static package lists.
An auditor assessing SBOM compliance for a containerized application may accept a static SBOM as satisfying the requirement. An auditor assessing supply chain risk management may find that a static SBOM with 400 packages that includes 300 never-executed ones is a less useful risk management tool than an RBOM with 100 packages that accurately reflects the execution surface.
The compliance checkbox and the security value are separate considerations. Static SBOMs can satisfy the compliance checkbox. Runtime-informed SBOMs provide the security value that the compliance checkbox was designed to encourage.
Build toward the security value, not just the checkbox.