Elevator Pitch
Are you aware of the dependencies inside your container images? How well do you know them? Do you want to be alerted when a zero-day vulnerability lands in one of them? Do you want to scan your Docker images for vulnerabilities continuously? Cool! A Software Bill of Materials is the right solution.
Description
A Software Bill of Materials (SBOM) publishes data about a software component. That data lets any link in the supply chain locate a specific component in “space” and time: where a particular component came from and when it was built. By generating a Software Bill of Materials from container images and filesystems, you get:
- the ability to scan your dependencies for known vulnerabilities
- faster estimation of the blast radius of a zero-day CVE across your company
- evidence of components that violate your security policies
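The second point above is the question every team asks the morning a zero-day drops: which of our images ship the affected package in the vulnerable version range? With an SBOM per image that is a query over data you already have, not a rescan of every registry. The following is an added example, not code from this talk or from sigstore or anchore: it answers that question over a set of CycloneDX JSON SBOMs. The three SBOMs, the image names, the package `libfoo` and its advisory range are all constructed for the example; in practice you would produce the SBOMs with a generator such as syft (`syft <image> -o cyclonedx-json`) and store one per image tag.

```python
"""Query per-image CycloneDX SBOMs for a package in a vulnerable version range.

Added example for the talk abstract; not code from sigstore or anchore.
All SBOM content below is constructed inline so the script runs offline.
"""
from __future__ import annotations

import json
import re

# Constructed CycloneDX 1.4-style SBOMs, trimmed to the fields this script uses.
# Keyed by image reference; a real system would load these from storage.
SBOMS: dict[str, str] = {
    "registry.example/api:1.9.3": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"type": "container", "name": "registry.example/api", "version": "1.9.3"}},
        "components": [
            {"type": "library", "name": "openssl", "version": "3.0.8-r3", "purl": "pkg:apk/alpine/openssl@3.0.8-r3"},
            {"type": "library", "name": "libfoo", "version": "1.3.7", "purl": "pkg:pypi/libfoo@1.3.7"},
        ],
    }),
    "registry.example/worker:2.0.0": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"type": "container", "name": "registry.example/worker", "version": "2.0.0"}},
        "components": [
            {"type": "library", "name": "libfoo", "version": "1.4.2", "purl": "pkg:pypi/libfoo@1.4.2"},
        ],
    }),
    # Same package *name* but a different ecosystem (npm, not pypi): a common
    # source of false positives when matching on name alone.
    "registry.example/frontend:5.1.0": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"type": "container", "name": "registry.example/frontend", "version": "5.1.0"}},
        "components": [
            {"type": "library", "name": "libfoo", "version": "1.3.0", "purl": "pkg:npm/libfoo@1.3.0"},
        ],
    }),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Numeric-only ordering key: '3.0.8-r3' -> (3, 0, 8, 3).

    Deliberate simplification: apk, deb, pypi, maven and npm each define their
    own version ordering, which is why a scanner such as grype matches per
    ecosystem. For a first-hour blast-radius estimate this is usually enough.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def purl_type(purl: str | None) -> str | None:
    """Ecosystem part of a package URL: 'pkg:apk/alpine/openssl@...' -> 'apk'."""
    match = re.match(r"pkg:([^/]+)/", purl or "")
    return match.group(1) if match else None


def components(sbom_json: str) -> list[dict]:
    """Return the component list of a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return bom.get("components", [])


def affected_images(sboms: dict[str, str], package: str, lo: str, hi_exclusive: str,
                    ecosystem: str | None = None) -> dict[str, list[str]]:
    """Return {image: [versions]} for every image whose SBOM lists `package`
    with lo <= version < hi_exclusive, optionally restricted to one purl type.

    Components without a version are skipped: they cannot be placed in the
    range, and a real pipeline should flag them as SBOM-quality defects.
    """
    lo_key, hi_key = parse_version(lo), parse_version(hi_exclusive)
    hits: dict[str, list[str]] = {}
    for image, sbom in sboms.items():
        vulnerable = []
        for comp in components(sbom):
            if comp.get("name") != package or not comp.get("version"):
                continue
            if ecosystem and purl_type(comp.get("purl")) != ecosystem:
                continue
            if lo_key <= parse_version(comp["version"]) < hi_key:
                vulnerable.append(comp["version"])
        if vulnerable:
            hits[image] = vulnerable
    return hits


if __name__ == "__main__":
    # Constructed advisory for the example: libfoo on PyPI, >= 1.2.0 and < 1.4.2.
    for image, versions in affected_images(SBOMS, "libfoo", "1.2.0", "1.4.2", ecosystem="pypi").items():
        print(f"{image}: libfoo {', '.join(versions)} is in the vulnerable range")
```

Run with the ecosystem filter and only `registry.example/api:1.9.3` is reported; drop the filter and the npm `libfoo` in the frontend image is reported too, which is exactly the kind of false positive a name-only query produces. Matching on the purl, which syft and most generators emit, is the cheap fix.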
Notes
We (@developer-guy) are mostly working on and researching secure software supply chain models nowadays. We are also active contributors to the sigstore project and maintain the “awesomeSBOM” organization. In the final demonstration section, we can also use anchore’s projects.
- https://github.com/awesomeSBOM/awesome-sbom
- https://github.com/sigstore
- https://github.com/anchore