Published : Mar 29, 2022
NOT ON THE CURRENT EDITION
This blip is not on the current edition of the Radar. If it was on one of the last few editions, it is likely that it is still relevant. If the blip is older, it might no longer be relevant and our assessment might be different today. Unfortunately, we simply don't have the bandwidth to continuously review blips from previous editions of the Radar. Understand more
Trial Worth pursuing. It is important to understand how to build up this capability. Enterprises should try this technology on a project that can handle the risk.
One of the key elements of improving "supply chain security" is using a Software Bill of Materials (SBOM), which is why publishing an SBOM along with the software artifact is increasingly important. Syft is a CLI tool and Go library for generating an SBOM from container images and file systems. It can generate the SBOM output in multiple formats, including JSON, CycloneDX and SPDX. The SBOM output of Syft can be used by Grype for vulnerability scanning. One way to publish the generated SBOM along with the image is to add it as an attestation using Cosign. This allows consumers of the image to verify the SBOM and to use it for further analysis.