How to add a Software Bill of Materials (SBOM) to your containers with GitHub Actions


Learn how to add a Software Bill of Materials (SBOM) to your containers with GitHub Actions in a few easy steps. An SBOM is an inventory of the components that make up a software application, including the version of each component. The version matters because it can be cross-referenced against a vulnerability database to determine whether the component has any known vulnerabilities. By Alex Ellis.

In this article you will learn:

  • What is a Software Bill of Materials (SBOM)?
  • Check out an SBOM for yourself
  • Checking for vulnerabilities
  • Generate an SBOM from within GitHub Actions

In this article the author looks at Anchore's two open source tools, Syft and Grype, and how they can be used to generate an SBOM and scan it for vulnerabilities. With the SBOM approach, responsibility is rebalanced, with the supplier taking on an active role in security. The consumer can then use the supplier's SBOMs, run their own scanning infrastructure, or both. Nice one!
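As an added illustration for this summary (not code from Alex Ellis's article, and not how Syft or Grype are implemented), the snippet below performs the cross-reference step described above: it reads a hand-constructed CycloneDX-style SBOM, pulls each component's ecosystem, name and version from its package URL, and checks it against a hand-constructed vulnerability feed whose identifiers are placeholders rather than real CVE numbers. The version comparison is deliberately simplified; real scanners apply ecosystem-specific versioning rules. A final function turns the findings into a pass/fail decision of the kind you would put at the end of a CI job.

```python
"""Cross-reference SBOM component versions against a vulnerability feed.

Added illustration only: not code from the article and not Syft's or
Grype's implementation. SBOM and feed below are constructed by hand;
the vulnerability IDs are placeholders, not real CVE numbers.
"""
import json
import re

# Constructed CycloneDX-style SBOM describing three packages in an image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "purl": "pkg:apk/alpine/openssl@1.1.1k"},
    {"type": "library", "name": "busybox", "version": "1.33.1-r3",
     "purl": "pkg:apk/alpine/busybox@1.33.1-r3"},
    {"type": "library", "name": "requests", "version": "2.25.1",
     "purl": "pkg:pypi/requests@2.25.1"}
  ]
}
"""

# Constructed feed: versions >= introduced and < fixed are affected.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "ecosystem": "apk", "package": "openssl",
     "introduced": "1.1.1", "fixed": "1.1.1l", "severity": "High"},
    {"id": "EXAMPLE-0002", "ecosystem": "pypi", "package": "requests",
     "introduced": "2.3.0", "fixed": "2.31.0", "severity": "Medium"},
    {"id": "EXAMPLE-0003", "ecosystem": "apk", "package": "busybox",
     "introduced": "1.0", "fixed": "1.33.0", "severity": "Critical"},
]

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# pkg:<type>/<optional namespace>/<name>@<version>
_PURL_RE = re.compile(r"^pkg:([^/]+)/(?:.*/)?([^/@]+)@([^?#]+)")


def version_key(version):
    """Tokenise a version so numbers compare numerically and letters
    lexically (1.1.1k < 1.1.1l, 1.33.1-r3 > 1.33.0). Simplified on purpose."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in re.findall(r"\d+|[A-Za-z]+", version))


def parse_purl(purl):
    """Return (ecosystem, name, version) from a package URL."""
    m = _PURL_RE.match(purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl}")
    return m.group(1), m.group(2), m.group(3)


def load_components(sbom_json):
    """Extract the component inventory from a CycloneDX-style document."""
    doc = json.loads(sbom_json)
    out = []
    for comp in doc.get("components", []):
        eco, name, version = parse_purl(comp["purl"])
        out.append({"ecosystem": eco, "name": name, "version": version})
    return out


def is_affected(version, introduced, fixed):
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def match_vulnerabilities(components, feed):
    """The cross-reference step: same ecosystem and name, version in range."""
    findings = []
    for comp in components:
        for vuln in feed:
            if (vuln["ecosystem"], vuln["package"]) != (comp["ecosystem"], comp["name"]):
                continue
            if is_affected(comp["version"], vuln["introduced"], vuln["fixed"]):
                findings.append({"id": vuln["id"], "package": comp["name"],
                                 "version": comp["version"], "fixed": vuln["fixed"],
                                 "severity": vuln["severity"]})
    return findings


def should_fail(findings, cutoff):
    """CI gate: fail when any finding is at or above the cutoff severity."""
    threshold = SEVERITY_RANK[cutoff]
    return any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings)


if __name__ == "__main__":
    found = match_vulnerabilities(load_components(SBOM_JSON), VULN_FEED)
    for f in found:
        print(f"{f['id']}: {f['package']} {f['version']} ({f['severity']}), fixed in {f['fixed']}")
    raise SystemExit(1 if should_fail(found, "High") else 0)
```

Run as a script it lists the two affected components (openssl and requests; busybox is already past its fixed version) and exits non-zero because a High finding is present. Pointing it at an SBOM emitted by a real tool would require a complete purl parser and per-ecosystem version schemes, which is exactly the work Grype does for you.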


Tags cicd containers docker infosec