
SBOM

Medium (good to know) · Security

ELI5 — The Vibe Check

An SBOM is the complete ingredient list for your software: every library, every dependency, every version, and which one pulled in which. It is the ingredient label on a food package, but for code. When a new vulnerability drops, you query your SBOM to see whether you are affected instead of frantically grepping through repos.

Real Talk

A Software Bill of Materials is a machine-readable inventory of every component in a software product: direct and transitive dependencies, their versions, licenses and suppliers, plus the dependency relationships between them. The two common formats are SPDX (standardised as ISO/IEC 5962:2021) and CycloneDX (an OWASP project), both available as JSON; both identify components by package URL (purl). US Executive Order 14028 (2021) directed the federal government to require SBOMs from vendors of software sold to agencies, and NTIA's minimum-elements guidance lists what one must contain: supplier, component name, version, other unique identifiers, dependency relationships, the SBOM author and a timestamp. Two practitioner caveats: generate the SBOM from the artifact you actually ship (the container image or binary), not only from a manifest or lockfile, or vendored and dynamically fetched code will be missing; and an SBOM lists components, not vulnerabilities, so it has to be matched against a vulnerability database (that is what grype does) and regenerated on every build so it never drifts from what is deployed.

Show Me The Code

# Generate a CycloneDX JSON SBOM for the current directory with syft
# (older syft releases spell the subcommand "syft packages")
syft scan dir:. -o cyclonedx-json=sbom.json

# Better: scan the artifact you actually ship, e.g. a container image
# (ghcr.io/example/app:1.0 is a placeholder image name)
syft scan registry:ghcr.io/example/app:1.0 -o spdx-json=sbom.spdx.json

# Match the SBOM's components against grype's vulnerability database;
# --fail-on makes the command exit non-zero so a CI job can gate on it
grype sbom:./sbom.json --fail-on high
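Consuming the SBOM you just generated, as an added example rather than code from the page or from the syft/grype projects: the script below loads a small CycloneDX 1.4 JSON document (constructed here to look like syft output; the component names under com.example and the application name billing-service are made up), looks for a named package inside a vulnerable version range using its package URL, and walks the SBOM's dependencies section to report which direct dependency pulled it in. The worked check uses the Log4Shell range (log4j-core from 2.0-beta9 up to 2.14.1, fixed in 2.15.0, per Apache's advisory for CVE-2021-44228). The version-comparison helper is a deliberately simple numeric-prefix comparison, not a full Maven or semver parser.

```python
"""Answer "are we affected?" straight from a CycloneDX JSON SBOM."""
import json
import re
from collections import deque

# pkg:<type>/[<namespace>/]<name>@<version>  (qualifiers and subpath ignored)
PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>[^@]+)/)?(?P<name>[^/@?#]+)@(?P<version>[^?#]+)")


def parse_purl(purl):
    """Split a package URL into type/namespace/name/version, or None if malformed."""
    m = PURL_RE.match(purl or "")
    return m.groupdict() if m else None


def version_key(v):
    """Sortable key from the numeric dotted prefix, so '2.14.1' < '2.15.0'.
    A pre-release such as '2.0-beta9' keys as its prefix (2, 0, 0); good
    enough for this range check, not a full Maven/semver comparator."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    nums = [int(x) for x in m.group(0).split(".")] if m else []
    return tuple(nums + [0] * max(0, 3 - len(nums)))


# Constructed sample SBOM shaped like syft's CycloneDX 1.4 JSON output.
LOG4J_CORE = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
LOG4J_API = "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"
REPORT_LIB = "pkg:maven/com.example/report-lib@3.2.0"   # made-up library
LODASH = "pkg:npm/lodash@4.17.21"


def _component(purl):
    """Minimal CycloneDX component entry; syft uses the purl as the bom-ref."""
    p = parse_purl(purl)
    return {"bom-ref": purl, "type": "library", "name": p["name"],
            "version": p["version"], "purl": purl}


SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "billing-service", "version": "1.0.0"}},
    "components": [_component(p) for p in (REPORT_LIB, LOG4J_CORE, LOG4J_API, LODASH)],
    # Graph: app -> report-lib -> log4j-core -> log4j-api, and app -> lodash
    "dependencies": [
        {"ref": "app", "dependsOn": [REPORT_LIB, LODASH]},
        {"ref": REPORT_LIB, "dependsOn": [LOG4J_CORE]},
        {"ref": LOG4J_CORE, "dependsOn": [LOG4J_API]},
    ],
})


def find_affected(sbom, purl_type, namespace, name, introduced, fixed):
    """Components matching type/namespace/name with version in [introduced, fixed)."""
    hits = []
    for c in sbom.get("components", []):
        p = parse_purl(c.get("purl"))
        if not p or (p["type"], p["namespace"], p["name"]) != (purl_type, namespace, name):
            continue
        if version_key(introduced) <= version_key(p["version"]) < version_key(fixed):
            hits.append(c)
    return hits


def dependency_path(sbom, target_ref):
    """Shortest chain of bom-refs from the root component to target_ref (BFS),
    i.e. which direct dependency dragged the affected one in. None if unreachable."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target_ref:
            return path
        for nxt in edges.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def check_log4shell(sbom_json):
    """CVE-2021-44228: log4j-core 2.0-beta9 through 2.14.1 affected, fixed in 2.15.0.
    Returns (purl, dependency path) for every affected component."""
    sbom = json.loads(sbom_json)
    hits = find_affected(sbom, "maven", "org.apache.logging.log4j", "log4j-core", "2.0", "2.15.0")
    return [(c["purl"], dependency_path(sbom, c["bom-ref"])) for c in hits]


if __name__ == "__main__":
    for purl, path in check_log4shell(SAMPLE_SBOM_JSON):
        print(f"AFFECTED: {purl}\n  via: {' -> '.join(path)}")
```

Point the same functions at a real `sbom.json` from syft and the only thing that changes is the input; the dependency path is what tells you whether the fix is bumping your own pin or waiting on an upstream library release.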

When You'll Hear This

"When Log4Shell dropped, we checked our SBOM and knew within minutes we weren't affected." / "Government contracts now require an SBOM with every software delivery."

Made with passive-aggressive love by manoga.digital. Powered by Claude.