A Software Bill of Materials is a boring data structure that became a legal requirement. Here is what an SBOM actually is at the bit level, the SPDX versus CycloneDX split, the generation and consumption workflow that matters, and what the EU CRA and US procurement rules are actually asking for in 2026.
Sbom
-
SBOMs and the Compliance Wave: From Acronym to Legal Obligation -
Trivy: Container and IaC Vulnerability Scanning A complete guide to Trivy — scanning container images, filesystems, Terraform, Kubernetes clusters, and generating SBOMs with a single tool.
-
Supply Chain Security: SBOMs, Sigstore, Cosign, and SLSA A practical guide to software supply chain security — generating SBOMs with Syft, signing artifacts with Cosign and Sigstore, verifying provenance with SLSA, and integrating these controls into your CI/CD pipeline.