Stop Comparing CVE Counts: How SBOM deltas explain upstream vs hardened image security

Introduction Today I’m not here to talk about SBOM scoring, compliance, NTIA, or any of the usual topics. Instead, I want to highlight a completely different, but very real, SBOM use case. This isn’t a theoretical problem; it came straight out of a Reddit thread: https://www.reddit.com/r/sysadmin/comments/1p1xegu/how_to_verify_vulnerability_deltas_between/ Reddit issue (simplified) I compared hardened base images with their official upstream images. Theoretically, CVEs should drop… but scanner results don’t always match reality. ...

December 11, 2025 · 8 min · 1633 words · Vivek Sahu
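The comparison the post above sets up, carried through on two SBOMs. This is an added example, not code from the post or from the author's tooling: it takes a constructed upstream and a constructed hardened CycloneDX SBOM (package names, versions and purls are illustrative and describe no real image) and splits the difference into removed, added, changed and unchanged components. It also flags purl ecosystems that vanish wholesale, because an image that drops its package database looks to a scanner like "every package removed", which is lost visibility rather than remediation.

```python
# Added example (not from the original post). Component-level delta between
# two CycloneDX SBOMs; both SBOMs are constructed inline so this runs offline.
import json

# Constructed: a trimmed "upstream" base image SBOM (CycloneDX JSON).
UPSTREAM_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.11",
         "purl": "pkg:deb/debian/openssl@3.0.11?distro=debian-12"},
        {"type": "library", "name": "curl", "version": "7.88.1",
         "purl": "pkg:deb/debian/curl@7.88.1?distro=debian-12"},
        {"type": "library", "name": "bash", "version": "5.2.15",
         "purl": "pkg:deb/debian/bash@5.2.15?distro=debian-12"},
        {"type": "library", "name": "perl-base", "version": "5.36.0",
         "purl": "pkg:deb/debian/perl-base@5.36.0?distro=debian-12"},
    ],
})

# Constructed: the "hardened" variant. bash and perl-base are stripped,
# openssl is bumped, curl is untouched, and a minimal init is added.
HARDENED_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:deb/debian/openssl@3.0.13?distro=debian-12"},
        {"type": "library", "name": "curl", "version": "7.88.1",
         "purl": "pkg:deb/debian/curl@7.88.1?distro=debian-12"},
        {"type": "application", "name": "tini", "version": "0.19.0",
         "purl": "pkg:deb/debian/tini@0.19.0?distro=debian-12"},
    ],
})


def component_key(component):
    """Version-independent identity of a component.

    Drops the purl version (from '@' up to the '?' qualifiers or '#' subpath)
    so one package at two versions is reported once as 'changed' rather than
    as a removal plus an addition. Components without a purl use type/name.
    """
    purl = component.get("purl")
    if not purl:
        return f"{component.get('type', 'unknown')}/{component['name']}"
    base, at, rest = purl.partition("@")
    if not at:
        return purl
    for marker in ("?", "#"):  # purl order is @version?qualifiers#subpath
        idx = rest.find(marker)
        if idx != -1:
            return base + rest[idx:]
    return base


def index_components(sbom_json):
    """Map version-less key -> component for every component in one SBOM."""
    return {component_key(c): c
            for c in json.loads(sbom_json).get("components", [])}


def sbom_delta(upstream_json, hardened_json):
    """Classify each component as removed, added, changed or unchanged."""
    up = index_components(upstream_json)
    hd = index_components(hardened_json)
    delta = {"removed": [], "added": [], "changed": [], "unchanged": []}
    for key in sorted(set(up) | set(hd)):
        if key not in hd:
            c = up[key]
            delta["removed"].append(f"{c['name']}@{c.get('version')}")
        elif key not in up:
            c = hd[key]
            delta["added"].append(f"{c['name']}@{c.get('version')}")
        elif up[key].get("version") != hd[key].get("version"):
            delta["changed"].append(f"{up[key]['name']} {up[key].get('version')}"
                                    f" -> {hd[key].get('version')}")
        else:
            c = hd[key]
            delta["unchanged"].append(f"{c['name']}@{c.get('version')}")
    return delta


def ecosystem_blind_spots(upstream_json, hardened_json):
    """Purl types present upstream but entirely absent from the hardened SBOM.

    A scanner cannot match CVEs against packages it cannot inventory, so if
    an image loses its package database the count drops regardless of what is
    still on disk. A whole ecosystem disappearing is the tell-tale sign.
    """
    def purl_types(sbom_json):
        return {c["purl"].split("/", 1)[0]
                for c in json.loads(sbom_json).get("components", [])
                if c.get("purl")}
    return sorted(purl_types(upstream_json) - purl_types(hardened_json))


if __name__ == "__main__":
    for bucket, items in sbom_delta(UPSTREAM_SBOM, HARDENED_SBOM).items():
        print(f"{bucket:>9}: {', '.join(items) or '-'}")
    gaps = ecosystem_blind_spots(UPSTREAM_SBOM, HARDENED_SBOM)
    print("ecosystems missing from hardened SBOM:", gaps or "none")
```

Read the buckets differently: a CVE that disappears with a "removed" package is attack-surface reduction, one that disappears on a "changed" package is a fix you can verify against the advisory, and a CVE that disappears while the component sits in "unchanged" is a scanner discrepancy worth investigating. When `ecosystem_blind_spots` is non-empty, treat the lower count as unverified until both SBOMs were produced by the same generator with comparable coverage.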

Folder Monitoring: Sbom Automation That Never Sleeps

Introduction In our previous post (GitHub Releases are where SBOMs go to die), we tackled a growing pain in modern software security: SBOMs stuck in GitHub Releases. We showed how sbommv streamlines the manual mess, automating the movement of SBOMs from GitHub or local folders directly into SBOM platforms such as Dependency-Track and Interlynk (the next post will demo the Interlynk side). We covered: 🔄 Pulling SBOMs straight from GitHub via the API or from releases 🧳 Uploading pre-existing SBOMs from local folders 🔍 Using dry-run mode to validate before uploading, and transferring the fetched SBOMs into Dependency-Track. That was the start. But it still required you to trigger the command each time, especially when the input adapter (the source of SBOMs) is a folder. ...

September 23, 2025 · 7 min · 1317 words · Vivek Sahu