<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>SBOM on</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/tags/sbom/</link><description>Recent content in SBOM on</description><generator>Hugo -- gohugo.io</generator><language>en-US</language><lastBuildDate>Fri, 17 Nov 2023 11:07:52 +0200</lastBuildDate><atom:link href="https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/tags/sbom/index.xml" rel="self" type="application/rss+xml"/><item><title>What is an SBOM (software bill of materials)?</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sbom/what-is-an-sbom/</link><pubDate>Thu, 04 Aug 2022 15:21:01 +0200</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sbom/what-is-an-sbom/</guid><description>Modern software applications contain hundreds to thousands of open source and third-party components, creating significant security challenges that SBOMs help address - which is why Chainguard includes comprehensive SBOMs with every container image. Without structured visibility into these components, organizations struggle to identify and respond to vulnerabilities, even when patches are available. This lack of transparency leaves systems vulnerable to exploitation, making SBOMs essential for maintaining secure software supply chains.</description></item><item><title>How to Sign an SBOM with Cosign</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/cosign/how-to-sign-an-sbom-with-cosign/</link><pubDate>Wed, 13 Jul 2022 15:22:20 +0100</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/cosign/how-to-sign-an-sbom-with-cosign/</guid><description>An earlier version of this material was published in the Cosign chapter of the Linux Foundation Sigstore course.
Cosign, developed as part of the Sigstore project, is a command line utility for signing, verifying, storing, and retrieving software artifacts through an interface with an OCI (Open Container Initiative) registry. Cosign can also be used to sign attestations, which are verifiable assertions or statements about a software artifact.
What is an Attestation?
An attestation is a cryptographically verifiable statement about a software artifact.</description></item><item><title>Rego Policies</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/chainguard-enforce-rego-policies/</link><pubDate>Thu, 12 Jan 2023 15:56:52 -0700</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/chainguard-enforce-rego-policies/</guid><description>The Sigstore Policy Controller supports the Rego Policy Language, which is a declarative policy language that is used to evaluate structured input data such as Kubernetes manifests and JSON documents. This feature enables users to apply policies that can evaluate Kubernetes admission requests and object metadata to make comprehensive decisions about the workloads that are admitted to their clusters. Rego support also enables users to enhance existing cloud-native policies by adding additional software supply chain security checks.</description></item><item><title>Getting Started with OpenVEX and vexctl</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sbom/getting-started-openvex-vexctl/</link><pubDate>Mon, 30 Jan 2023 15:21:01 +0200</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sbom/getting-started-openvex-vexctl/</guid><description>The vexctl CLI is a tool to make VEX work. As part of the open source OpenVex project, vexctl enables you to create, apply, and attest VEX (Vulnerability Exploitability eXchange) data in order to filter out false positive security alerts.
The vexctl tool was built to help with the creation and management of VEX documents, communicate transparently to users as time progresses, and enable the &amp;ldquo;turning off&amp;rdquo; of security scanner alerts of vulnerabilities known not to affect a given product.</description></item><item><title>What Makes a Good SBOM?</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sbom/what-makes-a-good-sbom/</link><pubDate>Thu, 04 Aug 2022 15:21:01 +0200</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sbom/what-makes-a-good-sbom/</guid><description>A software bill of materials, or an SBOM (pronounced s-bomb), is a formal record of the components contained in a piece of software. It is analogous to an ingredients list for a recipe. And it has become recognized as one of the key building blocks of software supply chain security. Proponents rightfully point out that organizations can&amp;rsquo;t secure their software if they don&amp;rsquo;t know what&amp;rsquo;s inside their software.
As awareness and adoption of SBOMs has grown, there has been a gradual acknowledgement that not all SBOMs are created equal: some are more or less useful, depending on the goals of the SBOM user and the contents of the SBOM.</description></item><item><title>What is OpenVex?</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sbom/what-is-openvex/</link><pubDate>Tue, 31 Jan 2023 15:21:01 +0200</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sbom/what-is-openvex/</guid><description>OpenVEX is an open source specification, library, and suite of tools designed to enable software users to eliminate vulnerability noise and focus their security efforts on vulnerabilities that pose an immediate risk. Released by Chainguard in January 2023, it’s the first set of open source tools to support the VEX specification championed by the United States National Telecommunications and Information Administration (NTIA) and the Cybersecurity and Infrastructure Security Agency (CISA).</description></item><item><title>The Differences between SBOMs and Attestations</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sbom/sboms-and-attestations/</link><pubDate>Sun, 19 Mar 2023 15:56:52 -0700</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sbom/sboms-and-attestations/</guid><description>One of the first steps to improving your software supply chain security is to establish a process for creating quality Software Bills of Materials (SBOMs). An SBOM is a formal record that contains the details and supply chain relationships (such as dependencies) of the components used in building software.
Cosign — a part of the Sigstore project — supports software artifact signing, verification, and storage in an OCI (Open Container Initiative) registry.</description></item><item><title>Example Policies</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/chainguard-enforce-policy-examples/</link><pubDate>Fri, 15 Jul 2022 15:22:20 +0100</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/chainguard-enforce-policy-examples/</guid><description>The Sigstore Policy Controller allows users to create their own security policies that can be enforced on Kubernetes clusters. Here are a few example policies to help you get started.
You may also review the Sigstore Policy Controller documentation. In particular, we encourage you to review the Policy Controller documentation relating to the Admission of images to learn how to admit images through the cluster image policy.
Policy enforcing signed containers apiVersion: policy.</description></item><item><title>How to Retrieve SBOMs and attestations for Chainguard Containers</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/how-to-use/retrieve-image-sboms/</link><pubDate>Fri, 17 Nov 2023 11:07:52 +0200</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/how-to-use/retrieve-image-sboms/</guid><description>Chainguard provides a Software Bill of Materials (SBOM) with every container image, enabling complete transparency about package contents and dependencies for security and compliance requirements. These SBOMs are cryptographically signed and attached as attestations, making them retrievable and verifiable. By including only the minimum packages needed, Chainguard Containers reduce attack surface while the SBOM ensures you can verify exactly what&amp;rsquo;s in each image.
Even though they contain the minimum number of packages, there may come a time when you want to know exactly what&amp;rsquo;s running inside of a certain Chainguard Container.</description></item><item><title>SBOMs</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sbom/</link><pubDate>Thu, 26 Jan 2023 08:49:15 +0000</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sbom/</guid><description>A software bill of materials, or an SBOM (pronounced s-bomb), is a key resource for enabling visibility into the different software components of a codebase.</description></item></channel></rss>