by lucideer 1144 days ago
My company is using them in an internal artifact scanning tool that runs as part of CI/CD build pipelines. It's technically opt-in for dev teams but most have done so, and in my experience most engineers - while they may know "there's some scanning job running at build" - don't necessarily know that it's parsing SBOMs as part of its internal logic.

In other words: I suspect many engineers who are leveraging SBOMs may not know they are.

(To be clear, the SBOMs come from other tools - not directly from the teams - the main reason our internal tool ingests them is that it's much much less work than getting the same metadata from multiple language environments in different formats. We lean on other tooling that gets it for its own purposes & happens to also generate SBOMs, then we just have a single piece of logic to parse that & use it ourselves. We do also lean on Grype/Syft to augment that).


Interesting. Do you keep the SBOMs around after the build to track what's running in production?
Currently only an optimised representation in a DB, but I guess they could be re-generated from that.
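The "single piece of logic to parse that" pattern described above, plus the compact per-build representation mentioned in the last reply, sketched as an added example (this is illustration code written for this thread, not lucideer's internal tool, and not Syft or Grype code). It assumes the SBOMs arrive as CycloneDX JSON or SPDX JSON, the two formats Syft can emit; the two sample documents embedded below are constructed, minimal fragments in those shapes, not real build output.

```python
"""Normalise SBOMs from different generators into one component list.

Added illustration for the thread above, not lucideer's tool. The sample
documents are constructed, minimal CycloneDX 1.4 and SPDX 2.3 JSON.
"""
import json
from dataclasses import dataclass, asdict

# --- constructed sample inputs (not real build output) ---------------------
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2"},
    ],
})
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "lodash", "versionInfo": "4.17.21",
         "SPDXID": "SPDXRef-Package-npm-lodash",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
        # a package with no purl at all, which real SBOMs do contain
        {"name": "zlib", "versionInfo": "1.2.13", "SPDXID": "SPDXRef-Package-zlib"},
    ],
})


@dataclass(frozen=True)
class Component:
    """One dependency, in a tool-independent shape."""
    name: str
    version: str
    purl: str  # package URL; empty string when the SBOM carries none


def detect_format(doc: dict) -> str:
    """Pick the parser from the document's own format marker."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    raise ValueError("unrecognised SBOM document")


def _from_cyclonedx(doc: dict):
    for c in doc.get("components", []):
        yield Component(c.get("name", ""), c.get("version", ""), c.get("purl", ""))


def _from_spdx(doc: dict):
    for p in doc.get("packages", []):
        purl = ""
        for ref in p.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl = ref.get("referenceLocator", "")
                break
        yield Component(p.get("name", ""), p.get("versionInfo", ""), purl)


def parse_sbom(text: str) -> list:
    """Parse one SBOM (either format) into a sorted, de-duplicated list."""
    doc = json.loads(text)
    parser = _from_cyclonedx if detect_format(doc) == "cyclonedx" else _from_spdx
    return sorted(set(parser(doc)), key=lambda c: (c.purl, c.name, c.version))


def merge(*sboms: str) -> list:
    """Union of several SBOMs for one artifact; a dependency reported by
    two tools (same name/version/purl) is counted once."""
    seen = set()
    for s in sboms:
        seen.update(parse_sbom(s))
    return sorted(seen, key=lambda c: (c.purl, c.name, c.version))


def to_rows(components: list) -> list:
    """Flat dicts, the kind of 'optimised representation' a build-scoped
    table would hold instead of the raw SBOM documents."""
    return [asdict(c) for c in components]


if __name__ == "__main__":
    for row in to_rows(merge(CYCLONEDX_SAMPLE, SPDX_SAMPLE)):
        print(row)
```

The format sniffing keys off fields the specifications themselves define (`bomFormat`, `spdxVersion`), so a pipeline can accept whatever the upstream tool happens to emit without a per-language branch; the missing-purl case is handled explicitly because matching on name and version alone is the fallback a vulnerability lookup would then have to use.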