SBOM/attestation sync to offline stores

Definition

SBOM (Software Bill of Materials) and attestation sync to offline stores is the process of keeping the component inventory (the SBOM) and its associated attestations (evidence of the software's compliance or security posture) synchronized with systems that have no internet connection. It matters in environments that demand isolation, such as air-gapped networks, where an accurate and current record of software components and their security status must be maintained without a live feed.

Secure Settings Example

# Example configuration for syncing SBOM to an offline store
sync:
  enabled: true
  source: /path/to/sbom                 # SBOM and attestation files on the connected side
  destination: /offline/store/location  # mount point or media that reaches the isolated network
  schedule: "0 0 * * *"  # Daily sync at midnight
  verification:
    enabled: true
    method: checksum     # each copied file is re-hashed and compared with the digest recorded at the source
    log: /var/log/sbom_sync.log  # mismatches are logged here so a failed sync is visible

Insecure Settings Example

# Example of insecure SBOM sync configuration
sync:
  enabled: true
  source: /path/to/sbom
  destination: /offline/store/location
  schedule: "0 0 * * *"
  verification:
    enabled: false  # Verification disabled, allowing potential tampering
    log: /var/log/sbom_sync.log
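The two configurations above differ only in `verification.enabled`. The following script is an added example, not code from the page or from any particular sync tool: it implements a minimal sync that mirrors the page's YAML keys (`source`, `destination`, `verification.enabled`, `verification.method: checksum`, `verification.log`), so the effect of the secure and insecure settings can be seen side by side. The artifact naming patterns, the manifest file name and the sample SBOM are assumptions constructed for the demonstration.

```python
# Added example, not code from the page: a minimal SBOM/attestation sync that
# mirrors the page's YAML keys (source, destination, verification.enabled,
# verification.method: checksum, verification.log). Directory names, file
# naming patterns and the manifest file name are assumptions for illustration.
import hashlib
import json
import logging
import shutil
import tempfile
from pathlib import Path

log = logging.getLogger("sbom_sync")  # a deployment would attach a FileHandler for /var/log/sbom_sync.log

ARTIFACT_GLOBS = ("*.spdx.json", "*.cdx.json", "*.intoto.jsonl")  # assumed naming for SBOMs and attestations
MANIFEST_NAME = "MANIFEST.sha256.json"                              # assumed name of the shipped checksum list


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large SBOMs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Record a checksum for every artifact on the connected side, before anything is copied."""
    manifest = {}
    for pattern in ARTIFACT_GLOBS:
        for p in sorted(source.glob(pattern)):
            manifest[p.name] = sha256_file(p)
    return manifest


def sync(source: Path, destination: Path, verify: bool) -> dict:
    """Copy artifacts plus manifest into the offline store.

    With verify=True (the page's secure setting) every copy is re-hashed against
    the manifest; with verify=False (the insecure setting) the copies are trusted
    as-is and a corrupted or substituted file is never noticed.
    """
    destination.mkdir(parents=True, exist_ok=True)
    manifest = build_manifest(source)
    for name in manifest:
        shutil.copy2(source / name, destination / name)
    (destination / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))

    result = {"copied": len(manifest), "verified": 0, "mismatched": []}
    if verify:
        for name, expected in manifest.items():
            actual = sha256_file(destination / name)
            if actual == expected:
                result["verified"] += 1
            else:
                result["mismatched"].append(name)
                log.error("checksum mismatch for %s: expected %s, got %s", name, expected, actual)
    log.info("sync finished: %s", result)
    return result


def verify_store(destination: Path) -> list:
    """Re-check an existing offline store against its shipped manifest (on the
    scheduled run, or before the SBOM is used for a vulnerability lookup).
    Returns the names of missing or altered files."""
    manifest = json.loads((destination / MANIFEST_NAME).read_text())
    altered = []
    for name, expected in manifest.items():
        path = destination / name
        if not path.exists() or sha256_file(path) != expected:
            altered.append(name)
            log.error("offline store integrity failure: %s", name)
    return altered


def demo() -> dict:
    """Constructed run: one sample CycloneDX SBOM, a verified sync, an unverified
    sync, then a store whose SBOM was altered after the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "sbom"), Path(tmp, "offline-store")
        src.mkdir()
        sbom_name = "app-1.2.3.cdx.json"
        (src / sbom_name).write_text(json.dumps({"bomFormat": "CycloneDX", "components": []}))
        clean = sync(src, dst, verify=True)
        unverified = sync(src, Path(tmp, "store-unverified"), verify=False)
        # Simulate an altered record in the store: a component the source never listed.
        (dst / sbom_name).write_text(json.dumps({"bomFormat": "CycloneDX",
                                                 "components": [{"name": "not-in-original"}]}))
        return {"clean": clean, "unverified": unverified, "altered": verify_store(dst)}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(json.dumps(demo(), indent=2))
```

With verification enabled, `sync` reports one copied and one verified file and `verify_store` later names the altered SBOM; with verification disabled, `sync` copies the same file but records zero verified files, which is the gap the insecure configuration leaves open. A checksum manifest that travels with the artifacts only catches corruption or alteration as long as the manifest itself is trustworthy, so in practice the manifest (or the attestation it covers) is signed on the connected side and that signature is checked on the offline side before the checksums are relied on.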