SBOM diff / drift detection
Definition
SBOM diff/drift detection refers to the process of identifying changes or deviations in the Software Bill of Materials (SBOM) over time. An SBOM is a detailed inventory of all components, libraries, and dependencies within a software application. Detecting differences or drifts in SBOMs is crucial for maintaining software integrity, ensuring compliance, and identifying potential security vulnerabilities introduced by unauthorized or unexpected changes.
Secure Settings Example
# Example configuration for a CI/CD pipeline to detect SBOM drift
jobs:
  sbom-diff:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Generate current SBOM
        run: sbom-tool generate --output current-sbom.json
      - name: Compare SBOMs
        # baseline-sbom.json is the last reviewed inventory, kept in version
        # control so that changes to the baseline itself go through review.
        # This assumes `sbom-tool diff` exits non-zero when the SBOMs differ.
        run: sbom-tool diff --baseline baseline-sbom.json --current current-sbom.json
      - name: Alert on drift
        # failure() is true if any earlier step in the job failed, so a broken
        # checkout or SBOM generation also triggers this alert, not only drift.
        if: failure()
        run: echo "SBOM drift detected. Review changes."
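The comparison that the "Compare SBOMs" step delegates to `sbom-tool diff` is small enough to show in full. The script below is an added example, not the page's pipeline nor any code from `sbom-tool`; it assumes both SBOMs are CycloneDX-style JSON (a top-level "components" list whose entries carry name, version and purl) and embeds two constructed SBOMs inline, with the baseline standing for the last reviewed inventory. Components are matched on the version-stripped purl, so a version bump is reported as a change rather than as one removal plus one addition.

```python
import json
import sys

# Constructed baseline SBOM: the inventory that was last reviewed and approved.
BASELINE_SBOM = """
{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "requests", "version": "2.31.0",
   "purl": "pkg:pypi/requests@2.31.0"},
  {"type": "library", "name": "urllib3", "version": "2.0.7",
   "purl": "pkg:pypi/urllib3@2.0.7"},
  {"type": "library", "name": "certifi", "version": "2023.7.22",
   "purl": "pkg:pypi/certifi@2023.7.22"}
]}
"""

# Constructed current SBOM from a fresh build: urllib3 was bumped, certifi
# disappeared, and a package nobody approved (colorama) showed up.
CURRENT_SBOM = """
{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "requests", "version": "2.31.0",
   "purl": "pkg:pypi/requests@2.31.0"},
  {"type": "library", "name": "urllib3", "version": "2.2.1",
   "purl": "pkg:pypi/urllib3@2.2.1"},
  {"type": "library", "name": "colorama", "version": "0.4.6",
   "purl": "pkg:pypi/colorama@0.4.6"}
]}
"""


def component_identity(component):
    """Version-independent identity of a component.

    Uses the package URL with its version stripped: purl percent-encodes '@'
    inside namespaces, so the first bare '@' always starts the version.
    Falls back to the bare name when no purl is present, which is weaker
    because two ecosystems can share a package name.
    """
    purl = component.get("purl")
    if purl:
        return purl.split("@", 1)[0]
    return "name:" + component.get("name", "")


def index_components(sbom):
    """Map each component identity to its version string."""
    return {component_identity(c): c.get("version", "")
            for c in sbom.get("components", [])}


def diff_sboms(baseline, current):
    """Return added, removed and version-changed components (sorted, so the
    report is stable across runs and can itself be diffed)."""
    base = index_components(baseline)
    cur = index_components(current)
    return {
        "added": sorted(k for k in cur if k not in base),
        "removed": sorted(k for k in base if k not in cur),
        "changed": sorted((k, base[k], cur[k])
                          for k in base if k in cur and base[k] != cur[k]),
    }


def drift_report(baseline_text, current_text):
    """Parse two SBOM JSON documents and diff them."""
    return diff_sboms(json.loads(baseline_text), json.loads(current_text))


def has_drift(report):
    """True when any component was added, removed or changed version.
    Removals count too: a dropped component can be a dropped security fix."""
    return any(report[key] for key in ("added", "removed", "changed"))


def format_report(report):
    """Human-readable lines for the CI log."""
    lines = ["+ added   " + k for k in report["added"]]
    lines += ["- removed " + k for k in report["removed"]]
    lines += ["~ changed %s %s -> %s" % row for row in report["changed"]]
    return lines


def main(argv):
    """Same shape as the pipeline step: two SBOM paths in, exit status 1 on
    drift so a following `if: failure()` step can raise the alert."""
    if len(argv) == 3:
        with open(argv[1]) as f_base, open(argv[2]) as f_cur:
            report = drift_report(f_base.read(), f_cur.read())
    else:  # no paths given: run against the constructed samples above
        report = drift_report(BASELINE_SBOM, CURRENT_SBOM)
    for line in format_report(report):
        print(line)
    if has_drift(report):
        print("SBOM drift detected. Review changes.")
        return 1
    print("No SBOM drift.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with two file paths (`python sbom_drift.py baseline-sbom.json current-sbom.json`) to mirror the pipeline step, or with no arguments to diff the embedded samples, which reports colorama as added, certifi as removed and urllib3 as changed from 2.0.7 to 2.2.1. A real deployment would add an allowlist for expected changes and a step that rotates the baseline only after the report has been reviewed; otherwise drift is silently accepted the moment the baseline is regenerated.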
Insecure Settings Example
# Example of a CI/CD pipeline without SBOM drift detection
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Build application
        run: make build
      # Missing SBOM generation and drift detection steps