SBOM Drift Detection
Definition
SBOM Drift Detection refers to the process of monitoring and identifying changes between the current state of a software system and its Software Bill of Materials (SBOM). An SBOM is a detailed inventory of all components, libraries, and dependencies within a software application. Drift detection ensures that any unauthorized or unexpected changes to these components are promptly identified, helping to maintain software integrity and security by preventing the introduction of vulnerabilities or unapproved components.
Secure Settings Example
# Example configuration for SBOM drift detection using a CI/CD pipeline
# ('sbom-tool' stands in for whichever SBOM generator/diff tool the project uses;
# the subcommands and flags shown are illustrative)
jobs:
  detect-drift:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Generate current SBOM
        run: sbom-tool generate --output current-sbom.json
      - name: Compare SBOMs
        # A non-zero exit from the compare step fails the job, so detected
        # drift blocks the pipeline instead of being logged and ignored
        run: sbom-tool compare --baseline baseline-sbom.json --current current-sbom.json
        continue-on-error: false
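What the "Compare SBOMs" step has to do is spelled out below as an added example (not code from the page or from any particular SBOM tool): it loads a baseline SBOM and a freshly generated one, keys each component on its identity without the version, and reports components that were added, removed or changed version, exiting non-zero when any drift is found. The two documents are constructed inline and mimic CycloneDX JSON (a "components" list with name, version and purl); the package names and versions in them are made up for illustration.

```python
"""Minimal SBOM drift check: diff a baseline SBOM against a freshly generated one
and report components that were added, removed, or changed version. Added
example, not the page's own code; the documents below are constructed inline
and mimic CycloneDX JSON (a "components" list with name/version/purl)."""
import json
import sys

# Constructed sample inventories (not from any real project).
BASELINE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"name": "urllib3", "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"},
        {"name": "certifi", "version": "2023.7.22", "purl": "pkg:pypi/certifi@2023.7.22"},
    ],
})
CURRENT_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"name": "urllib3", "version": "2.2.1", "purl": "pkg:pypi/urllib3@2.2.1"},
        {"name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
    ],
})


def component_key(component):
    """Identity of a component independent of its version: the purl with the
    '@version' suffix removed, falling back to the bare name. Keying this way
    makes a version bump show up as 'changed' rather than as remove + add."""
    purl = component.get("purl")
    if purl:
        return purl.rsplit("@", 1)[0] if "@" in purl else purl
    name = component.get("name")
    if not name:
        raise ValueError(f"component has neither purl nor name: {component!r}")
    return name


def load_components(sbom_json):
    """Parse a CycloneDX-style document into {component_key: version}.
    Fails closed: a document with no components list, a component without a
    version, or two versions of one component is rejected rather than being
    silently treated as 'no drift'."""
    doc = json.loads(sbom_json)
    if not isinstance(doc.get("components"), list):
        raise ValueError("SBOM has no 'components' list")
    inventory = {}
    for c in doc["components"]:
        key, version = component_key(c), c.get("version")
        if not version:
            raise ValueError(f"component without version: {key}")
        if key in inventory and inventory[key] != version:
            raise ValueError(f"multiple versions of {key} in one SBOM")
        inventory[key] = version
    return inventory


def diff_sboms(baseline_json, current_json):
    """Return {'added': {key: ver}, 'removed': {key: ver},
    'changed': {key: (baseline_ver, current_ver)}}."""
    base, cur = load_components(baseline_json), load_components(current_json)
    return {
        "added": {k: cur[k] for k in cur.keys() - base.keys()},
        "removed": {k: base[k] for k in base.keys() - cur.keys()},
        "changed": {k: (base[k], cur[k]) for k in base.keys() & cur.keys() if base[k] != cur[k]},
    }


def has_drift(report):
    """True when any component was added, removed or re-versioned."""
    return any(report[kind] for kind in ("added", "removed", "changed"))


def main(baseline_json=BASELINE_SBOM, current_json=CURRENT_SBOM):
    """Print a drift report and return the exit code a CI step would use
    (1 on drift, 0 when current matches baseline)."""
    report = diff_sboms(baseline_json, current_json)
    for kind in ("added", "removed", "changed"):
        for key, value in sorted(report[kind].items()):
            print(f"{kind:8} {key} {value}")
    return 1 if has_drift(report) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against the constructed documents it reports one added component (left-pad), one removed (certifi) and one version change (urllib3) and exits 1; in the pipeline above that non-zero exit is what the compare step relies on to fail the job. The fail-closed parsing matters in practice: a malformed or empty SBOM must raise, because treating it as "nothing to compare" would let any change through unnoticed.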
Insecure Settings Example
# Example of a pipeline without SBOM drift detection
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Build application
        run: make build
      # No steps to generate or compare SBOMs, so any change in the
      # dependency set goes unnoticed (drift)