A software bill of materials (SBOM) is a manifest that lists all the dependencies and third-party components included in your application's codebase. It gives you visibility into your software supply chain, so you can check whether your application ships components with known vulnerabilities, outdated versions, or licenses you did not expect.
In physical manufacturing industries, a product’s bill of materials (BOM) states the components required to produce it. For example, building a new desktop computer requires a processor, some memory modules, and a case; in turn, those components will need metal, plastic, and other materials.
An SBOM fulfills a similar role for software products. It lists the dependencies in your stack to give you a complete overview of your supply chain. The details included in an SBOM vary by format and tool, but frequently include:
This information can be used to inform vital internal security efforts—such as identifying compromised packages and removing them from your stack—but it’s also suitable for distribution to customers, partners, and compliance auditors who need to understand how your software is built.
SBOMs are a comprehensive record of every software component in an application, along with critical metadata such as supplier, licensing, and security details. They serve as the foundational data structure for security, open-source licensing compliance, risk management, and other use cases across a DevSecOps organization.
# Generate a CycloneDX JSON SBOM for the alpine:latest image with Syft (written to stdout)
syft alpine:latest -o cyclonedx-json
# Write the SBOM to a file instead, and exclude paths matched by a glob from the scan
syft alpine:latest -o cyclonedx-json --file path/to/file --exclude 'path/**/*.txt'
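The text above says an SBOM can be used to find compromised packages in your stack, and the Syft command above produces one in CycloneDX JSON. The following script, added here as an example and not taken from the page or from the Syft project, consumes such a document: it parses each component's package URL (purl), and matches the (type, name, version) triple against a deny list. Both the embedded SBOM (shaped like Syft's CycloneDX output) and the deny list are constructed for illustration; in practice you would load the SBOM from the `--file` output and the deny list from an advisory feed.

```python
"""Check a CycloneDX JSON SBOM against a deny list of known-bad package versions.

Added example; not part of the page or the Syft project. The sample SBOM and
the deny list below are constructed, not real advisory data.
"""
import json
import sys

# Constructed sample: a minimal CycloneDX 1.4 document with the fields Syft emits.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "musl", "version": "1.2.3-r4",
         "purl": "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "zlib", "version": "1.2.11-r3",
         "purl": "pkg:apk/alpine/zlib@1.2.11-r3?arch=x86_64"},
        {"type": "library", "name": "requests", "version": "2.19.0",
         "purl": "pkg:pypi/requests@2.19.0"},
        # A component with no purl: it cannot be matched reliably and is reported separately.
        {"type": "library", "name": "vendored-helper", "version": "0.1"},
    ],
})

# Constructed deny list: (purl type, package name) -> affected versions.
DENY_LIST = {
    ("pypi", "requests"): {"2.19.0", "2.19.1"},
    ("apk", "zlib"): {"1.2.11-r2"},
}


def parse_purl(purl):
    """Return (type, name, version) from a package URL such as pkg:pypi/requests@2.19.0.

    The namespace segment (e.g. 'alpine' in pkg:apk/alpine/musl) is dropped and
    qualifiers after '?' and subpaths after '#' are ignored; version is None if absent.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    path, _, version = body.partition("@")
    parts = path.strip("/").split("/")
    return parts[0], parts[-1], (version or None)


def components(sbom_json):
    """Return the component list of a CycloneDX JSON document, rejecting other formats."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return doc.get("components", [])


def find_denied(sbom_json, deny_list=DENY_LIST):
    """Return (hits, unmatched): hits are (type, name, version) triples found in the
    deny list; unmatched are component names that carry no purl and so were skipped."""
    hits, unmatched = [], []
    for comp in components(sbom_json):
        purl = comp.get("purl")
        if not purl:
            unmatched.append(comp.get("name", "<unnamed>"))
            continue
        ptype, name, version = parse_purl(purl)
        if version in deny_list.get((ptype, name), set()):
            hits.append((ptype, name, version))
    return hits, unmatched


if __name__ == "__main__":
    # Usage: python check_sbom.py [sbom.json]; falls back to the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    hits, unmatched = find_denied(data)
    for ptype, name, version in hits:
        print(f"DENIED: {ptype}/{name}@{version}")
    for name in unmatched:
        print(f"SKIPPED (no purl): {name}")
    sys.exit(1 if hits else 0)
```

Matching on the purl rather than on the bare `name` field avoids cross-ecosystem false positives (an apk `zlib` is not a pypi `zlib`), and components without a purl are reported rather than silently ignored, since an SBOM that cannot be matched is a gap in coverage, not a clean result.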