Software Bill of Materials (SBOM)

We provide full transparency into our software supply chain through the use of Software Bills of Materials (SBOMs). This document outlines what an SBOM is and how we use SBOMs to enhance the security and integrity of the Contain Platform.

What is an SBOM?

A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of all software components, libraries, and dependencies that make up an application or system. Think of it as a detailed ingredients list for software.

The primary purpose of an SBOM is to provide transparency into the software supply chain. By knowing exactly what is inside a software package, you can:

  • Identify and track known vulnerabilities (CVEs) in specific components.
  • Manage and verify open-source license compliance.
  • Respond more quickly to newly discovered security threats.
  • Proactively assess risk associated with third-party components.

SBOMs are a foundational element of modern cybersecurity and supply chain risk management practices.

How We Use SBOMs

We have integrated SBOM generation directly into our build and release pipelines to ensure a complete and accurate inventory of all software that constitutes the Contain Platform.

  • Comprehensive Coverage: We generate an SBOM for every component of the Contain Platform at build time. This includes our container images and Helm charts, ensuring visibility into every layer of the software stack.

  • Standardized Format: Our SBOMs are generated in the CycloneDX format, an industry-standard, lightweight format designed for communicating SBOM information. This ensures interoperability with a wide range of security and analysis tools.

  • Rich Metadata: Each SBOM includes detailed metadata for every component, such as its name, the supplier, version information, and license details. This data is crucial for automated vulnerability scanning, dependency tracking, and ensuring license compliance across the platform.
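The following script is an added example, not Contain Platform code: it audits a constructed CycloneDX JSON SBOM for the per-component metadata listed above (name, supplier, version, licenses) and checks each declared license against a constructed allow-list. The component names, versions and the allow-list are made up for illustration.

```python
"""Audit a CycloneDX JSON SBOM for required component metadata and license policy."""
import json

# Constructed sample SBOM: the component names, versions and supplier are invented.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libexample", "version": "1.2.3",
         "supplier": {"name": "Example Org"},
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "leftover-util", "version": "0.9.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "container", "name": "base-image",
         "supplier": {"name": "Example Org"}},
    ],
})

# Metadata every component should carry, and a constructed (hypothetical) license policy.
REQUIRED_FIELDS = ("name", "supplier", "version", "licenses")
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def component_licenses(component):
    """Return the license identifiers declared on a CycloneDX component.

    CycloneDX allows either {"license": {"id"|"name": ...}} or {"expression": "..."}.
    """
    ids = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            ids.append(entry["expression"])
            continue
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return ids


def audit_sbom(sbom_json):
    """Return {"name@version": [findings]} for metadata gaps and license policy hits."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = {}
    for comp in sbom.get("components", []):
        ref = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        issues = [f"missing {field}" for field in REQUIRED_FIELDS if field not in comp]
        issues += [f"license {lic} not allowed" for lic in component_licenses(comp)
                   if lic not in ALLOWED_LICENSES]
        if issues:
            findings[ref] = issues
    return findings


if __name__ == "__main__":
    for ref, issues in audit_sbom(SAMPLE_SBOM).items():
        print(ref, "->", "; ".join(issues))
```

The same checks run unchanged against a real CycloneDX JSON file read from disk, since the fields used are part of the CycloneDX component schema.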

By providing detailed SBOMs, we offer you verifiable assurance of the platform's contents, enabling a more robust and transparent security posture.