The problem: obtaining a comprehensive and accurate SBOM (software bill of materials) from a Kubernetes application can be a daunting task and traditional SBOM tools are inadequate. These first-generation SBOM tools provide a static list of all the open source dependencies and/or packages installed in a container image, but they do not include which components are actually used by the app at runtime and they do not automatically and continuously generate the list with each release as part of the CI/CD pipeline.
The solution: unlike the traditional “static SBOM”, the modern “runtime SBOM” will answer questions like:
- Which of the dependencies were actually used by the app?
- Which of the used dependencies have CVEs?
- What ports/URIs/geographies is the app accessing?
To get all this information and achieve true software transparency, developers need to look at the “complete bill of materials,” which includes the static list of dependencies as well as runtime visibility into the app and its third-party components.
You will learn how to:
- Observe billions of live telemetry events that happen in every thread/process/container of a running app
- Use a Kubernetes admission webhook controller to obtain an SBOM of all software dependencies used by the app, including open source, third-party, and OS packages, along with licensing information and runtime metrics such as processes, ports, files, and network connections
- Generate an SBOM automatically and continuously with every build as part of the CI/CD process
- Vikas Wadhvani, Product Manager @Deepfactor
- John Day, Customer Success Engineer @Deepfactor