Commit 4205281

update SBOM strategy
1 parent 784c50e commit 4205281

1 file changed

Lines changed: 42 additions & 6 deletions

File tree

docs/roadmap/SBOM_STRATEGY.md

@@ -605,18 +605,39 @@ rules:
605605

606606
**Features:**
607607

608+
#### Phase 4A: Open Source Scanner Integration
609+
- **Grype** (Anchore) - Fast, offline vulnerability scanning
610+
- **Trivy** (Aqua Security) - Kubernetes-native, container scanning
611+
- Local scanning workflows
612+
- No licensing costs
613+
614+
#### Phase 4B: Commercial Scanner Integration
615+
- **Snyk** - Developer-focused, fix guidance, IDE/CLI/CI integration
616+
- **Veracode** - Enterprise compliance, governance, regulated industries
617+
- API-based SBOM upload
618+
- Enhanced vulnerability context
619+
620+
#### Phase 5: Automation & Compliance
608621
- SBOM diffing and drift detection
609-
- Vulnerability scanner integration (Grype, Trivy)
610-
- Hooks for automatic generation
611-
- Compliance reporting (SOC 2, ISO 27001)
622+
- Hooks for automatic generation (pre-commit, CI/CD)
623+
- Compliance reporting (SOC 2, ISO 27001, SLSA, SSDF)
624+
- Policy enforcement in pipelines
625+
626+
#### Phase 6: Analytics & Operations
612627
- Batch operations for multiple projects
613628
- Historical analysis and dashboards
629+
- Trend analysis for dependency health
630+
- Vulnerability exposure tracking
631+
632+
**Scanner Integration Value Prop:**
633+
> "goenv feeds Go-aware SBOMs to any scanner—open source or commercial—ensuring 40% better vulnerability coverage through stdlib detection and build context."
614634

615635
**Note:** These features build on the foundation but depend on:
616636

617637
- Community adoption of early phases
618638
- Security team feedback and validation
619639
- Partnership opportunities with scanner vendors
640+
- Snyk/Veracode API access and validation
620641

621642
---
622643

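Review bot: the "40% better vulnerability coverage" figure in the new "Scanner Integration Value Prop" quote is unsourced and will be read as a measured claim; either cite the comparison it came from (which scanners, which corpus of Go modules, what baseline) or reword it as a target, e.g. "aims to improve vulnerability coverage through stdlib detection and build context". Two smaller points in the same hunk: the new Phase 4B dependency "Snyk/Veracode API access and validation" overlaps with the existing "Partnership opportunities with scanner vendors" bullet and could be folded into it, and the Phase 4A bullets assert "No licensing costs" without noting that Grype and Trivy still need vulnerability database updates, which matters for the "Local scanning workflows" bullet in air-gapped setups.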
@@ -695,10 +716,25 @@ As more organizations adopt:
695716

696717
### Phase 4-6 (Integration Features)
697718

698-
- **Scanner integration:** 20%+ use vuln scanning
699-
- **Compliance:** 5+ frameworks supported (SOC 2, ISO, SLSA, SSDF)
700-
- **Ecosystem:** 100+ organizations share policies/examples
719+
#### Phase 4A (Open Source Scanners)
720+
- **Grype integration:** 15%+ users scan with Grype
721+
- **Trivy integration:** 15%+ users scan with Trivy
722+
- **Implementation:** Upload endpoints, result parsing, CI examples
723+
724+
#### Phase 4B (Commercial Scanners)
725+
- **Snyk integration:** 10%+ users with Snyk licenses
726+
- **Veracode integration:** 5+ enterprise customers
727+
- **API validation:** Successful SBOM uploads to both platforms
728+
729+
#### Phase 5 (Automation & Compliance)
730+
- **Compliance reporting:** 5+ frameworks supported (SOC 2, ISO 27001, SLSA, SSDF)
731+
- **CI/CD hooks:** 3+ platforms with automation examples
732+
- **SBOM diffing:** Drift detection across releases
733+
734+
#### Phase 6 (Analytics)
735+
- **Ecosystem growth:** 100+ organizations share policies/examples
701736
- **Recognition:** Featured in CNCF/OSSF security resources
737+
- **Dashboards:** Historical vulnerability tracking
702738

703739
---
704740

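Review bot: the Phase 5 metric "Compliance reporting: 5+ frameworks supported (SOC 2, ISO 27001, SLSA, SSDF)" enumerates four frameworks while claiming five or more; either list the fifth or change the count to "4+". The adoption metrics in Phase 4A and 4B ("15%+ users scan with Grype", "10%+ users with Snyk licenses") also need a stated denominator and measurement method (telemetry, survey, download counts), since the project has no obvious way to observe what percentage of goenv users run a given scanner; a short "Measured by:" line under the "Phase 4-6 (Integration Features)" heading would make these targets verifiable.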