Anchore, a leader in software supply chain security, today announced that Syft, an open source tool that generates a Software Bill of Materials (SBOM), can now produce SBOMs in the Software Package Data Exchange (SPDX) format, a standard that makes it easy to share SBOM data across systems and organizations.
Because Syft is easily integrated into a variety of build systems and development tools, developers can now use Syft to automatically generate SBOMs in the SPDX format as part of their existing build processes. Syft users now have an interoperable format to communicate SBOM information including the software components, dependencies and versions that are embedded in software container images and file systems.
“As both enterprises and the open source community continue to adopt the SPDX standard, it’s beneficial to have Syft support SPDX formats that streamline the exchange of SBOMs within and between organizations,” said Kate Stewart, Vice President of Dependable Systems at the Linux Foundation. “We want to encourage use of reliable and innovative open source tools to help secure the software supply chain and prevent breaches. Producing SBOMs in the SPDX format is an essential element of that.”
SPDX, an internationally recognized ISO standard for SBOMs, is sponsored by the Linux Foundation and is an important element of software supply chain security. The recent United States Cybersecurity Executive Order defines new requirements for an SBOM as part of federal government procurement.
Anchore is an active member of the Linux Foundation and supports its continued adoption of SPDX as a way to easily communicate SBOM information across the software supply chain. In a recent Anchore survey, 60% of respondents indicated that securing the software supply chain is a top or significant area of focus.
“With recent software supply chain attacks infiltrating internal software build processes, organizations can leverage SBOMs during the development process to monitor changes in the SBOM and reduce the risk of successful attacks,” said Daniel Nurmi, Anchore CTO and Co-Founder.
“Syft is a powerful tool that can inspect container images and source code repositories alike, reporting on dependencies and software packages, all the way down to individual file information. This type of deep inspection and insight makes it possible to identify unintentional or malicious content being installed during application builds.”
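The change-monitoring use that Nurmi describes, as an added illustration that is not Syft's or Anchore's code: two constructed, stripped-down SPDX 2.2 JSON documents (what Syft's `-o spdx-json` output looks like in outline, with most fields omitted) stand in for the SBOMs of two consecutive builds, and the script reports packages that appeared, disappeared or changed version between them.

```python
import json

# Constructed sample SPDX 2.2 JSON documents for two builds of the same image.
# They are hand-written stand-ins, not real Syft output, and keep only the
# fields the comparison needs (Syft emits many more, e.g. licenses and files).
BASELINE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "app-build-41",
    "packages": [
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "1.1.1k"},
        {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib", "versionInfo": "1.2.11"},
        {"SPDXID": "SPDXRef-Package-curl", "name": "curl", "versionInfo": "7.74.0"},
    ],
})
CURRENT_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "app-build-42",
    "packages": [
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "1.1.1k"},
        {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib", "versionInfo": "1.2.12"},
        {"SPDXID": "SPDXRef-Package-libgcrypt", "name": "libgcrypt", "versionInfo": "1.9.4"},
    ],
})


def packages_by_name(spdx_json):
    """Map package name -> versionInfo from an SPDX 2.x JSON document.

    Keyed on name only, so two entries sharing a name (e.g. the same library
    installed twice) would collide; refine the key if your images do that.
    """
    doc = json.loads(spdx_json)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("expected an SPDX 2.x document")
    return {p["name"]: p.get("versionInfo", "") for p in doc.get("packages", [])}


def diff_sboms(baseline_json, current_json):
    """Report packages added, removed or re-versioned between two builds.

    Anything in 'added' or 'changed' that the build was not expected to pull
    in is the signal worth reviewing before the image is promoted.
    """
    old, new = packages_by_name(baseline_json), packages_by_name(current_json)
    return {
        "added": sorted(n for n in new if n not in old),
        "removed": sorted(n for n in old if n not in new),
        "changed": sorted((n, old[n], new[n]) for n in old if n in new and old[n] != new[n]),
    }


if __name__ == "__main__":
    for kind, items in diff_sboms(BASELINE_SPDX, CURRENT_SPDX).items():
        print(f"{kind}: {items}")
```

In a pipeline the two documents would be the SBOM stored from the last known-good build and the one Syft just produced, with a non-empty `added` or `changed` list failing or flagging the build.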