Amazon ECR

• sbomqs, an open source tool to quality check your SBOMS

  Feb 2, 2023 |  6 minute read

  When putting together a previous post on how to use open source tools to create a software bill of materials (SBOM), Ritesh Noronha alerted me to another project, sbomqs that aims to simplify the evaluation of SBOM quality for both producers and consumers. A quality SBOM is one that is accurate, complete, and up-to-date. It should accurately reflect the components and dependencies used in the software application, including their version and optionally any known vulnerabilities.

  • Amazon ECR
  • sbomqs
  • SPDX
  • SBOM

• Building a software bill of materials (SBOM) using open source tools

  Feb 1, 2023 |  6 minute read

  This is the second post exploring how you can use open source tools to help you build a stronger defence against common software supply chain attacks. In this blog post, I look at syft, an open source CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. We will use examples and build on the previous post, Getting hands on with Sigstore Cosign on AWS.

  • Amazon ECR
  • Cosign
  • Sigstore
  • syft
  • SBOM

• Getting hands on with Sigstore Cosign on AWS

  Jan 31, 2023 |  13 minute read

  Getting hands on with Sigstore Cosign on AWS I am currently putting together some content around how you can use a number of open source tools to help build a stronger defence against common software supply chain attacks. In this blog post, I look at emerging tools from Sigstore, and focus in this post on Cosign, a tool that supports container image signing, verification, and storage in an Open Container Initiative (OCI) registry.

  • Amazon ECR
  • AWS KMS
  • Cosign
  • Sigstore
  • Docker
  • sget