DevConf.IN 2026

Martin Sikora

Product Owner in The Collective team, responsible for the SBOM lifecycle in Konflux.

Company or affiliation:

Red Hat

Job title:

Product Owner

Session

02-14, 14:10, 45min

Transforming SBOMs from Compliance Burden to Security Asset
Martin Sikora, Ales Raszka

Managing Software Bills of Materials (SBOMs) has shifted from a security recommendation to a legal requirement. For large-scale projects, however, the primary challenge is keeping these records accurate and verifiable without adding friction to the build process.

In this talk, we share how we built an automated SBOM lifecycle into Konflux, a Kubernetes-native software factory system. We will provide a technical look at Mobster, the tool we use to automatically generate, enrich, and store SBOMs for every production build. We will demonstrate how this integration ensures that every container image is accompanied by a transparent record of its dependencies.

Beyond the build, we explore how this data becomes a strategic asset for Product Security. By integrating with the Trusted Profile Analyzer, we move from per-build compliance to portfolio-wide visibility. We will discuss the theoretical framework for using this data to map vulnerabilities across thousands of components, allowing security teams to pinpoint exactly where a high-risk dependency exists and orchestrate rapid, large-scale remediation.

What we will cover:
- The SBOM Requirement: A brief look at the necessity of supply chain transparency and why manual manifests fail at scale.
- Architectural Deep Dive: How we integrated Mobster into the Konflux pipeline to capture metadata and dependencies during the build.
- Standardization and Interoperability: How using industry standards (SPDX/CycloneDX) ensures data portability across security platforms.
- Empowering Product Security:
  - Portfolio-Wide Visibility: How centralized SBOM data allows security teams to query an entire software catalog for specific vulnerable packages.
  - Accelerated Remediation: The theory of using "where-used" data to reduce the time between vulnerability discovery and patches across multiple products.
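The "where-used" idea behind the last two points, as an added example that is not Mobster, Konflux or Trusted Profile Analyzer code: index CycloneDX-style SBOMs (one per container image, constructed inline and reduced to the fields needed) by versionless package URL, then ask which images carry a package below its fixed version. Image names, purls and versions are made up for the example.

```python
# Added example: a minimal where-used index over per-image CycloneDX SBOMs.
# Answers "which images ship package X at a version below the fix?"
import json
from collections import defaultdict

# Constructed SBOMs, trimmed to the CycloneDX fields this example needs.
SBOMS = {
    "registry.example/app-a:1.0": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "libxml2", "version": "2.9.10", "purl": "pkg:rpm/libxml2@2.9.10?arch=x86_64"},
        {"name": "openssl", "version": "3.0.7", "purl": "pkg:rpm/openssl@3.0.7"}]}),
    "registry.example/app-b:2.3": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "libxml2", "version": "2.9.13", "purl": "pkg:rpm/libxml2@2.9.13"}]}),
    "registry.example/app-c:0.9": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "openssl", "version": "3.0.7", "purl": "pkg:rpm/openssl@3.0.7"}]}),
}

def purl_base(purl):
    """Drop qualifiers and version: pkg:rpm/libxml2@2.9.10?arch=x86_64 -> pkg:rpm/libxml2."""
    return purl.split("?", 1)[0].rsplit("@", 1)[0]

def build_where_used(sboms):
    """Map versionless purl -> {image: version} across every SBOM in the catalog."""
    index = defaultdict(dict)
    for image, raw in sboms.items():
        bom = json.loads(raw)
        for comp in bom.get("components", []):
            if "purl" in comp:
                index[purl_base(comp["purl"])][image] = comp.get("version", "")
    return index

def version_tuple(v):
    """Dotted numeric versions only; real ecosystems (rpm EVR, semver) need their own rules."""
    return tuple(int(p) for p in v.split("."))

def affected_images(index, purl, fixed_in):
    """Sorted list of images carrying `purl` at a version lower than `fixed_in`."""
    return sorted(img for img, ver in index.get(purl, {}).items()
                  if version_tuple(ver) < version_tuple(fixed_in))

if __name__ == "__main__":
    idx = build_where_used(SBOMS)
    # Which images still need the libxml2 fix that landed in 2.9.13?
    print(affected_images(idx, "pkg:rpm/libxml2", "2.9.13"))
```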

Cybersecurity and Compliance
VYAS - 1 - Room#VY102