SBOMs are a great first step, and I’m a big fan. It finally feels like the industry is doing what we should’ve done from the beginning—create proper inventories.
However, let’s be honest—our software supply chain is far more complex than just package dependencies.
Consider this real (and yes, slightly over-the-top) scenario:
A developer uses a Chrome extension to manipulate AI prompts, which are then consumed by VS Code extensions to generate code. That code lives on GitHub, where GitHub Actions run automation. The project is packaged into a Docker image, deployed via Kubernetes onto an EC2 instance, built from a specific AMI.
Now ask yourself: Which of these components are actually being tracked or inventoried by your current xBOM tooling?
We need to rethink what we include in the software supply chain:
- Browser extensions
- IDE plugins
- CI/CD scripts
- Cloud/Container images
- and whatever else shapes the final artifact
All of these carry risk—and influence the final product.
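As an added illustration (not part of the original post), here is a small Python script that inventories the kinds of components the list above names from constructed sample inputs, then flags which ones are referenced only by a mutable tag or not versioned at all. The file contents, extension names and type labels are constructed for the example, not taken from any real tool's output.

```python
"""Inventory the links in the chain that a package-only SBOM leaves out:
CI actions and scripts, container base images, IDE and browser extensions."""
import re
from typing import Dict, List

# Constructed sample inputs standing in for files found in a repo/workstation.
WORKFLOW = """\
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: docker/build-push-action@v5
      - run: ./scripts/release.sh
"""
DOCKERFILE = "FROM python:3.12-slim\nRUN pip install -r requirements.txt\n"
IDE_EXTENSIONS = ["ms-python.python", "example.prompt-helper"]      # constructed
BROWSER_EXTENSIONS = ["example-prompt-rewriter"]                    # constructed

# Only a git commit SHA or an image digest is immutable; tags can be moved.
IMMUTABLE = re.compile(r"^([0-9a-f]{40}|sha256:[0-9a-f]{64})$")


def inventory(workflow: str, dockerfile: str, ide_ext: List[str],
              browser_ext: List[str]) -> List[Dict[str, str]]:
    """Return a flat xBOM-style component list; type labels are illustrative."""
    comps: List[Dict[str, str]] = []
    # CI/CD: every action the workflow pulls in, with the ref it is pinned to.
    for m in re.finditer(r"uses:\s*([\w./-]+)@([\w.-]+)", workflow):
        comps.append({"type": "ci-action", "name": m.group(1), "version": m.group(2)})
    # CI/CD: scripts executed by run: steps are code too, and carry no version.
    for m in re.finditer(r"run:\s*(\S+)", workflow):
        comps.append({"type": "ci-script", "name": m.group(1), "version": "none"})
    # Container base images: every FROM line, tag defaulting to "latest".
    for m in re.finditer(r"^FROM\s+([^\s:@]+)(?:[:@](\S+))?", dockerfile, re.M):
        comps.append({"type": "container-image", "name": m.group(1),
                      "version": m.group(2) or "latest"})
    for ext in ide_ext:
        comps.append({"type": "ide-extension", "name": ext, "version": "unknown"})
    for ext in browser_ext:
        comps.append({"type": "browser-extension", "name": ext, "version": "unknown"})
    return comps


def mutable_refs(comps: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Components whose reference can change underneath you without a diff."""
    return [c for c in comps if not IMMUTABLE.match(c["version"])]
```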
Are we building visibility across the entire stack of influence?
I’d love to hear how others are approaching this. Drop your thoughts, or let’s connect and talk supply chain.
#SBOM #inventory #visibility #fullstack #softwaresupplychain