SBoMs can be used for vulnerability scanning
All components of an artifact are listed with version numbers
Matching against CVE databases reveals unfixed vulnerabilities
Scan can be repeated at any time
sbom-operator
listens for events on pods, generates an SBoM for an image…
…and stores it in a git repository
vulnerability-operator
enumerates the SBoMs in the repository…
…scans them for vulnerabilities and publishes metrics
Prometheus and Grafana can scrape and visualize them
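As an added worked example covering both the scanning idea above (components with versions matched against a CVE feed, repeatable at any time) and the two-operator pipeline, the script below mimics that flow end to end. It is not code from sbom-operator or vulnerability-operator, whose real implementations differ: it takes SBOM documents as the sbom-operator would have committed them to git (constructed inline here, in a CycloneDX-like shape), matches every component's version against a constructed vulnerability feed, and renders the findings as Prometheus exposition text of the kind the vulnerability-operator publishes for Prometheus to scrape. The image names, package versions, CVE ids (deliberately placeholder ids), metric names and label names are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed SBOM documents in a CycloneDX-like shape, keyed by image, standing
# in for the files the sbom-operator would commit to its git repository.
SBOM_REPO: Dict[str, dict] = {
    "registry.example/web:1.4": {
        "components": [
            {"name": "openssl", "version": "3.0.7"},
            {"name": "zlib", "version": "1.2.13"},
        ]
    },
    "registry.example/api:2.0": {
        "components": [
            {"name": "openssl", "version": "3.0.12"},
            {"name": "curl", "version": "8.1.0"},
        ]
    },
}

# Constructed vulnerability feed. The ids are placeholders, not real CVEs.
# A record affects versions in the half-open range [introduced, fixed);
# fixed=None means no fixed release exists yet.
VULN_DB: List[dict] = [
    {"id": "CVE-0000-0001", "package": "openssl", "introduced": "3.0.0", "fixed": "3.0.8", "severity": "high"},
    {"id": "CVE-0000-0002", "package": "curl", "introduced": "8.0.0", "fixed": None, "severity": "medium"},
    {"id": "CVE-0000-0003", "package": "zlib", "introduced": "1.2.0", "fixed": "1.2.13", "severity": "high"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.0.7' (or '1.2.13-r1') into a comparable tuple of the leading integers."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if version lies in [introduced, fixed); with fixed=None the range is open-ended."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


@dataclass(frozen=True)
class Finding:
    image: str
    cve: str
    package: str
    version: str
    fixed: Optional[str]
    severity: str


def scan_sbom(image: str, sbom: dict, db: List[dict]) -> List[Finding]:
    """Match each listed component against the feed; only the SBOM is read, never the image."""
    findings = []
    for comp in sbom.get("components", []):
        for vuln in db:
            if vuln["package"] == comp["name"] and is_affected(comp["version"], vuln["introduced"], vuln["fixed"]):
                findings.append(Finding(image, vuln["id"], comp["name"], comp["version"], vuln["fixed"], vuln["severity"]))
    return findings


def scan_repository(repo: Dict[str, dict], db: List[dict]) -> List[Finding]:
    """Enumerate every stored SBOM, as the vulnerability-operator does with the git repository."""
    findings: List[Finding] = []
    for image in sorted(repo):
        findings.extend(scan_sbom(image, repo[image], db))
    return findings


def _label(value: str) -> str:
    """Escape a label value per the Prometheus text exposition format."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def to_prometheus(findings: List[Finding]) -> str:
    """Render findings as gauge samples Prometheus can scrape (metric and label names are assumed)."""
    lines = [
        "# HELP sbom_vulnerability_info One sample per vulnerable component found in a stored SBOM.",
        "# TYPE sbom_vulnerability_info gauge",
    ]
    for f in findings:
        lines.append(
            'sbom_vulnerability_info{image="%s",package="%s",version="%s",cve="%s",severity="%s",fix_available="%s"} 1'
            % (_label(f.image), _label(f.package), _label(f.version), _label(f.cve), f.severity, str(f.fixed is not None).lower())
        )
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_prometheus(scan_repository(SBOM_REPO, VULN_DB)), end="")
    # A later re-scan against a newer feed needs no rebuild of any image (new record is constructed):
    updated = VULN_DB + [{"id": "CVE-0000-0004", "package": "zlib", "introduced": "1.2.13", "fixed": None, "severity": "low"}]
    print(len(scan_repository(SBOM_REPO, updated)), "finding(s) after the feed update")
```

The scan is a pure function of the stored SBOMs and the current feed, which is what makes it repeatable: when the feed gains a new record, re-running `scan_repository` surfaces the new finding without touching the running pods or images. The `fix_available` label distinguishes findings that can be closed by upgrading from those with no fixed release yet, so a Grafana dashboard can show both counts separately.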
See SBoMs in git
See metrics in Grafana