New SPDX support advances continued open source collaboration for best practices in software supply chain security

Santa Barbara, Calif. - October 11, 2021 - Anchore, a leader in software supply chain security, today announced that Syft, an open source tool that generates a Software Bill of Materials (SBOM), can now produce SBOMs in the Software Package Data Exchange (SPDX) standard format, which makes it easy to share data across systems and organizations.

Because Syft is easily integrated into a variety of build systems and development tools, developers can now use Syft to automatically generate SBOMs in the SPDX format as part of their existing build processes. Syft users now have an interoperable format for communicating SBOM information, including the software components, dependencies and versions that are embedded in software container images and file systems.

“As both enterprises and the open source community continue to adopt the SPDX standard, it’s beneficial to have Syft support SPDX formats that streamline the exchange of SBOMs within and between organizations,” said Kate Stewart, Vice President of Dependable Systems at the Linux Foundation. “We want to encourage use of reliable and innovative open source tools to help secure the software supply chain and prevent breaches. Producing SBOMs in the SPDX format is an essential element of that.”

SPDX, an internationally recognized ISO standard for SBOMs, is sponsored by the Linux Foundation and is an important element of software supply chain security. The recent United States Cybersecurity Executive Order defines new requirements for an SBOM as part of federal government procurement. Anchore is an active member of the Linux Foundation and supports its continued adoption of SPDX as a way to easily communicate SBOM information across the software supply chain. In a recent Anchore survey, 60% of respondents indicated that securing the software supply chain is a top or significant area of focus.

“With recent software supply chain attacks infiltrating internal software build processes, organizations can leverage SBOMs during the development process to monitor changes in the SBOM and reduce the risk of successful attacks,” said Daniel Nurmi, Anchore CTO and Co-Founder. “Syft is a powerful tool that can inspect container images and source code repositories alike, reporting on dependencies and software packages, all the way down to individual file information. This type of deep inspection and insight makes it possible to identify unintentional or malicious content being installed during application builds.”

For more information about SPDX, go to www.spdx.dev. For more information about the Syft open source SBOM generator tool, go to www.Anchore.com/opensource.

About Anchore

Anchore is a leader in software supply chain security and enables organizations to protect cloud-native applications against software supply chain attacks. Anchore technology embeds continuous security and compliance checks at every stage of the software development process to prevent security risks from reaching production. Large enterprises and government agencies use Anchore solutions to generate a comprehensive software bill of materials, pinpoint vulnerabilities, identify malware and discover unprotected credentials that can lead to hacks and ransomware. With an API-centric approach, Anchore solutions integrate into the tools developers already use to detect issues earlier, saving time and lowering the cost of fixing vulnerabilities. To learn more, visit www.anchore.com.