# From code to production It starts with the code... -- Which gets deployed inside/on: - An appliance - A host - A container Or is reused as an module. --- ## And do you remember: - ShellShock - Log4J / Log4Shell - Heartbleed These also affected routers, printers and other devices at home. --- class: pic ## Like food labels SBOMs tell you what's inside .center[![sbom](images/sbom/can-1.jpg)] --- ## Example SBOM snippet ```json { "id": "e1597ba21775e886", "name": "certifi", "version": "2022.12.7", "type": "python", "foundBy": "python-package-cataloger", "locations": [ { "path": "/usr/local/lib/python3.11/site-packages/certifi-2022.12.7.dist-info/METADATA", "layerID": "sha256:2ecbe4cb3d052a933e1cab8d573b14cfb4c50df323e4efde9cece026ce0fc73e", "annotations": { "evidence": "primary" ... "licenses": [ { "value": "MPL-2.0", "spdxExpression": "MPL-2.0", "type": "declared", ``` --- class: pic ## More and more you can download them upfront .center[![sbom](images/sbom/github-sbom-example.png)] --- class: pic ## And analyze them before you install something .center[![sbom](images/sbom/sbom-scan-result.png)]