Welcome to sbom-vm Discussions!

[popey]

Welcome to sbom-vm Discussions!

👋 Hello SBOM enthusiasts!

Welcome to the official discussions area for sbom-vm, a tool that generates Software Bills of Materials (SBOMs) from virtual machine disk images without booting the VM!

🔍 What is sbom-vm?

sbom-vm bridges a critical gap in the SBOM ecosystem by leveraging common Linux utilities to mount VM disk images in read-only mode and generate SBOMs using Syft. This is particularly useful when dealing with large filesystems where running Syft directly inside the VM might cause resource exhaustion.

💡 How to use this space

We've created this discussions area to:

• Ask questions about installing, configuring, or using sbom-vm
• Share success stories about how you're using the tool in your environment
• Report challenges you've encountered with different VM image formats or filesystems
• Suggest improvements for better filesystem support, performance, or usability
• Connect with others who are working on SBOM generation and VM security

🚀 Get started

• If you're new to sbom-vm, check out the README for installation instructions
• Share your experience with different VM formats (qcow2, vmdk, etc.)
• Let us know if you're using this with Windows, Linux, macOS, or BSD VMs

🔮 What's next for sbom-vm?

The current implementation is a prototype that demonstrates the concept of generating SBOMs from VM disk images without booting them. Our goal is to potentially incorporate these capabilities directly into Syft or Stereoscope.

We'd love to hear your thoughts on:

• Additional filesystem types we should support
• Performance improvements
• Integration with other tools in your security pipeline

🤝 Contributing

Contributions are welcome! Feel free to submit Pull Requests or open issues to discuss major changes. Whether you're a security professional, VM expert, or just interested in SBOMs, we'd love to have you join the community.

Happy scanning! 📊