Syft generates a Software Bill of Materials for every unique container image in your cluster.

Why SBOMs Matter

  • EO 14028 directs US federal agencies to require an SBOM from software suppliers
  • SOC 2 and FedRAMP assessments expect a documented inventory of the software in scope
  • Supply chain security: know exactly which packages are running, not just which images
  • Faster CVE scanning: Grype can scan a saved SBOM instead of re-pulling and unpacking each image

Formats

Format           Standard
cyclonedx-json   OWASP CycloneDX (default)
spdx-json        Linux Foundation SPDX

Configuration

spec:
  security:
    syft:
      enabled: true
      schedule: "0 */8 * * *"
      format: cyclonedx-json
      scanOnDeploy: true

Verifying ChangeGuard’s own artifacts

ChangeGuard ships its software the same way it asks you to scan yours. The Helm chart, the operator and agent images, and a CycloneDX SBOM attestation for each are signed with cosign, backed by keys held in AWS KMS. Verify any artifact against the published key before it runs:
cosign verify --key https://charts.changeguard.ai/cosign.pub \
  public.ecr.aws/m7g7b7v0/changeguard/operator:v3.9.18
A successful verification confirms the image signature only. The SBOM attestation is a separate signed object: check it with cosign verify-attestation, passing the same key and --type cyclonedx. That command prints the attestation only when its signature verifies, so feed its output to your scanner rather than any SBOM obtained another way. Two practical points: pin the public key in your repository (or fetch it from a location you already trust) instead of downloading it on every run, because whoever serves the download decides which key your policy trusts; and verify the image by digest rather than by tag, so the artifact you verified is the artifact you deploy. Wire the same checks into your CI pipeline or an admission controller (Sigstore policy-controller or Kyverno) to enforce that only signed ChangeGuard artifacts are admitted to your cluster.
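As an added example (not ChangeGuard's own code, and not part of cosign, Syft or Grype), the Python below consumes the output of cosign verify-attestation. Each output line is a DSSE envelope whose base64 payload is an in-toto statement carrying the BOM as its predicate. The script skips attestations that are not SBOMs (provenance, for instance), refuses an SBOM whose subject digest is not the image digest you asked about, and normalises either format from the table above (a CycloneDX or SPDX predicate) into a name/version/purl inventory you can hand to Grype. The sample envelope, image digest and package list are constructed for this example; the image name reuses the registry path from the command above but the digest is synthetic.

```python
"""Unwrap and sanity-check the SBOM attestation printed by cosign verify-attestation.

Signature checking is cosign's job; this script only binds the statement to the
expected image digest and extracts the component inventory.
"""
import base64
import hashlib
import json
import sys

# Predicate types cosign attaches for `--type cyclonedx` and `--type spdxjson`.
CYCLONEDX = "https://cyclonedx.org/bom"
SPDX = "https://spdx.dev/Document"
SBOM_TYPES = (CYCLONEDX, SPDX)


def unwrap_dsse(line: str) -> dict:
    """Decode one DSSE envelope line into the in-toto Statement it carries."""
    envelope = json.loads(line)
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def subject_matches(statement: dict, expected_digest: str) -> bool:
    """True if one of the statement's subjects carries exactly the expected sha256."""
    return any(s.get("digest", {}).get("sha256") == expected_digest
               for s in statement.get("subject", []))


def components(statement: dict) -> list:
    """Normalise a CycloneDX or SPDX predicate into [{name, version, purl}]."""
    ptype, pred = statement.get("predicateType"), statement.get("predicate", {})
    if ptype == CYCLONEDX:
        return [{"name": c.get("name"), "version": c.get("version"), "purl": c.get("purl")}
                for c in pred.get("components", [])]
    if ptype == SPDX:
        out = []
        for p in pred.get("packages", []):
            purl = next((r.get("referenceLocator") for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            out.append({"name": p.get("name"), "version": p.get("versionInfo"), "purl": purl})
        return out
    raise ValueError(f"not an SBOM predicate: {ptype!r}")


def extract_sbom(verify_output: str, expected_digest: str) -> dict:
    """Return the first SBOM statement bound to expected_digest.

    Non-SBOM envelopes (e.g. SLSA provenance) are skipped. An SBOM whose subject
    digest does not match is rejected rather than skipped: a substituted SBOM is
    exactly what this check exists to catch.
    """
    for line in verify_output.splitlines():
        if not line.strip():
            continue
        stmt = unwrap_dsse(line)
        if stmt.get("predicateType") not in SBOM_TYPES:
            continue
        if not subject_matches(stmt, expected_digest):
            raise ValueError("SBOM attestation is not bound to the expected image digest")
        return stmt
    raise ValueError("no SBOM attestation found in cosign output")


# --- Constructed sample: NOT a real ChangeGuard attestation ---------------------
SAMPLE_IMAGE = "public.ecr.aws/m7g7b7v0/changeguard/operator"
SAMPLE_DIGEST = hashlib.sha256(b"constructed sample, not a real image").hexdigest()
SAMPLE_BOM = {  # minimal hand-written CycloneDX document for the example
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "golang.org/x/net", "version": "v0.23.0",
         "purl": "pkg:golang/golang.org/x/net@v0.23.0"},
        {"type": "library", "name": "libssl3", "version": "3.0.13-1",
         "purl": "pkg:deb/debian/libssl3@3.0.13-1"},
    ],
}


def sample_envelope(predicate_type: str = CYCLONEDX, predicate=None) -> str:
    """Build an (unsigned) DSSE envelope line shaped like cosign's output."""
    statement = {"_type": "https://in-toto.io/Statement/v0.1",
                 "predicateType": predicate_type,
                 "subject": [{"name": SAMPLE_IMAGE, "digest": {"sha256": SAMPLE_DIGEST}}],
                 "predicate": SAMPLE_BOM if predicate is None else predicate}
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": [{"keyid": "", "sig": ""}]})


if __name__ == "__main__":
    # cosign verify-attestation --key cosign.pub --type cyclonedx IMAGE@sha256:DIGEST \
    #   | python3 extract_sbom.py DIGEST > bom.json && grype sbom:bom.json
    sbom = extract_sbom(sys.stdin.read(), sys.argv[1])
    json.dump(sbom["predicate"], sys.stdout)
```

The digest you pass on the command line should come from the same place your deployment manifests use (the resolved image digest), so the SBOM you scan is bound to the image that actually runs, not to whatever the tag pointed at when the attestation was fetched.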