
HCP Packer provides further artifact visibility with SBOM storage

Gain visibility into the components of your image artifacts and improve supply chain security with SBOM storage in the HCP Packer artifact registry.

We are excited to announce the release of software bill of materials (SBOM) storage, now available in public beta for HCP Packer. HCP Packer is a powerful tool that helps organizations manage the lifecycle of their image artifacts across any cloud or on-premises environments. With this release, we aim to provide platform teams with further visibility into their images to help address vulnerabilities earlier in the deployment process and shift security left.

Challenges in artifact visibility

Images (such as AMIs for Amazon EC2, virtual machines, Docker containers, and more) form the foundation of modern computing infrastructure and sit at the start of the software security supply chain. However, today's platform teams often build and deploy machine artifacts to production without a clear understanding of their internal components. This makes it difficult to:

  • Identify vulnerable dependencies
  • Track outdated libraries
  • Ensure images are meeting compliance requirements

As a result, teams spend significant time manually patching images or relying on incomplete tools, delaying critical fixes and increasing operational risk.

Solution: SBOM

A popular solution to address this challenge is to keep a record of the components with a software bill of materials (SBOM) for each artifact. This solution is not only popular in the cybersecurity community, it’s also backed by the US government, which considers SBOMs a key component in its 2021 executive order to improve the nation’s cybersecurity.

An SBOM is like the ingredient list on a food item: it enumerates the internal parts that make up the image. While Packer has supported integrations with third-party SBOM generators, until now there was no option to store the resulting SBOMs and have them readily available for download directly in the HashiCorp Cloud Platform.

Introducing SBOM storage in HCP Packer

Our latest addition to HCP Packer empowers platform teams to seamlessly generate and securely store SBOMs for Packer-built artifacts directly in the HCP Packer artifact registry. Users can now view details on the components of all their artifacts across cloud and on-prem environments in a single, centralized location.

(Image: Packer dashboard)

You can now store up to 5 SBOMs for each artifact in HCP Packer.

The SBOMs are generated through CLI-integrated provisioners such as Mondoo and stored in the industry-standard CycloneDX and SPDX formats. HCP Packer is compatible with any SBOM generation provisioner, so you can continue using the tools already integrated into your workflows. This flexibility means you don't have to adopt new solutions to take advantage of HCP Packer's SBOM storage and compliance capabilities.
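Once an SBOM is downloaded from the registry, the vulnerable-dependency and outdated-library checks mentioned above become a matter of reading the stored document. The following is an added example (not HCP Packer's or Mondoo's code) that normalizes both stored formats, CycloneDX JSON and SPDX JSON, to a component inventory and flags versions below a minimum-version policy; the two SBOMs and the policy are constructed placeholders, trimmed to the fields the code uses.

```python
import json

# Constructed sample SBOMs (not real HCP Packer output); the shapes follow the
# CycloneDX 1.x JSON and SPDX 2.x JSON schemas, trimmed to the fields used here.
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.2",
         "purl": "pkg:deb/ubuntu/openssl@3.0.2"},
        {"type": "library", "name": "curl", "version": "8.5.0",
         "purl": "pkg:deb/ubuntu/curl@8.5.0"},
    ],
})
SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "openssl", "versionInfo": "3.0.13", "SPDXID": "SPDXRef-openssl"},
        {"name": "bash", "versionInfo": "5.1", "SPDXID": "SPDXRef-bash"},
    ],
})

def components(sbom_text):
    """Normalize a CycloneDX or SPDX JSON SBOM to a list of (name, version)."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") == "CycloneDX":
        return [(c["name"], c.get("version", "")) for c in doc.get("components", [])]
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return [(p["name"], p.get("versionInfo", "")) for p in doc.get("packages", [])]
    raise ValueError("unrecognized SBOM format")

def version_tuple(v):
    """Dotted version string to a comparable tuple; non-numeric parts count as 0."""
    return tuple(int(x) if x.isdigit() else 0 for x in v.split("."))

def outdated(sbom_text, minimum_versions):
    """Return components whose version is below the policy's minimum for that name."""
    return [(n, v) for n, v in components(sbom_text)
            if n in minimum_versions
            and version_tuple(v) < version_tuple(minimum_versions[n])]

# Constructed policy: minimum acceptable versions (placeholder values, not advisories).
MIN_VERSIONS = {"openssl": "3.0.10", "curl": "8.4.0"}

if __name__ == "__main__":
    for label, sbom in (("cyclonedx", CYCLONEDX_SBOM), ("spdx", SPDX_SBOM)):
        print(label, outdated(sbom, MIN_VERSIONS))
```

Feeding each of an artifact's stored SBOMs through the same check lets a platform team see which images still carry a flagged component before the next rebuild.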

Next steps

SBOM storage in HCP Packer helps teams identify vulnerabilities faster, streamline compliance efforts, and respond to incidents with confidence. By providing SBOMs for HCP Packer artifacts, customers gain detailed visibility into software dependencies and are able to proactively secure their software supply chain.

Please refer to our SBOM documentation and our Track artifact package metadata tutorial to learn how to create and download SBOMs. Get started with HCP Packer for free and see the benefits of a centralized artifact registry in action.
