We are excited to announce the release of SBOM vulnerability scanning, now available in public beta for HCP Packer. HCP Packer is a powerful tool that helps organizations manage the lifecycle of their image artifacts across hybrid-cloud environments. With this release, we aim to provide platform teams with further visibility into their images to help address vulnerabilities earlier in the deployment process and shift security left.
Artifact visibility
In today’s hybrid-cloud world, system images (such as AMIs for Amazon EC2, virtual machines, Docker containers, and more) are the foundation of modern computing infrastructure. They also sit at the very start of the software security supply chain. As organizations increasingly depend on a complex software supply chain that includes both third-party and in-house software packages and dependencies, the need for comprehensive visibility into these components has never been more critical.
A popular solution to address artifact visibility is to keep a record of the components with a software bill of materials (SBOM) for each artifact. SBOMs are like an ingredient list on a food item; they list the internal parts that make up the image.
Background: Last year, we introduced new capabilities that empower platform teams to seamlessly generate and securely store SBOMs and surface essential package information for their software artifacts directly in HCP Packer (package visibility beta).
What’s new: Building on these efforts, we are excited to announce that:
- Package visibility is now generally available (GA)
- SBOM vulnerability scanning is available in public beta
With these new capabilities, organizations can scan SBOMs for common vulnerabilities and exposures to proactively identify and address risks, and surface these insights directly in HCP Packer. Together, these enhancements help organizations improve software supply chain security overall.
SBOM vulnerability scanning
CVE (Common Vulnerabilities and Exposures) scanning is a type of vulnerability scanning that matches software and hardware components against publicly disclosed security vulnerabilities that have been assigned CVE identifiers. One of the best-known efforts for this is MITRE’s CVE Program, which provides a global system for assigning unique IDs to publicly known security vulnerabilities so organizations can track, share, and manage fixes consistently.
In HCP Packer, you can now see which SBOMs contain known vulnerabilities referenced against MITRE’s CVE database, and classify them based on severity.
By seeing which package versions are affected and when the vulnerabilities were detected, organizations can make informed decisions about remediation priorities and reduce vulnerability risk overall.
[Screenshot: Surface vulnerability information directly in HCP Packer]
This new capability aims to help organizations identify vulnerabilities faster, streamline compliance efforts, and respond to security incidents with confidence.
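As an added illustration of the matching step described above (this is not HCP Packer's scanner or its code): a minimal Python matcher that reads a constructed CycloneDX-style SBOM and a constructed advisory list with placeholder CVE IDs, flags each component whose version predates the advisory's fixed version, and orders the findings by severity. The simplified version comparison is an assumption for the example; production scanners apply ecosystem-specific version rules.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed CycloneDX-style SBOM fragment (sample data, not an HCP Packer export).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "openssl", "version": "1.1.1k", "purl": "pkg:deb/ubuntu/openssl@1.1.1k"},
    {"name": "curl", "version": "7.81.0"},
    {"name": "zlib", "version": "1.2.13"}
  ]
}
"""

# Constructed advisory records in the shape of a CVE feed; the IDs are placeholders.
ADVISORIES = [
    {"id": "CVE-0000-0001", "package": "openssl", "fixed_in": "1.1.1l", "severity": "HIGH"},
    {"id": "CVE-0000-0002", "package": "curl", "fixed_in": "7.79.0", "severity": "MEDIUM"},
    {"id": "CVE-0000-0003", "package": "zlib", "fixed_in": "1.2.14", "severity": "CRITICAL"},
]

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def version_key(version: str):
    """Split a version into comparable parts: numeric runs compare as ints,
    alphabetic runs as strings (so 1.1.1k < 1.1.1l). Simplified on purpose."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[a-zA-Z]+", version))


def scan_sbom(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Return one finding per component whose version predates the fix, worst first."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if version_key(comp["version"]) < version_key(adv["fixed_in"]):
                findings.append({"id": adv["id"], "package": comp["name"],
                                 "installed": comp["version"], "fixed_in": adv["fixed_in"],
                                 "severity": adv["severity"]})
    findings.sort(key=lambda f: SEVERITY_ORDER.get(f["severity"], 99))
    return findings


def worst_severity(findings: List[Dict]) -> Optional[str]:
    """Highest severity present, useful as a gate for promoting an image."""
    return findings[0]["severity"] if findings else None


if __name__ == "__main__":
    for f in scan_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['severity']:8} {f['id']} {f['package']} {f['installed']} -> fix {f['fixed_in']}")
```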
Next steps
With SBOM vulnerability scanning now available for HCP Packer artifacts, customers gain further visibility into software dependencies, helping them proactively secure their software supply chain, and mitigate risk overall.
To get started with this new feature, please refer to our SBOM documentation and our Track artifact package metadata tutorial to learn how to create and download SBOMs. Get started with HCP Packer for free and see the benefits of a centralized artifact registry in action.