SBOMs — The Reality Check

KubeCon + CloudNativeCon Europe 2026

Session Date: March 26, 2026 — London

The Core Problem

"When getting an SBOM from someone... ask what tool they used."

  • Different analysis tools produce different results
  • Different standards for package URLs
  • CVE matching varies across tools
  • This is a critical gap in supply chain security
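Added example, not from the talk: a Python script that compares the component lists of two constructed CycloneDX-style SBOMs (hypothetical outputs of two scanners) after normalizing their package URLs, to show how purl spelling differences alone make tools appear to disagree. The case-folding rules are an assumption that simplifies the purl spec's per-type rules.

```python
"""Measure cross-tool SBOM drift on raw vs. normalized package URLs (purls)."""
import json
from typing import Dict, Set

# Constructed sample output of two hypothetical scanners (not real tool output).
SBOM_TOOL_A = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"purl": "pkg:npm/lodash@4.17.21"},
    {"purl": "pkg:golang/github.com/Sirupsen/logrus@v1.9.3"},
    {"purl": "pkg:pypi/Requests@2.31.0"},
]})
SBOM_TOOL_B = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"purl": "pkg:npm/lodash@4.17.21?vcs_url=git%2Bhttps://github.com/lodash/lodash.git"},
    {"purl": "pkg:golang/github.com/sirupsen/logrus@v1.9.3"},
    {"purl": "pkg:pypi/requests@2.31.0"},
    {"purl": "pkg:npm/%40babel/core@7.24.0"},
]})

# Assumption: these ecosystems are compared case-insensitively. The purl spec
# defines per-type rules; this set is a simplification for the example.
CASE_FOLD = {"pypi", "golang", "npm"}


def normalize_purl(purl: str) -> str:
    """Canonicalize a purl for comparison: strip qualifiers and subpath,
    lowercase the type, and fold name case where the ecosystem allows it."""
    base = purl.split("?", 1)[0].split("#", 1)[0]  # drop ?qualifiers and #subpath
    ptype, _, name_version = base.split(":", 1)[1].partition("/")
    name, sep, version = name_version.rpartition("@")
    if not sep:  # no version present
        name, version = name_version, ""
    ptype = ptype.lower()
    if ptype in CASE_FOLD:
        name = name.lower()
    if ptype == "pypi":
        name = name.replace("_", "-")  # PEP 503 style name normalization
    return f"pkg:{ptype}/{name}" + (f"@{version}" if version else "")


def purls(sbom_json: str) -> Set[str]:
    """Extract every purl from a CycloneDX-style components list."""
    return {c["purl"] for c in json.loads(sbom_json).get("components", []) if "purl" in c}


def sbom_drift(a: str, b: str) -> Dict[str, Set[str]]:
    """Components only one tool reported, on raw and on normalized purls."""
    raw_a, raw_b = purls(a), purls(b)
    norm_a, norm_b = {normalize_purl(p) for p in raw_a}, {normalize_purl(p) for p in raw_b}
    return {"raw_only_a": raw_a - raw_b, "raw_only_b": raw_b - raw_a,
            "norm_only_a": norm_a - norm_b, "norm_only_b": norm_b - norm_a,
            "agreed": norm_a & norm_b}


if __name__ == "__main__":
    for key, value in sbom_drift(SBOM_TOOL_A, SBOM_TOOL_B).items():
        print(key, sorted(value))
```

On the raw strings the two tools share nothing; after normalization they agree on three components and differ only on one package that tool B found and tool A missed, which is the difference worth investigating.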

The Integration Gap

  • Most organizations do not generate SBOMs across the full stack
  • Teams handle parts of the stack in isolation
  • No good integration between systems
  • Shadow IT in SBOM compliance — unapproved tools
  • Some tooling exists, but the question is how and where to integrate it

Compliance Drift

"Today I am compliant, tomorrow I am not."

  • Static templates and one-time audits don't prevent drift
  • Need continuous compliance validation
  • Every code push, dependency update, and deployment must be checked
  • Compliance is not "check once" — it's "validate continuously"

Key Takeaways

  1. Ask what tool generated an SBOM — different tools produce different results
  2. Full-stack SBOM coverage is rare — most organizations have gaps
  3. Compliance drift is the real operational challenge
  4. Automate validation on every change, not just at release
  5. Integration across systems is the unsolved problem

Questions?

KubeCon EU 2026 — London