HCP Packer adds SBOM vulnerability scanning
Source: HashiCorp Blog
Artifact visibility
In today’s hybrid‑cloud world, system images (such as AMIs for Amazon EC2, virtual machine images, container images, and more) are the foundation of modern computing infrastructure. They sit at the very start of the software supply chain: every workload built from an image inherits whatever packages the image contains. As organizations increasingly depend on a complex software supply chain that mixes third‑party and in‑house packages and dependencies, comprehensive visibility into these components has never been more critical.
A popular way to achieve artifact visibility is to keep a record of the components in a software bill of materials (SBOM) for each artifact. An SBOM is like the ingredient list on a food item: it lists the packages and dependencies that make up the image, together with their versions.
Background
Last year we introduced package visibility (beta), which lets platform teams generate SBOMs, store them securely, and surface essential package information for their software artifacts directly in HCP Packer.
What’s new
- Package visibility is now generally available (GA)
- SBOM vulnerability scanning is available in public beta
With these capabilities, organizations can scan SBOMs for common vulnerabilities and exposures, proactively identify and address risks, and surface these insights directly in HCP Packer. Together, these enhancements help improve software supply‑chain security overall.
SBOM vulnerability scanning
CVE (Common Vulnerabilities and Exposures) scanning focuses on identifying and managing vulnerabilities that have been publicly disclosed. MITRE’s CVE Program provides a global system for assigning unique IDs to known security vulnerabilities, enabling organizations to track, share, and manage fixes consistently. Scanning an SBOM means comparing the package names and versions it records against those CVE records: a package whose installed version falls inside a CVE’s affected range is reported as a finding.
In HCP Packer you can now:
- See which SBOMs contain packages with known vulnerabilities, matched against MITRE’s CVE database
- Classify findings based on severity
- View affected package versions and detection timestamps
By exposing this information, organizations can make informed remediation decisions, reduce vulnerability risk, streamline compliance, and respond to security incidents with confidence.
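The following is an added example, not code from HCP Packer or HashiCorp, that shows what the two ideas above look like in practice: a small SBOM listing packages and versions, and a scanner that matches those packages against a vulnerability feed, applies version ranges, and classifies the results by severity. It assumes a CycloneDX‑style JSON SBOM with package URLs (purls), a constructed feed whose identifiers are placeholders rather than real CVEs, OSV‑style half‑open version ranges (introduced <= version < fixed), and the CVSS v3 qualitative severity scale. The page does not describe HCP Packer’s matching logic; this is one straightforward way to do it. Components without a purl are reported separately, because a scanner can only find what the SBOM actually identifies.

```python
"""Toy SBOM vulnerability scanner (added example; not HCP Packer code)."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# purl grammar subset: pkg:type/namespace/name@version (qualifiers/subpath ignored)
PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>.+)/)?(?P<name>[^/@]+)@(?P<version>[^?#]+)"
)

# Constructed CycloneDX-style SBOM for a fictional image (assumption: format).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.7",
         "purl": "pkg:deb/debian/openssl@3.0.7"},
        {"type": "library", "name": "curl", "version": "8.4.0",
         "purl": "pkg:deb/debian/curl@8.4.0"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        # In-house package recorded without a purl: cannot be matched.
        {"type": "application", "name": "custom-agent", "version": "1.4.2"},
    ],
})

# Constructed vulnerability feed. IDs are placeholders, NOT real CVEs.
VULN_FEED = [
    {"id": "CVE-0000-0001", "ecosystem": "deb/debian", "package": "openssl",
     "introduced": "3.0.0", "fixed": "3.0.8", "cvss": 7.5},
    {"id": "CVE-0000-0002", "ecosystem": "pypi", "package": "requests",
     "introduced": "2.0.0", "fixed": "2.32.0", "cvss": 4.3},
    {"id": "CVE-0000-0003", "ecosystem": "deb/debian", "package": "curl",
     "introduced": "7.0.0", "fixed": "8.4.0", "cvss": 9.8},  # fixed == installed
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> tuple of ints; non-numeric tails are dropped.
    Real scanners use ecosystem-specific rules (dpkg, PEP 440, semver)."""
    parts = []
    for piece in re.split(r"[.\-+~]", v):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts) or (0,)


def version_lt(a: str, b: str) -> bool:
    """Numeric comparison with zero padding so 1.2 == 1.2.0 and 1.10 > 1.9."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """OSV-style half-open range: introduced <= version < fixed; fixed=None means unfixed."""
    if version_lt(version, introduced):
        return False
    return fixed is None or version_lt(version, fixed)


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative rating scale."""
    if cvss == 0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    vuln_id: str
    cvss: float
    severity: str
    fixed_in: Optional[str]
    detected_at: str


def scan_sbom(sbom_json: str, feed: list, detected_at: Optional[str] = None
              ) -> Tuple[List[Finding], List[str]]:
    """Match each purl-identified component against the feed.
    Returns (findings sorted by CVSS descending, names of unmatchable components)."""
    sbom = json.loads(sbom_json)
    detected_at = detected_at or datetime.now(timezone.utc).isoformat()
    findings, unmatched = [], []
    for comp in sbom.get("components", []):
        m = PURL_RE.match(comp.get("purl", ""))
        if not m:
            unmatched.append(comp.get("name", "?"))
            continue
        eco = m["type"] + (f"/{m['ns']}" if m["ns"] else "")
        for v in feed:
            if v["ecosystem"] != eco or v["package"] != m["name"]:
                continue
            if is_affected(m["version"], v["introduced"], v["fixed"]):
                findings.append(Finding(m["name"], m["version"], v["id"], v["cvss"],
                                        severity(v["cvss"]), v["fixed"], detected_at))
    findings.sort(key=lambda f: -f.cvss)
    return findings, unmatched


if __name__ == "__main__":
    found, skipped = scan_sbom(SBOM_JSON, VULN_FEED)
    for f in found:
        print(f"{f.severity:8} {f.vuln_id} {f.component}@{f.version} fixed in {f.fixed_in}")
    print("no purl, not scanned:", skipped)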
Next steps
With SBOM vulnerability scanning now available for HCP Packer artifacts, customers gain deeper visibility into software dependencies, helping them proactively secure their software supply chain and mitigate risk.
- Refer to the SBOM documentation for detailed guidance.
- Follow the Track artifact package metadata tutorial to learn how to create and download SBOMs.
Get started with HCP Packer for free and experience the benefits of a centralized artifact registry in action.