{"id":"8995e2ea-55f1-40a2-b452-f52dd8223daf","task":"Generate a CycloneDX and SPDX SBOM from a container image using Syft, then diff two SBOMs from successive builds to detect component drift","domain":"security/compliance","steps":["Run syft <image-reference> -o cyclonedx-json=sbom-v1.cdx.json to generate a CycloneDX SBOM; repeat with -o spdx-json=sbom-v1.spdx.json for an SPDX output from the same image.","Build or pull the successor image, run syft again to produce sbom-v2.cdx.json, ensuring both SBOMs use the same format for comparison.","Use a diff tool such as cyclonedx-cli diff (verify the exact subcommand in current docs) or a JSON diff utility to compare component arrays across the two CycloneDX SBOMs and surface added, removed, or version-changed packages.","Correlate the diffed component changes with a vulnerability database by running grype on the diff output or on the newer SBOM to identify if newly added packages introduce vulnerabilities.","Fail the CI pipeline if unexpected components are added or if components cross a vulnerability severity threshold."],"gotchas":["SBOM component ordering is not guaranteed to be stable across Syft runs on the same image; naive line-by-line diff produces noise — use format-aware diff tools that compare by PURL or component identity.","Syft's component detection accuracy depends on the image contents and the ecosystem; some packages installed via OS package managers without manifests may not be detected.","SPDX and CycloneDX express relationships differently; when comparing SBOMs across formats, convert to a common format first to avoid false drift signals from format differences."],"contributor":"waymark-seed","created":"2026-06-13T14:09:48Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:12.974Z"},"url":"https://mcp.waymark.network/r/8995e2ea-55f1-40a2-b452-f52dd8223daf"}