Why SBOM Took Center Stage at KubeCon 2025: The Future of Software Supply Chain Security

The Software Bill of Materials (SBOM) has evolved from a compliance checkbox into a cornerstone of modern DevSecOps. It gives development and security teams a precise inventory of what a piece of software is built from, which is the starting point for managing software supply chain risk: you cannot assess, prioritize, or patch a vulnerable component you do not know you are shipping.

According to the Software Bill of Materials (SBOM) Market Research Report 2025, the global SBOM market is projected to reach USD 5,828 million by 2031. The driver behind this growth is straightforward: supply chain security has become a first-class concern, and organizations need transparency into, and visibility over, the components their software depends on.

At KubeCon 2025 it became clear that the SBOM is not a passing trend; it is a baseline requirement for secure, transparent, and auditable software supply chains in the cloud-native world.

As Kubernetes matures and organizations adopt microservices at scale, application stacks grow so complex that tracking software components and remediating their vulnerabilities by hand becomes impractical. The SBOM addresses this directly: it is your software's ingredient list, providing transparency, traceability, and trust.

In this blog post, we will focus on SBOM’s growing importance and its future prospects. 

What is an SBOM and why it matters

A Software Bill of Materials (SBOM) is a detailed inventory of every open-source and proprietary component included in a software application. This includes libraries, dependencies, version numbers, licenses, and metadata.

Much like a food ingredient label, an SBOM tells consumers (in this case, developers, security teams, and auditors) exactly what’s inside the product. This transparency allows organizations to:

  • Identify known vulnerabilities quickly, by matching the inventory against vulnerability databases
  • Respond fast when a new vulnerability is disclosed, by querying existing SBOMs for the affected component and version instead of rescanning every artifact
  • Ensure license compliance by checking each component's declared license against policy
  • Meet growing regulatory demands, including those from U.S. Executive Order 14028 on improving the nation's cybersecurity

This level of visibility is no longer optional for cloud-native applications built on open-source packages, containers, and distributed services.

SBOMs take the spotlight at KubeCon 2025

KubeCon 2025 showcased how SBOM tools for Kubernetes are revolutionizing security operations. Across keynotes, breakout sessions, and panel discussions, SBOMs were featured not as a theoretical concept but as an actionable, automated layer of DevSecOps.

Common themes included:

  • Shift-left security: Integrating SBOM generation into early stages of CI/CD pipelines
  • Compliance acceleration: SBOMs enable faster audit readiness and license tracking
  • Security standardization: SBOM formats like SPDX and CycloneDX are becoming industry norms
  • Dynamic container environments: SBOMs are regenerated with every image build and stored alongside the image, so the inventory stays current as images change

Anchore Syft: the open source hero of SBOM automation

Anchore, a software supply chain security vendor, has made SBOM generation more accessible with its open-source CLI tool, Syft.

What is Syft?

Syft is a lightweight, fast SBOM generator that scans container images, filesystems, directories, and archives. It identifies and catalogs the software packages it finds and outputs the result in standardized formats such as CycloneDX and SPDX, as well as its own native JSON format.

Key features:

• Broad input and ecosystem support: Works on Docker and OCI images, filesystems, and directories, and catalogs both OS packages (apk, deb, rpm) and language packages (for example npm, Python, Go, Java, Ruby, and Rust).
• Seamless CI/CD integration: A single command produces an SBOM during the build, so DevOps teams can automate SBOM generation alongside the image build itself.
• Developer-friendly: Minimal configuration, rich output, and a straightforward CLI.
• Open-source: Apache 2.0 licensed, free to use, fork, and customize.

Why Syft matters for Kubernetes users

In Kubernetes environments where images are built, deployed, and replaced continuously, SBOM generation must be automated and scalable. Syft lets teams embed SBOM generation directly into the build pipeline, so every image that reaches a cluster has an inventory recorded at build time. When a new vulnerability is disclosed, that stored inventory can be queried immediately instead of pulling and rescanning every running image, which shortens the window between disclosure and remediation across CI/CD and production.

Anchore’s broader ecosystem: Syft + Grype

To turn an SBOM into actionable findings, Anchore pairs Syft with Grype, an open-source vulnerability scanner. Grype consumes a Syft SBOM (or scans an image or directory directly) and matches its packages against known vulnerabilities aggregated from sources such as the NVD (National Vulnerability Database), GitHub Security Advisories, and Linux distribution security feeds.

This one-two punch, Syft for visibility and Grype for risk detection, gives organizations an actionable security posture for Kubernetes and containerized applications. Because the SBOM is a static artifact, the same document can be rescanned whenever the vulnerability database updates, without rebuilding or re-pulling the image.
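The pipeline step described above (Syft generates the SBOM, Grype scans it, the build is gated on the result) as an added example. This is not Anchore's code; it is a small Python wrapper written for this page. It assumes `syft` and `grype` are on PATH, the image reference `registry.example.com/app:1.0.0` and the severity cutoff are placeholders, and the Grype report used for offline testing is constructed by hand (the CVE identifiers and package names in it are placeholders, not real advisories), although its `matches[].vulnerability` / `matches[].artifact` layout is the one Grype's JSON output uses.

```python
"""Added example (not Anchore's code): generate an SBOM with Syft, scan it with
Grype, and gate a CI build on the findings.

Assumptions (the page does not show them): `syft` and `grype` are installed; the
image reference and severity cutoff are placeholders. SAMPLE_REPORT is a
hand-constructed Grype-style report for offline use, not a real scan result.
"""
import json
import subprocess
import sys

# Grype severity labels, ordered so a policy cutoff can be compared numerically.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def run(cmd):
    """Run a CLI command and return its stdout, raising on a non-zero exit."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def generate_sbom(image, sbom_path):
    """Syft: catalog the image and write a CycloneDX JSON SBOM to sbom_path."""
    run(["syft", "scan", image, "-o", f"cyclonedx-json={sbom_path}"])
    return sbom_path


def scan_sbom(sbom_path):
    """Grype: match the SBOM's packages against its vulnerability DB, JSON out."""
    return json.loads(run(["grype", f"sbom:{sbom_path}", "-o", "json"]))


def evaluate_report(report, cutoff="High", only_fixed=True):
    """Return the matches that violate policy: severity at or above `cutoff`
    and, when only_fixed is set, a fix is available (so the finding is
    actionable rather than a known-unfixable entry the team can only track)."""
    threshold = SEVERITY_RANK[cutoff]
    violations = []
    for m in report.get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        if SEVERITY_RANK.get(vuln.get("severity"), -1) < threshold:
            continue
        fix = vuln.get("fix", {})
        if only_fixed and fix.get("state") != "fixed":
            continue
        violations.append({
            "id": vuln["id"],
            "severity": vuln["severity"],
            "package": f"{art['name']}@{art['version']}",
            "fixed_in": fix.get("versions", []),
        })
    return violations


# Constructed Grype-style report for offline use; IDs and packages are placeholders.
SAMPLE_REPORT = {
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["2.17.1"], "state": "fixed"}},
         "artifact": {"name": "libfoo", "version": "2.14.1", "type": "java-archive"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "libbar", "version": "3.0.2", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                           "fix": {"versions": ["1.2.3"], "state": "fixed"}},
         "artifact": {"name": "bazpkg", "version": "1.2.2", "type": "python"}},
    ]
}


def main(image="registry.example.com/app:1.0.0", cutoff="High"):
    """Build-time gate: keep the SBOM as evidence, fail the job on violations."""
    sbom = generate_sbom(image, "sbom.cdx.json")
    violations = evaluate_report(scan_sbom(sbom), cutoff)
    for v in violations:
        print(f"{v['severity']:8} {v['id']} in {v['package']} fixed in {v['fixed_in']}")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

Running `python gate.py registry.example.com/app:1.0.0 High` writes `sbom.cdx.json`, scans it, and exits non-zero only for findings that are both serious and fixable; unfixed findings still appear in the raw Grype output and should be tracked, but failing the build on them gives the developer nothing to act on. The `-o cyclonedx-json=<file>` and `--fail-on` style options belong to the real Syft and Grype CLIs; the policy logic around them is this example's own.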

Anchore Enterprise

For organizations that need enterprise-level features (for example policy enforcement, deeper analytics, and dashboards), Anchore Enterprise builds on Syft and Grype with commercial support. It is aimed at heavily regulated industries such as healthcare, finance, and government contracting.

SBOM standards: Why SPDX and CycloneDX matter

One major takeaway from KubeCon is the importance of interoperability. SBOMs must work across tools, environments, and organizations. This is where standards like SPDX (Software Package Data Exchange, maintained under the Linux Foundation and published as ISO/IEC 5962:2021) and CycloneDX (an OWASP project) come in. Both are widely adopted and gaining support across the open-source ecosystem. Syft supports both, giving teams flexibility in output and toolchain compatibility, and because both formats carry the same essential data per component (name, version, a package URL, and license), downstream tools can normalize either one into a common inventory.
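To show what "interoperability" buys in practice, and to make concrete the two uses listed under "What is an SBOM and why it matters" (finding which images ship an affected component, and checking licenses), here is an added example that reads one CycloneDX JSON SBOM and one SPDX 2.3 JSON SBOM, normalizes both into a single inventory, and queries it. This is not Anchore's code and not part of either specification. Both SBOM documents are constructed by hand for this page (image names, package names, versions, and licenses are placeholders), though the field names are the ones the two formats actually use; the version comparison is deliberately simplistic and is called out as such in the code.

```python
"""Added example (not Anchore's code or part of either spec): normalize
CycloneDX and SPDX SBOMs into one inventory and answer two questions:
  - which images ship component X at a version older than the fixed one?
  - which components carry a license outside the allow-list (or none at all)?
The two SBOM documents are hand-constructed placeholders for offline use.
"""
import json

# Constructed CycloneDX 1.5 document, shaped like Syft's output for an image.
CYCLONEDX_DOC = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "registry.example.com/api:1.4.0"}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.0",
         "purl": "pkg:deb/debian/libfoo@1.2.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "barlib", "version": "3.1.5",
         "purl": "pkg:npm/barlib@3.1.5", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})

# Constructed SPDX 2.3 document for a second image; same data, different layout.
SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "registry.example.com/worker:2.0.1",
    "packages": [
        {"SPDXID": "SPDXRef-Package-libfoo", "name": "libfoo", "versionInfo": "1.3.1",
         "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/libfoo@1.3.1"}]},
        {"SPDXID": "SPDXRef-Package-bazlib", "name": "bazlib", "versionInfo": "0.9.0",
         "licenseConcluded": "NOASSERTION", "externalRefs": []},
    ],
})


def parse_sbom(text):
    """Return (subject, [{name, version, purl, license}]) for either format."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        subject = doc.get("metadata", {}).get("component", {}).get("name", "<unknown>")
        comps = []
        for c in doc.get("components", []):
            # CycloneDX licenses are a list of {license:{id}} or {expression} objects.
            lic = ",".join(l.get("license", {}).get("id") or l.get("expression") or ""
                           for l in c.get("licenses", [])) or None
            comps.append({"name": c["name"], "version": c.get("version"),
                          "purl": c.get("purl"), "license": lic})
        return subject, comps
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        comps = []
        for p in doc.get("packages", []):
            # SPDX carries the purl as an external reference rather than a field.
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            lic = p.get("licenseConcluded")
            comps.append({"name": p["name"], "version": p.get("versionInfo"),
                          "purl": purl, "license": None if lic == "NOASSERTION" else lic})
        return doc.get("name", "<unknown>"), comps
    raise ValueError("unrecognized SBOM format")


def build_inventory(*sbom_texts):
    """Map each subject (image) to its normalized component list."""
    return dict(parse_sbom(t) for t in sbom_texts)


def version_key(v):
    """Crude dotted-numeric ordering, adequate for the placeholder versions here.
    Real deployments must use an ecosystem-aware comparator (deb, rpm, semver...)."""
    return tuple(int(x) if x.isdigit() else 0 for x in v.split("."))


def affected_subjects(inventory, name, fixed_in):
    """Which images ship `name` at a version older than `fixed_in`?"""
    return sorted(subject for subject, comps in inventory.items() for c in comps
                  if c["name"] == name and c["version"]
                  and version_key(c["version"]) < version_key(fixed_in))


def license_violations(inventory, allowed):
    """(image, component, license) for licenses missing or outside the allow-list."""
    return sorted((subject, c["name"], c["license"] or "NOASSERTION")
                  for subject, comps in inventory.items() for c in comps
                  if c["license"] not in allowed)


if __name__ == "__main__":
    inv = build_inventory(CYCLONEDX_DOC, SPDX_DOC)
    print("ships libfoo < 1.3.0:", affected_subjects(inv, "libfoo", "1.3.0"))
    print("license violations:", license_violations(inv, {"MIT", "Apache-2.0", "BSD-3-Clause"}))
```

The point of the normalization step is that the "which images are exposed?" query runs once over every SBOM in the organization, whatever tool produced it, instead of becoming a per-format, per-image hunt. Note the two caveats that matter in production: a package with no asserted license is treated as a violation rather than silently passing, and the version comparison must be replaced with one that understands the ecosystem's versioning scheme before it is trusted for remediation decisions.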

The road ahead: SBOM as a standard practice

The momentum around SBOMs at KubeCon 2025 signals a clear direction: SBOMs are becoming a default requirement for software development and security governance. As businesses face growing software supply chain risk, adopting SBOM tools like Syft becomes crucial for secure and scalable Kubernetes workflows. Organizations should automate SBOM generation as part of CI/CD, emit the SBOMs in a standard format such as SPDX or CycloneDX, and feed them to a scanner like Grype so that vulnerabilities are reassessed continuously as new advisories appear. This shift toward proactive visibility improves risk management, accelerates compliance efforts, and strengthens overall security resilience.

Conclusion: SBOM is the new default for Kubernetes security

KubeCon 2025 showed that SBOMs are no longer a “nice-to-have”; they are a necessity for security, compliance, and transparency. As software ecosystems grow more complex and containerized, tools like Anchore Syft give teams clarity over, and control of, their supply chains.

Whether you are an enterprise securing hundreds of Kubernetes clusters or a startup looking to shift left, the SBOM is your new foundation for secure cloud-native development.

Anchore