Recommended Workflow for Large-Scale Recurring SBOM Scans with Syft and Grype

Hello,

I’m currently working on an architecture where we generate SBOMs using Syft from a large number of different systems, Docker images, and full operating systems. We may have hundreds of them, and we want to run scans regularly (for example, periodic vulnerability re-evaluation).

From both a performance and correctness perspective, what would be the recommended workflow for large-scale recurring scans?

At the moment, we store part of the SBOM content inside a database. By storing more information from each SBOM, we are considering reconstructing a “global” SBOM and scanning it once per day. The idea would be to reduce the number of scans by scanning only one SBOM for the entire system instead of scanning each individual system separately.

However, this raises several questions:

  • Does Grype rely strictly on a single distribution (distro) context per SBOM?

  • What happens if a reconstructed SBOM accidentally contains packages from different Linux distributions?

  • Would Grype misinterpret vulnerability matches if the distro metadata does not align with all OS packages included in the SBOM?

  • Is there any supported multi-distro SBOM model, or should each distro context always remain strictly isolated?

  • More generally, do you recommend a completely different approach for handling large numbers of SBOMs efficiently and correctly?

Thank you in advance for your guidance.
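The post describes rebuilding one "global" SBOM and scanning it once, and asks what happens when that SBOM mixes packages from several Linux distributions. The script below is an added example (not part of the original post, and not Syft's or Grype's own tooling) showing the conservative alternative: group the Syft JSON documents by their `distro` block first and emit one merged SBOM per distro, so each scan still carries exactly one distro context. It assumes the Syft JSON layout in which every document has a top-level `distro` object (with `id` and `versionID`) and an `artifacts` list whose entries carry `id`, `name`, `version`, `type` and `purl`; the three sample documents are constructed inline and trimmed to those fields.

```python
"""Group Syft JSON SBOMs by distro and merge only within a group.

Added example, not the original post's code and not part of Syft or Grype.
Assumptions: Syft JSON documents with a top-level "distro" object and an
"artifacts" list; packages are deduplicated by purl (falling back to
type/name/version when no purl is present).
"""
import json
from collections import defaultdict
from pathlib import Path

# Constructed sample SBOMs, reduced to the fields the grouping logic reads.
SAMPLE_SBOMS = [
    {"schema": {"version": "16.0.0"},
     "source": {"type": "image", "name": "app-a"},
     "distro": {"id": "debian", "versionID": "12"},
     "artifacts": [
         {"id": "a1", "name": "openssl", "version": "3.0.11-1~deb12u2", "type": "deb",
          "purl": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?distro=debian-12"}],
     "artifactRelationships": []},
    {"schema": {"version": "16.0.0"},
     "source": {"type": "image", "name": "app-b"},
     "distro": {"id": "debian", "versionID": "12"},
     "artifacts": [
         # Same openssl package as app-a: must collapse to one entry.
         {"id": "a1", "name": "openssl", "version": "3.0.11-1~deb12u2", "type": "deb",
          "purl": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?distro=debian-12"},
         {"id": "a2", "name": "curl", "version": "7.88.1-10+deb12u5", "type": "deb",
          "purl": "pkg:deb/debian/curl@7.88.1-10+deb12u5?distro=debian-12"}],
     "artifactRelationships": []},
    {"schema": {"version": "16.0.0"},
     "source": {"type": "image", "name": "app-c"},
     "distro": {"id": "alpine", "versionID": "3.19.1"},
     "artifacts": [
         # Different distro: the same package name must NOT be merged with Debian's.
         {"id": "b1", "name": "openssl", "version": "3.1.4-r5", "type": "apk",
          "purl": "pkg:apk/alpine/openssl@3.1.4-r5?distro=alpine-3.19.1"}],
     "artifactRelationships": []},
]


def distro_key(doc):
    """Return a stable 'id-version' key for the document's distro block.

    Documents without a distro (e.g. application-only SBOMs) go to one group
    so they are never silently attached to some OS's vulnerability feed."""
    distro = doc.get("distro") or {}
    if not distro.get("id"):
        return "no-distro"
    version = distro.get("versionID") or distro.get("version") or "unknown"
    return f"{distro['id']}-{version}"


def package_key(artifact):
    """Identity used for deduplication: purl when present, else type/name/version."""
    return artifact.get("purl") or (artifact.get("type"), artifact["name"], artifact["version"])


def merge_by_distro(docs):
    """Merge SBOM documents, but only within a single distro group.

    Returns {distro_key: merged_document}; the merged document keeps one
    distro block, deduplicated artifacts and deduplicated relationships."""
    groups = defaultdict(list)
    for doc in docs:
        groups[distro_key(doc)].append(doc)

    merged = {}
    for key, members in groups.items():
        base = members[0]
        artifacts, relationships = {}, {}
        for doc in members:
            for art in doc.get("artifacts", []):
                artifacts.setdefault(package_key(art), art)
            for rel in doc.get("artifactRelationships", []):
                relationships.setdefault(
                    (rel.get("parent"), rel.get("child"), rel.get("type")), rel)
        merged[key] = {
            "schema": base.get("schema"),
            "descriptor": base.get("descriptor"),
            # The merged file is a synthetic aggregate; record which sources fed it.
            "source": {"type": "merged", "name": key,
                       "members": [m.get("source", {}).get("name") for m in members]},
            "distro": base.get("distro"),
            "artifacts": list(artifacts.values()),
            "artifactRelationships": list(relationships.values()),
        }
    return merged


def write_groups(merged, out_dir):
    """Write one sbom-<distro>.json per group; returns the written paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for key, doc in merged.items():
        path = out / f"sbom-{key}.json"
        path.write_text(json.dumps(doc, indent=2))
        paths.append(path)
    return paths


if __name__ == "__main__":
    for key, doc in merge_by_distro(SAMPLE_SBOMS).items():
        print(f"{key}: {len(doc['artifacts'])} packages from {doc['source']['members']}")
```

In a real pipeline the `SAMPLE_SBOMS` list would be replaced by `json.load` over the stored Syft documents, and each file `write_groups` emits would be handed to the scanner separately, so a daily run costs one scan per distro in use rather than one per system, without ever presenting Alpine and Debian packages under the same distro label.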