Technology forecast and strategic review restructure:

- Remove 13 components (backstage, mongodb, activemq, vitess, airflow, camel, dapr, superset, searxng, langserve, trino, lago, rabbitmq)
- Add 10 components (sigstore, syft-grype, nemo-guardrails, langfuse, reloader, matrix, ferretdb, litmus, livekit, coraza)
- Rename product: Synapse → Axon (SaaS LLM Gateway)
- Merge products: Titan + Fuse → Fabric (Data & Integration)
- New product: Relay (Communication)
- Replace Backstage with Catalyst IDP
- Replace MongoDB with FerretDB (MongoDB wire protocol on CNPG)
- Add supply chain security (Sigstore/Cosign, Syft+Grype)
- Add AI safety and observability (NeMo Guardrails, LangFuse)
- Add technology forecast 2027-2030 document
- Full verification pass: zero stale references across all docs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
# Syft + Grype
SBOM generation and vulnerability matching for supply chain security.
Category: Supply Chain Security | Type: Mandatory
## Overview

Syft generates Software Bills of Materials (SBOMs) for container images, and Grype matches those SBOMs against vulnerability databases. Together they provide the continuous supply chain visibility required by the EU CRA and banking regulators.
## Key Features
- SBOM generation in CycloneDX and SPDX formats
- Vulnerability matching against NVD, GitHub Advisory, OSV databases
- CI/CD integration via Gitea Actions
- Runtime scanning via Harbor integration
## Integration
| Component | Integration |
|---|---|
| Harbor | Stores SBOMs as OCI artifacts |
| Sigstore/Cosign | Attaches SBOM attestations to signed images |
| Trivy | Complementary scanning (Trivy for runtime, Grype for CI) |
| Gitea Actions | SBOM generation in build pipeline |
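A severity gate of the kind the Gitea Actions step would run over `grype -o json` output before an image is pushed to Harbor. This is an added example, not OpenOva's code; the report below is constructed, its CVE ids are placeholders, and the policy (block Critical always, block High only when a fix exists, skip risk-accepted ids) is an assumption.

```python
"""CI gate over a Grype JSON report (added example, not part of OpenOva).
Policy: fail on Critical findings, fail on High findings that already have a
fix, skip ids that were risk-accepted (e.g. recorded in a VEX statement)."""
import json

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample following the `matches[]` layout of `grype -o json`,
# trimmed to the fields the gate reads. CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-00001", "severity": "Critical",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "libplaceholder", "version": "1.0.0", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-00002", "severity": "High",
                       "fix": {"versions": ["2.3.1"], "state": "fixed"}},
     "artifact": {"name": "example-lib", "version": "2.3.0", "type": "python"}},
    {"vulnerability": {"id": "CVE-0000-00003", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "example-tool", "version": "0.9", "type": "go-module"}},
    {"vulnerability": {"id": "CVE-0000-00004", "severity": "Medium",
                       "fix": {"versions": ["1.1"], "state": "fixed"}},
     "artifact": {"name": "other", "version": "1.0", "type": "npm"}},
]})


def gate(report_json, ignore_ids=(), high_needs_fix=True):
    """Return (passed, blocking_findings) for a Grype JSON report string."""
    blocking = []
    for m in json.loads(report_json).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        if vuln["id"] in ignore_ids:
            continue  # risk-accepted finding, documented outside the pipeline
        rank = SEVERITY_RANK.get(vuln.get("severity", "Unknown"), 0)
        fix = vuln.get("fix", {})
        fixed = fix.get("state") == "fixed"
        is_high = rank == SEVERITY_RANK["High"] and (fixed or not high_needs_fix)
        if rank >= SEVERITY_RANK["Critical"] or is_high:
            blocking.append({"id": vuln["id"], "severity": vuln["severity"],
                             "package": f"{art['name']}@{art['version']}",
                             "fix": ",".join(fix.get("versions", [])) or "none"})
    return (not blocking), blocking


if __name__ == "__main__":
    passed, findings = gate(SAMPLE_REPORT)
    for f in findings:
        print(f"BLOCK {f['severity']:8} {f['id']} {f['package']} fix={f['fix']}")
    raise SystemExit(0 if passed else 1)
```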
## Deployment

```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: syft-grype
  namespace: flux-system
spec:
  interval: 10m
  path: ./platform/syft-grype
  prune: true
```
Part of OpenOva