Notice ID: FA830725RB045
Software Bill of Materials (SBOM) Generation
- The product must support generating SBOMs that comply with accepted industry standards (e.g., SPDX, CycloneDX).
- The product must support generating SBOMs for common programming languages and ecosystems (e.g., npm, Maven, PyPI, Go modules, NuGet, RubyGems, Cargo).
- The product must provide an API and/or CLI to generate SBOMs during the build process (CI/CD).
- The product should represent direct and transitive dependencies, including their relationships (e.g., which package depends on which).
Vulnerability Scanning
- The software must integrate with standard vulnerability databases, such as the National Vulnerability Database (NVD), RHSA, GHSA, and other vendor-specific feeds.
- The product must be able to automatically check the discovered components in the SBOM against known vulnerabilities.
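The two capabilities above (representing direct and transitive dependency relationships, and checking SBOM components against a vulnerability feed) are illustrated below with a small Python script. This is an added example, not code from the RFI or from any vendor's product: the CycloneDX-style SBOM, the package names, the advisory identifiers (`EXAMPLE-…`) and the feed entries are all constructed. It assumes a CycloneDX `dependencies` array of `ref`/`dependsOn` pairs and an OSV/GHSA-style "introduced"/"fixed" version range for each advisory; real scanners also match on CPE and handle non-numeric version schemes, which this example does not.

```python
"""Walk a CycloneDX-style SBOM dependency graph and match reachable
components against a vulnerability feed (added illustration; all
packages, advisories and version numbers are constructed)."""
import json
from collections import deque

# Constructed CycloneDX 1.5-style SBOM. The root application is in
# metadata.component; every other component appears in "components".
SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "pkg:npm/example-app@1.0.0",
                             "name": "example-app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:npm/web-framework@4.18.2", "name": "web-framework",
     "version": "4.18.2", "purl": "pkg:npm/web-framework@4.18.2"},
    {"bom-ref": "pkg:npm/query-parser@6.10.0", "name": "query-parser",
     "version": "6.10.0", "purl": "pkg:npm/query-parser@6.10.0"},
    {"bom-ref": "pkg:npm/deep-merge@2.0.1", "name": "deep-merge",
     "version": "2.0.1", "purl": "pkg:npm/deep-merge@2.0.1"},
    {"bom-ref": "pkg:npm/unused-lib@1.2.3", "name": "unused-lib",
     "version": "1.2.3", "purl": "pkg:npm/unused-lib@1.2.3"}
  ],
  "dependencies": [
    {"ref": "pkg:npm/example-app@1.0.0", "dependsOn": ["pkg:npm/web-framework@4.18.2"]},
    {"ref": "pkg:npm/web-framework@4.18.2", "dependsOn": ["pkg:npm/query-parser@6.10.0"]},
    {"ref": "pkg:npm/query-parser@6.10.0", "dependsOn": ["pkg:npm/deep-merge@2.0.1"]},
    {"ref": "pkg:npm/deep-merge@2.0.1", "dependsOn": []}
  ]
}
"""

# Constructed feed: (ecosystem, package) -> advisories. "introduced" is an
# inclusive lower bound and "fixed" an exclusive upper bound, the shape of
# OSV/GHSA range events. The EXAMPLE-* ids are placeholders, not real CVEs.
VULN_FEED = {
    ("npm", "deep-merge"): [
        {"id": "EXAMPLE-2024-0001", "introduced": "0.0.0", "fixed": "2.0.2"},
    ],
    ("npm", "query-parser"): [
        {"id": "EXAMPLE-2023-0042", "introduced": "6.0.0", "fixed": "6.9.0"},
    ],
}


def parse_purl(purl):
    """Split a simple purl such as pkg:npm/name@1.2.3 into its parts."""
    ecosystem, rest = purl[len("pkg:"):].split("/", 1)
    name, version = rest.rsplit("@", 1)
    return ecosystem, name, version


def version_key(version):
    """Numeric tuple so that 6.10.0 sorts after 6.9.0 (string compare would not)."""
    return tuple(int(part) for part in version.split("."))


def dependency_paths(sbom):
    """Breadth-first walk from the root; returns {ref: path_from_root}, so a
    finding on a transitive dependency can be traced to the direct
    dependency that pulled it in. Diamonds and cycles are visited once."""
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths, queue = {root: [root]}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in paths:
                paths[child] = paths[ref] + [child]
                queue.append(child)
    return paths


def match_vulnerabilities(sbom, feed):
    """Check every component reachable from the root against the feed."""
    paths, findings = dependency_paths(sbom), []
    for comp in sbom.get("components", []):
        ref = comp["bom-ref"]
        if ref not in paths:          # not in the graph; reported separately
            continue
        eco, name, version = parse_purl(comp["purl"])
        for adv in feed.get((eco, name), []):
            if version_key(adv["introduced"]) <= version_key(version) < version_key(adv["fixed"]):
                findings.append({"id": adv["id"], "purl": comp["purl"],
                                 "depth": len(paths[ref]) - 1, "path": paths[ref]})
    return findings


def unreachable_components(sbom):
    """Components listed in the SBOM but not wired into the dependency graph;
    a sign the generator produced an incomplete relationship set."""
    paths = dependency_paths(sbom)
    return sorted(c["bom-ref"] for c in sbom["components"] if c["bom-ref"] not in paths)


def scan(sbom_json=SBOM_JSON, feed=VULN_FEED):
    """Return (vulnerability findings, components missing from the graph)."""
    sbom = json.loads(sbom_json)
    return match_vulnerabilities(sbom, feed), unreachable_components(sbom)


if __name__ == "__main__":
    findings, orphans = scan()
    for f in findings:
        print(f["id"], f["purl"], "depth", f["depth"], "via", " -> ".join(f["path"]))
    print("not reachable from root:", orphans)
```

Running it reports the constructed `deep-merge@2.0.1` advisory at depth 3 with the full chain from the root application, while `query-parser@6.10.0` is correctly not flagged because 6.10.0 is past the fixed version 6.9.0 (a lexicographic comparison would have flagged it). The `unused-lib` component is reported as present in the SBOM but absent from the dependency graph, which is the kind of gap a reviewer would raise against a generator claiming to meet the relationship requirement.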
Configuration and Compliance
- Product should have a policy engine to flag specific Dockerfile instructions, with the ability to warn or stop the build based on specific conditions.
Instructions to Fill Out: The Government requests that any vendor interested in proposing an alternative solution please fill out the “RFI Anchore Analyzers_V2 Requirements Capability Spread Sheet” in Attachment 1. There are **three** tabs; please fill out all **three** tabs in the Excel file.