Generating an SBOM in the CI/CD pipeline (the static SBOM) is a fantastic first step, but it represents only the theory: the architectural blueprint.
In practice, modern applications often load plugins or dependencies dynamically at runtime. Through techniques such as eBPF (Extended Berkeley Packet Filter) we can observe, live in the kernel, which libraries are actually loaded into memory and which of them generate network traffic. The true compliance auditor looks at runtime behaviour, not just at the code on disk.
From reading to action
Curious how far your organisation is with the CRA? Test it in two minutes with the free Quickscan, or dive into the 4-week Survival Challenge.