A hands-on workshop on Software Bill of Materials (SBOM) developed for the CRACY project and events. The workshop is built around a deliberately vulnerable Go application to demonstrate real-world software supply chain risks. Participants learn how to generate SBOMs from Go applications using Syft, sign them cryptographically with Cosign, detect vulnerabilities with Grype, automate the workflow with GitHub Actions, and visualize results with Sunshine.
The workshop demonstrates end-to-end SBOM-based security practices in the context of the CRACY project, focusing on software supply chain security and reproducible security workflows.
