Software Supply Chain (SBOM, SCA, KEV)
Four coordinated layers that answer OWASP A06, from cloud-side detection to a signed Evidence Bundle.
WASViking® ships software supply chain coverage in four coordinated layers, not four point tools: cloud-side detection, premise-side SBOM, a CI/CD gate, and a signed Evidence Bundle, all sharing one component inventory and one KEV rule set.
Layer N1: Cloud-side detection
Cloud-side component detection fingerprints components from outside the network using:
- Path regex matchers per ecosystem.
- File and asset SHA-1 hashes against a known catalog.
- A Wappalyzer subset for framework detection.
- Meta-generator parsing.
- Response header signals.
- Cookie name signals.
- CMS well-known paths (/wp-admin/, /administrator/, etc.).
Each detection is enriched with OSV.dev advisories and CISA KEV flags. An EOL heuristic surfaces components past end-of-life.
CWE mapping: CWE-937 (OWASP Top Ten 2013 A9, Using Components with Known Vulnerabilities; a category entry), CWE-1104 (Use of Unmaintained Third Party Components), CWE-1395 (Dependency on Vulnerable Third-Party Component).
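The signal types listed above, run over one captured HTTP exchange, as an added example (not WASViking's detection engine). The signature catalog, the KEV and EOL tables, the asset hash, and the captured response are all constructed for illustration; real detection uses the product's catalog and live OSV.dev / CISA KEV data.

```python
"""Passive component fingerprinting from one captured HTTP exchange.

Added example, not WASViking code. The signature catalog, the KEV and EOL
tables, and the captured response below are all constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Constructed signal catalog (illustrative, not the product's rule set).
HEADER_SIGNATURES = {
    "x-powered-by": re.compile(r"^(?P<name>PHP|Express|ASP\.NET)/?(?P<version>[\d.]+)?", re.I),
    "server": re.compile(r"^(?P<name>nginx|Apache)/?(?P<version>[\d.]+)?", re.I),
}
COOKIE_SIGNATURES = {"PHPSESSID": "PHP", "laravel_session": "Laravel", "JSESSIONID": "Java servlet container"}
PATH_SIGNATURES = {"/wp-admin/": "WordPress", "/administrator/": "Joomla"}
META_GENERATOR = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\'](?P<name>[^"\' ]+)\s*(?P<version>[\d.]+)?', re.I)

# SHA-1 of a static asset body -> (component, version). The asset body is constructed.
JQUERY_SAMPLE = b"/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */"
ASSET_HASHES = {hashlib.sha1(JQUERY_SAMPLE).hexdigest(): ("jQuery", "1.12.4")}

# Constructed enrichment tables standing in for the OSV.dev / CISA KEV lookups.
KEV_LISTED = {("WordPress", "5.0.0")}          # assumption for the example only
EOL_BELOW = {"PHP": "8.1", "jQuery": "3.0.0"}  # versions below this count as past EOL (assumption)


@dataclass(frozen=True)
class Detection:
    component: str
    version: Optional[str]
    sources: tuple   # which signals produced this detection
    kev: bool
    eol: bool


def _vtuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def enrich(component: str, version: Optional[str], sources: tuple) -> Detection:
    kev = (component, version) in KEV_LISTED
    floor = EOL_BELOW.get(component)
    eol = bool(version and floor and _vtuple(version) < _vtuple(floor))
    return Detection(component, version, sources, kev, eol)


def fingerprint(headers: dict, cookie_names: list, body: str,
                reachable_paths: set, assets: dict) -> dict:
    """Collect every signal per component, keep the first concrete version seen, then enrich."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    raw: dict = {}

    def note(name: str, version: Optional[str], source: str) -> None:
        entry = raw.setdefault(name, {"version": None, "sources": []})
        entry["version"] = entry["version"] or version
        entry["sources"].append(source)

    for hname, rx in HEADER_SIGNATURES.items():          # response header signals
        m = rx.match(hdrs.get(hname, ""))
        if m:
            note(m["name"], m["version"], f"header:{hname}")
    for c in cookie_names:                               # cookie name signals
        if c in COOKIE_SIGNATURES:
            note(COOKIE_SIGNATURES[c], None, f"cookie:{c}")
    m = META_GENERATOR.search(body)                      # meta-generator parsing
    if m:
        note(m["name"], m["version"], "meta-generator")
    for p in sorted(reachable_paths):                    # CMS well-known paths
        if p in PATH_SIGNATURES:
            note(PATH_SIGNATURES[p], None, f"path:{p}")
    for url, content in assets.items():                  # asset SHA-1 against the catalog
        hit = ASSET_HASHES.get(hashlib.sha1(content).hexdigest())
        if hit:
            note(hit[0], hit[1], f"sha1:{url}")
    return {n: enrich(n, e["version"], tuple(e["sources"])) for n, e in raw.items()}


# Constructed capture of one target: headers, cookies, body, probed paths, fetched assets.
SAMPLE_HEADERS = {"Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.33"}
SAMPLE_COOKIES = ["PHPSESSID", "wordpress_logged_in_1a2b"]
SAMPLE_BODY = '<html><head><meta name="generator" content="WordPress 5.0.0"></head></html>'
SAMPLE_PATHS = {"/wp-admin/"}   # well-known paths that answered during the probe
SAMPLE_ASSETS = {"/js/jquery.min.js": JQUERY_SAMPLE}


def run_sample() -> dict:
    return fingerprint(SAMPLE_HEADERS, SAMPLE_COOKIES, SAMPLE_BODY, SAMPLE_PATHS, SAMPLE_ASSETS)


if __name__ == "__main__":
    for d in run_sample().values():
        flags = ("KEV " if d.kev else "") + ("EOL" if d.eol else "")
        print(f"{d.component:<10} {d.version or '?':<8} {flags:<8} via {', '.join(d.sources)}")
```

Two points the sample makes that matter in practice: a version usually comes from only one signal (here the header and the meta tag), while the cookie and path signals confirm presence without a version, so the merge keeps the first concrete version and records every source; and the KEV flag is keyed on the exact (component, version) pair, so a detection with no version can never be marked KEV and should be treated as "present, version unknown" rather than "not vulnerable".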
Layer N2: Premise-side SBOM
wasviking-sentinel sbom walks build manifests on the host and produces a CycloneDX 1.5 SBOM enriched with OSV and KEV data. The SBOM is submitted to your tenant over the agent's existing mTLS tunnel.
See wasviking-sentinel sbom for the agent reference.
Layer N3: CI/CD gate
wasviking-sentinel ci --sca runs the SBOM, OSV, and KEV pass at build time and returns a deterministic exit code: 70 when a KEV-listed component is present, 71 when only non-KEV vulnerabilities are found, 72 when the build is clean. All three codes are non-zero, so branch the pipeline on the exact code rather than on a plain pass/fail test; a build with a KEV hit then fails before the merge.
See wasviking-sentinel ci for the gate reference.
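Layers N2 and N3 end to end, as an added example that is not wasviking-sentinel's code: a constructed requirements-style manifest is turned into a minimal CycloneDX 1.5 document, enriched from constructed OSV and KEV tables (the advisory identifiers are placeholders, not real IDs), and mapped onto the exit codes documented for `ci --sca`.

```python
"""Build-time SCA gate: manifest -> CycloneDX 1.5 -> OSV/KEV enrichment -> exit code.

Added example, not wasviking-sentinel's code. The manifest and the OSV/KEV
tables are constructed; advisory identifiers are placeholders, not real IDs.
"""
import json
import sys

EXIT_KEV, EXIT_NON_KEV, EXIT_OK = 70, 71, 72   # codes documented for `ci --sca`

# Constructed requirements.txt-style manifest.
MANIFEST = """\
# pinned application dependencies
requests==2.25.1
urllib3==1.26.5
pyyaml==6.0.1
"""

# Constructed advisory data standing in for OSV.dev and CISA KEV lookups.
OSV_TABLE = {
    ("pypi", "requests", "2.25.1"): [{"id": "EXAMPLE-OSV-0001", "severity": "medium", "fixed": "2.31.0"}],
    ("pypi", "urllib3", "1.26.5"): [{"id": "EXAMPLE-OSV-0002", "severity": "high", "fixed": "1.26.18"}],
}
KEV_TABLE = {("pypi", "urllib3", "1.26.5"): {"EXAMPLE-OSV-0002"}}  # advisory ids on KEV for that version


def parse_manifest(text: str) -> list:
    """Parse `name==version` lines; comments and blanks are skipped, unpinned lines are rejected."""
    comps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep:
            raise ValueError(f"unpinned dependency: {line!r}")
        comps.append((name.strip().lower(), version.strip()))
    return comps


def build_sbom(components: list, ecosystem: str = "pypi") -> dict:
    """Minimal CycloneDX 1.5 JSON document (only the fields this gate needs)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [
            {"type": "library", "name": n, "version": v,
             "purl": f"pkg:{ecosystem}/{n}@{v}", "bom-ref": f"pkg:{ecosystem}/{n}@{v}"}
            for n, v in components
        ],
        "vulnerabilities": [],
    }


def enrich(sbom: dict, osv: dict, kev: dict, ecosystem: str = "pypi") -> dict:
    """Attach advisories to the SBOM; each carries a `kev` property (example's own name) for the gate."""
    for c in sbom["components"]:
        key = (ecosystem, c["name"], c["version"])
        kev_ids = kev.get(key, set())
        for adv in osv.get(key, []):
            sbom["vulnerabilities"].append({
                "id": adv["id"],
                "ratings": [{"severity": adv["severity"]}],
                "affects": [{"ref": c["bom-ref"]}],
                "recommendation": f"upgrade to {adv['fixed']}",
                "properties": [{"name": "kev", "value": str(adv["id"] in kev_ids).lower()}],
            })
    return sbom


def gate_exit_code(sbom: dict) -> int:
    """KEV outranks everything; any advisory beats clean; clean is still non-zero (72)."""
    vulns = sbom["vulnerabilities"]
    if any(p["value"] == "true" for v in vulns for p in v.get("properties", []) if p["name"] == "kev"):
        return EXIT_KEV
    return EXIT_NON_KEV if vulns else EXIT_OK


def run_gate(manifest_text: str) -> tuple:
    """Returns (exit code, enriched SBOM) for one manifest."""
    sbom = enrich(build_sbom(parse_manifest(manifest_text)), OSV_TABLE, KEV_TABLE)
    return gate_exit_code(sbom), sbom


if __name__ == "__main__":
    code, sbom = run_gate(MANIFEST)
    json.dump(sbom, sys.stdout, indent=2)
    print(f"\ngate exit code: {code}", file=sys.stderr)
    sys.exit(code)
```

The precedence in `gate_exit_code` is what makes the code deterministic: one KEV hit yields 70 no matter how many lower-severity advisories sit beside it. Because the clean case also exits non-zero, a pipeline step that only checks for exit 0 would fail every build; test for the exact value instead (for example `case "$?" in 72) ;; 71) ...; 70) exit 1;; esac` in a shell step).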
Evidence Bundle: vendor due-diligence artifact
A signed per-submission package, shipped together with a consolidated org-wide CycloneDX SBOM, a brand cover PDF, drift, findings, audit, and compliance CSVs, and a verification.txt.
Distribution model: a split share (token plus password, delivered separately), time-limited and revocable. Public REST access uses the sca:read scope. This is the same zero-knowledge model as Posture Shares.
| Action | Endpoint |
|---|---|
| Create bundle | POST /v1/sca/bundles (evidence.share) |
| List bundles | GET /v1/sca/bundles (sca:read) |
| Revoke bundle | POST /v1/sca/bundles/{id}/revoke |
Operators can issue, reissue, and revoke bundles from the portal under Inventory → SBOM.
Component search
The SBOM inventory keeps an inverted index of components across every submission. Use the search to answer questions in one query:
```
GET /api/v1/inventory/components/search?name=log4j-core&version=2.14.1
```

```json
{
  "matches": 3,
  "hosts": ["checkout-api.prod", "billing-worker.stg", "legacy-portal.dr"],
  "kev": true,
  "first_seen": "2026-04-18T11:02Z"
}
```
Continuous Supply Chain Watch
A daily cross-reference of every submitted SBOM against OSV and CISA KEV. New advisories become Findings automatically; re-alerts fire only on meaningful state changes (KEV listing, severity escalation, fix availability), so an advisory whose state is unchanged does not alert again.
See the dedicated page: Supply Chain Intel.
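The re-alert rule from the paragraph above, as an added example that is not WASViking's code: yesterday's and today's per-advisory state are diffed, and only the changes named on this page (KEV listing, severity escalation, fix availability) or a first match produce an alert. All advisory states, identifiers and component purls are constructed.

```python
"""Re-alert decision for the daily Continuous Watch pass.

Added example, not WASViking code. It diffs yesterday's and today's enrichment
state per advisory and reports only the changes the page calls meaningful:
KEV listing, severity escalation, fix availability. All states are constructed.
"""
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class AdvisoryState:
    component: str            # purl of the affected component
    advisory_id: str
    severity: str
    kev: bool
    fixed_in: Optional[str]   # None until upstream ships a fix


def meaningful_changes(prev: Optional[AdvisoryState], cur: AdvisoryState) -> list:
    """Reasons to (re-)alert. Text edits, severity downgrades and KEV removal are not reasons."""
    if prev is None:
        return ["new_advisory"]   # first day this advisory matches a submitted SBOM
    reasons = []
    if cur.kev and not prev.kev:
        reasons.append("kev_listed")
    if SEVERITY_RANK.get(cur.severity, 0) > SEVERITY_RANK.get(prev.severity, 0):
        reasons.append("severity_escalated")
    if cur.fixed_in and not prev.fixed_in:
        reasons.append("fix_available")
    return reasons


def daily_pass(previous: dict, today: dict) -> dict:
    """Keys are (component purl, advisory id). Returns only entries that should alert today."""
    alerts = {}
    for key, cur in today.items():
        reasons = meaningful_changes(previous.get(key), cur)
        if reasons:
            alerts[key] = reasons
    return alerts


# Constructed snapshots. Advisory ids are placeholders, not real identifiers.
LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
LIB = "pkg:npm/example-lib@1.0.0"

YESTERDAY = {
    (LOG4J, "EXAMPLE-0001"): AdvisoryState(LOG4J, "EXAMPLE-0001", "high", False, None),
    (LOG4J, "EXAMPLE-0002"): AdvisoryState(LOG4J, "EXAMPLE-0002", "medium", False, "2.15.0"),
    (LIB, "EXAMPLE-0003"): AdvisoryState(LIB, "EXAMPLE-0003", "low", False, None),
    (LIB, "EXAMPLE-0004"): AdvisoryState(LIB, "EXAMPLE-0004", "critical", True, "1.0.1"),
}
TODAY = {
    (LOG4J, "EXAMPLE-0001"): AdvisoryState(LOG4J, "EXAMPLE-0001", "high", True, "2.17.1"),   # KEV + fix
    (LOG4J, "EXAMPLE-0002"): AdvisoryState(LOG4J, "EXAMPLE-0002", "medium", False, "2.15.0"),  # unchanged
    (LIB, "EXAMPLE-0003"): AdvisoryState(LIB, "EXAMPLE-0003", "high", False, None),            # escalated
    (LIB, "EXAMPLE-0004"): AdvisoryState(LIB, "EXAMPLE-0004", "high", True, "1.0.1"),          # downgraded
    (LIB, "EXAMPLE-0005"): AdvisoryState(LIB, "EXAMPLE-0005", "medium", False, None),          # new today
}


def run_sample() -> dict:
    return daily_pass(YESTERDAY, TODAY)


if __name__ == "__main__":
    for (purl, aid), reasons in run_sample().items():
        print(f"{aid} on {purl}: {', '.join(reasons)}")
```

The asymmetry is deliberate: a downgrade or a KEV delisting changes nothing for the team that already has the Finding open, so it stays quiet, while a fix becoming available is worth a page because it turns a tracked risk into a schedulable upgrade.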
Supply-chain IOC (Manual Indicators)
For operator-supplied indicators outside the automated OSV + KEV feeds: define a package and version range, dry-run to preview the matching components, then apply to promote the matches to Findings.
See the dedicated page: Supply-chain IOC.
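The dry-run step above, as an added example that is not WASViking's code: an operator indicator (ecosystem, package, version range) is matched against a constructed component inventory and the would-be Findings are returned without being written. The range syntax here (comma-joined comparators such as `>=5.6.0,<5.6.2`) and the `version_key` ordering are this example's own assumptions, not the product's; the sample indicator uses the publicly known compromised xz releases, and every host row is constructed.

```python
"""Dry run of an operator-supplied supply-chain IOC against the component inventory.

Added example, not WASViking code. The inventory rows are constructed, and the
version-range syntax (comma-joined comparators such as ">=5.6.0,<5.6.2") is this
example's own, not the product's.
"""
import operator
import re
from typing import NamedTuple

_CLAUSE = re.compile(r"^(==|!=|>=|<=|>|<)\s*([0-9][0-9A-Za-z.+~-]*)$")
_OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
        "<=": operator.le, ">": operator.gt, "<": operator.lt}


class Indicator(NamedTuple):
    ecosystem: str
    package: str
    version_range: str
    reason: str


def version_key(version: str) -> tuple:
    """Numeric upstream version only; distro revisions after '-', '+' or '~' are dropped."""
    upstream = re.split(r"[-+~]", version, maxsplit=1)[0]
    parts = [int(p) for p in upstream.split(".") if p.isdigit()]
    return tuple(parts + [0] * (4 - len(parts)))


def in_range(version: str, spec: str) -> bool:
    """Every comma-separated clause must hold. A malformed clause raises instead of silently matching nothing."""
    for clause in spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"malformed range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](version_key(version), version_key(bound)):
            return False
    return True


def dry_run(ioc: Indicator, inventory: list) -> list:
    """Preview the Findings an IOC would create; nothing is written."""
    return [
        {"host": host, "component": f"{pkg}@{ver}", "ecosystem": eco, "reason": ioc.reason}
        for host, eco, pkg, ver in inventory
        if eco == ioc.ecosystem and pkg == ioc.package and in_range(ver, ioc.version_range)
    ]


# Constructed inventory rows: (host, ecosystem, package, version) across several submissions.
INVENTORY = [
    ("build-runner-01", "deb", "xz-utils", "5.6.1-1"),
    ("build-runner-02", "deb", "xz-utils", "5.4.5-0.3"),
    ("ci-agent-07", "deb", "xz-utils", "5.6.0-0.2"),
    ("pkg-mirror", "deb", "liblzma5", "5.6.1-1"),
    ("mac-dev-03", "brew", "xz", "5.6.1"),
]

# Operator IOC for the backdoored upstream xz releases (CVE-2024-3094); hosts above are constructed.
XZ_IOC = Indicator("deb", "xz-utils", ">=5.6.0,<5.6.2", "CVE-2024-3094 backdoored upstream release")


def run_sample() -> list:
    return dry_run(XZ_IOC, INVENTORY)


if __name__ == "__main__":
    for hit in run_sample():
        print(f"{hit['host']}: {hit['component']} ({hit['reason']})")
```

The dry run is also where the blind spots show: the same upstream code ships as `liblzma5` on Debian-family hosts and as `xz` under Homebrew, and neither matches an indicator scoped to `deb` / `xz-utils`. Review the preview for those sibling package names and add one indicator per (ecosystem, package) before applying.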
Where it lives in the portal
- Inventory → Software Bill of Materials: submissions and component view.
- Inventory → Supply Chain Intel: Continuous Watch.
- Inventory → Supply-chain IOC: operator-supplied indicators.
- Inventory → SBOM Evidence Bundles: signed audit packages.
- Findings: filterable by category vulnerable_component.
- Settings → API Keys: for the sca:submit, sca:read, sca:ioc, and sca:intel:read scopes.
