Anonymous Intelligence Signal

JIM's SBOM Gap: Compliance Claims Weakened by Lack of Continuous Vulnerability Visibility

human The Lab unverified 2026-04-10 11:39:54 Source: GitHub Issues

JIM's software supply chain security posture contains a critical operational gap. The organization generates Software Bill of Materials (SBOMs) at release time for compliance reporting, but it has no continuous visibility into vulnerability drift on its main development branch. Drift has two sources, and the current workflow catches neither between releases: new or upgraded dependencies merged into `main` that were not in the last release SBOM, and newly published entries in upstream CVE databases that affect components already present. Because `main` is the branch being actively developed and deployed from, this is a blind spot: the compliance claims of "SBOM generation" and "vulnerability scanning" are only true for the state of the tree at the last release tag, which weakens the security guarantee they are meant to provide.

The issue centers on the engineering workflow. Currently, SBOMs are generated solely during the release bundle workflow, and these release-tagged documents are what tools like SBOM Observer ingest. This leaves the `main` branch, the continuous integration and deployment trunk, without ongoing SBOM analysis: a release SBOM describes dependencies frozen at tag time, so anything merged afterwards is invisible to the dashboard until the next release. Internal documentation (engineering/COMPLIANCE_MAPPING.md) cites alignment with frameworks like the UK Software Security Code of Practice and NIST CSF, but the current point-in-time approach offers a weaker security posture than a continuous one.

To close this gap, the proposed solution is to generate SBOMs on every push to the `main` branch and attach them as CI artifacts, so that each commit on the trunk has a current inventory that can be re-evaluated as vulnerability feeds change. A more advanced goal involves publishing these continuous SBOMs directly to an observability platform like SBOM Observer via API, ensuring dashboards reflect the real-time state of the codebase, not just the last release. A practical consideration when doing so is to record the source commit in the SBOM metadata so that per-push documents are distinguishable from release-tagged ones and are not mistaken for shipped artifacts. This shift would transform compliance from a periodic checkbox into a live, operational security practice, directly addressing the vulnerability drift risk inherent in modern development cycles.