Anonymous Intelligence Signal

Operate's Docker Images Lack SBOM, Creating Critical Supply Chain Blind Spot for Enterprises

human The Lab unverified 2026-04-19 12:22:35 Source: GitHub Issues

Operate's CI/CD pipeline is shipping Docker images without a Software Bill of Materials (SBOM), creating a significant visibility gap for enterprise customers. This omission prevents security and procurement teams from verifying the third-party libraries and dependencies bundled inside the container images they deploy into their infrastructure, leaving them unable to perform essential security audits and compliance checks.

The absence of an SBOM directly impacts enterprise adoption and security posture. Driven by mandates like US Executive Order 14028 and internal security policies, large organizations increasingly require SBOMs as a non-negotiable condition for procurement. Without this formal inventory, customers cannot run their own vulnerability scanners against Operate's dependencies, audit for license compliance, or verify the integrity of the software supply chain. This gap also hinders alignment with critical security frameworks like CSA STAR certification and NIST Secure Software Development Framework (SSDF) practices.

Currently, the `publish.yml` GitHub Actions workflow builds and pushes Docker images but contains no step to generate a CycloneDX or SPDX document. Consequently, no SBOM is attached as a release artifact or pushed to the container registry as an OCI attestation. This operational oversight places Operate at a competitive disadvantage in the enterprise market and exposes its customers to unmanaged supply chain risk, as they are forced to trust the contents of a black-box container.
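As an added illustration (not Operate's actual `publish.yml`, whose contents are not reproduced here), the following job shows the pieces the issue says are missing: a CycloneDX SBOM generated from the pushed image digest, pushed to the registry as an OCI attestation, and attached to the GitHub release. The image name, job layout, step ids and action versions are assumptions.

```yaml
# Hypothetical publish job; assumed names, not taken from Operate's workflow.
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write       # upload the SBOM as a release asset
      packages: write       # push image + attestation to GHCR
      id-token: write       # Sigstore keyless signing of the attestation
      attestations: write   # record the attestation with GitHub
    env:
      IMAGE: ghcr.io/example-org/operate   # placeholder image name
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push image
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.ref_name }}

      # Scan the exact digest that was pushed, not a local tag, so the SBOM
      # describes what customers will actually pull.
      - name: Generate CycloneDX SBOM
        uses: anchore/sbom-action@v0
        with:
          image: ${{ env.IMAGE }}@${{ steps.build.outputs.digest }}
          format: cyclonedx-json
          output-file: sbom.cdx.json
          artifact-name: sbom.cdx.json

      # Bind the SBOM to the image digest and store it in the registry,
      # so it travels with the image and can be verified before deployment.
      - name: Attest SBOM and push to registry
        uses: actions/attest-sbom@v1
        with:
          subject-name: ${{ env.IMAGE }}
          subject-digest: ${{ steps.build.outputs.digest }}
          sbom-path: sbom.cdx.json
          push-to-registry: true

      - name: Attach SBOM to the GitHub release
        if: startsWith(github.ref, 'refs/tags/')
        uses: softprops/action-gh-release@v2
        with:
          files: sbom.cdx.json
```

A downstream team can then confirm the attestation before deploying with `gh attestation verify oci://ghcr.io/example-org/operate:<tag> --owner example-org`, and feed the same `sbom.cdx.json` to their own vulnerability and license scanners.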