惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

L
LangChain Blog
博客园 - 司徒正美
美团技术团队
WordPress大学
WordPress大学
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
人人都是产品经理
人人都是产品经理
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
T
Troy Hunt's Blog
S
Schneier on Security
T
The Exploit Database - CXSecurity.com
P
Proofpoint News Feed
云风的 BLOG
云风的 BLOG
Engineering at Meta
Engineering at Meta
Cisco Talos Blog
Cisco Talos Blog
T
Tor Project blog
B
Blog
NISL@THU
NISL@THU
月光博客
月光博客
博客园 - 【当耐特】
AWS News Blog
AWS News Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
腾讯CDC
L
Lohrmann on Cybersecurity
The Cloudflare Blog
L
LINUX DO - 最新话题
S
Security @ Cisco Blogs
S
Secure Thoughts
Spread Privacy
Spread Privacy
有赞技术团队
有赞技术团队
The Last Watchdog
The Last Watchdog
Project Zero
Project Zero
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Vercel News
Vercel News
H
Hacker News: Front Page
S
SegmentFault 最新的问题
Schneier on Security
Schneier on Security
aimingoo的专栏
aimingoo的专栏
P
Privacy & Cybersecurity Law Blog
博客园 - 三生石上(FineUI控件)
Forbes - Security
Forbes - Security
C
CXSECURITY Database RSS Feed - CXSecurity.com
I
InfoQ
T
Tailwind CSS Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
G
GRAHAM CLULEY
W
WeLiveSecurity
小众软件
小众软件
Recorded Future
Recorded Future
Cyberwarzone
Cyberwarzone
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org

Aikido Security's Blog

GlassWorm goes native: New Zig dropper infects every IDE on your machine Aikido Attack finds multiple 0-days in Hoppscotch The cybersecurity doomerism around Mythos doesn't match what we see on the ground axios compromised on npm: maintainer account hijacked, RAT deployed Popular telnyx package compromised on PyPI by TeamPCP Aikido × Lovable: Vibe, Fix, Ship CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Security testing is validating software that no longer exists Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM GlassWorm Hides a RAT Inside a Malicious Chrome Extension fast-draft Open VSX Extension Compromised by BlokTrooper Glassworm Strikes Popular React Native Phone Number Packages Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories How Security Teams Fight Back Against AI-Powered Hackers Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks Trump’s 2026 cybersecurity strategy: From compliance to consequence How does AI pentesting work with compliance? What continuous pentesting actually requires Rare Not Random: Using Token Efficiency for Secrets Scanning Persistent XSS/RCE using WebSockets in Storybook’s dev server Why Determinism Is Still a Necessity in Security WAF vs. RASP vs. ADR Introducing Aikido Infinite: A new model of self-securing software How Aikido secures AI pentesting agents by design Astro Full-Read SSRF via Host Header Injection How to Get Your Board to Care About Security (Before a Breach Forces the Issue) What is Slopsquatting? The AI Package Hallucination Attack Already Happening SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel Top 6 Wiz Code Alternatives Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report From detection to prevention: How Zen stops IDOR vulnerabilities at runtime npm backdoor lets hackers hijack gambling outcomes Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code Why Trying to Secure OpenClaw is Ridiculous Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security? Introducing Aikido Expansion Packs: Safer defaults inside the IDE International AI Safety Report 2026: What It Means for Autonomous AI Systems Self-Securing Software: What It Is, Why It Matters, and How It Works npx Confusion: Packages That Forgot to Claim Their Own Name What Is Continuous Pentesting? Introducing Aikido Package Health: a Better Way to Trust Your Dependencies AI Pentesting: Minimum Safety Requirements for Security Testing Secure SDLC for Engineering Teams (+ Checklist) Fake Clawdbot VS Code Extension Installs ScreenConnect RAT G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT Top 10 AI Security Tools For 2026 Agent Skills Are Spreading Hallucinated npx Commands Understanding Open-Source License Risk in Modern Software The CISO Vibe Coding Checklist for Security Top 6 Graphite alternatives for AI code review in 2026 From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858) Top 14 VS Code Extensions for 2026 AI-Driven Pentesting of Coolify: Seven CVEs Identified Top Continuous Pentesting Tools in 2026 SAST vs SCA: Securing the Code You Write and the Code You Depend On JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack How Engineering and Security Teams Can Meet DORA’s Technical Requirements IDOR Vulnerabilities Explained: Why They Persist in Modern Applications Shai Hulud strikes again - The golden path MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security Top 10 Cyber Security Tools For 2026 SAST in the IDE is now free: Moving SAST to where development actually happens AI Pentesting in Action: A TL;DV Recap of Our Live Demo The Top 7 Threat Intelligence Tools in 2026 React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents Top 7 Cloud Security Vulnerabilities Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE Safe Chain now enforces a minimum package age before install Shai Hulud Attacks Persist Through GitHub Actions Vulnerabilities Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised CORS Security: Beyond Basic Configuration Revolut Selects Aikido Security to Power Developer-First Software Security The Future of Pentesting Is Autonomous How Aikido and Deloitte are bringing developer-first security to enterprise Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials Invisible Unicode Malware Strikes OpenVSX, Again AI as a Power Tool: How Windsurf and Devin Are Changing Secure Coding Building Fast, Staying Secure: Supabase’s Approach to Secure-by-Default Development OWASP Top 10 2025: Official List, Changes, and What Developers Need to Know Top 10 JavaScript Security Vulnerabilities in Modern Web Apps The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties Top 7 Black Duck Alternatives in 2026 What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained AutoTriage and the Swiss Cheese Model of Security Noise Reduction Top Software Supply Chain Security Vulnerabilities Explained The Top 7 Kubernetes Security Tools Top 10 Web Application Security Vulnerabilities Every Team Should Know What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained
SBOMs in 2026: Everyone's generating them, no one's using them
Jens Gellynck · 2026-06-10 · via Aikido Security's Blog

Published on:

Jun 10, 2026

ENISA just published its SBOM Adoption State of Play 2026, based on a survey of 334 organizations (65% EU-based, 80% directly impacted by the Cyber Resilience Act (CRA)). It is the clearest snapshot yet of where the industry stands on software supply chain transparency, and the picture is more nuanced than "everyone's on board."

Here's what stood out.

The CRA is doing the heavy lifting

Unsurprisingly, the CRA is the number one driver of SBOM adoption. 43% of organizations say the CRA has significantly accelerated their SBOM investment, with another 29% reporting a moderate influence. 78% have started their SBOM journey, and 79% expect to hit the required maturity level by the time the CRA becomes fully applicable in December 2027.

That leaves roughly 1 in 5 organizations expecting to miss the deadline, and 12% can't even estimate a timeline.

Generating SBOMs and using them are two different things

Most organizations now produce SBOMs. 39% generate them at build time, and 74% have at least partially automated per-release generation. But consumption is lagging:

  • 44% report a moderate gap between generating SBOMs and actually utilizing them, and 23% report a significant gap. Only 7% have closed it.
  • 20% of respondents don't know if or how SBOMs are consumed in their organization at all.
  • ENISA's own conclusion is that SBOMs are used "mainly for compliance purposes" rather than active security.

An SBOM sitting unread in an artifact registry is just paperwork. SBOMs only bring value when they feed vulnerability and licensing management. That's where teams are struggling. 58% rate vulnerability matching (CPE/PURL alignment, false positives) as a major challenge, and 60% flag data quality issues like incomplete components and identifiers.

Suppliers aren't sending SBOMs

Most organizations aren't getting SBOMs from their suppliers because most suppliers aren't sending them.

  • 39% of organizations never receive SBOMs for the commercial software they buy. Another 39% only rarely do. Just 2% always receive them.
  • Only 10% have mandatory SBOM clauses in supplier contracts (though 55% are working on it).
  • 45% say fewer than a quarter of their suppliers meet their SBOM requirements.
  • Completeness (27%), identifier accuracy (17%), and vulnerability references (12%) are the top quality gaps.

Depth compounds the quality problem. 36% of organizations need SBOMs covering all primary components and direct dependencies, but only 29% receive that. For full-depth SBOMs, the gap is 24% needed versus 14% received. And 45% don't even know what depth they're getting. 

Since most real-world vulnerabilities hide in transitive dependencies, this directly caps the security value of any SBOM program.

What the data also shows

The report surfaces a few more findings that reveal an industry that understands the problem and is struggling with the follow-through.

What's getting in the way

  • Concern outpaces investment. Over 90% of organizations worry about supply chain security, but only 34% allocate significant resources to it. A skills gap compounds the problem, with 57% citing a lack of skills or staff as a barrier.
  • Completeness is the main barrier. 62% say achieving a high degree of SBOM completeness is quite a lot or extremely difficult.
  • Format wars aren't over. CycloneDX leads (44%) over SPDX (29%), but 28% still use proprietary or non-standard formats. That is a direct compliance risk, since the CRA requires a commonly used, machine-readable format and Germany's BSI guideline explicitly expects CycloneDX 1.6+ or SPDX 3.0.1+.

Who's ahead and what comes next

  • Small companies are quietly ahead. 23-25% of micro and small enterprises report mature, automated SBOM implementation, versus just 4-6% of medium and large ones. Meanwhile 36% of large enterprises see SBOMs as a "mandatory burden".
  • The market wants  a reference implementation with ready-made pipelines (26%), tool benchmarks and a buyer's guide (22%), conformance tests (18%), and a profile defining what a "good enough" SBOM looks like (31%).

What this means in practice

The ENISA data points to utilization as the challenge that will define 2026. That means automated generation on every build, continuous updates across the product support period, vulnerability workflows actually tied to SBOM data, and visibility into what your suppliers ship you. That is where the survey shows the biggest gaps, and it is where the CRA will apply the most pressure.

How Aikido helps you get there

This is where Aikido Security comes in, taking supply chain transparency beyond the compliance checkbox and into your vulnerability and licensing workflows.

One-click SBOM generation in the right format 

With one click, Aikido generates SBOMs for your repositories in CycloneDX and SPDX, the two formats the CRA and BSI guidance point to. This covers the 28% of organizations still stuck on proprietary formats and the "minimum content in machine-readable format" obligation, and exports are ready to drop into your technical documentation when a market surveillance authority comes asking.

SBOM consumption, including self-reported SBOMs

Generating your own SBOM only covers the code you write. Aikido also lets you import SBOMs you receive from vendors and suppliers (self-reported SBOMs), so third-party components get pulled into the same vulnerability monitoring as your own dependencies. Given that 39% of organizations never receive supplier SBOMs and most that do can't act on them, having a place where supplier SBOMs become monitored inventory, continuously matched against known vulnerabilities, closes the consumption gap ENISA describes.

Aikido Device Protection: visibility where SBOMs don't reach

SBOMs describe what is in your products. But your attack surface also includes the machines that build and write that software. Deploying Aikido Device Protection on build servers and developer machines extends that same inventory-and-vulnerability mindset to your development environment, covering which tools, runtimes, and packages are installed, which are outdated or vulnerable, and whether the environment producing your "trusted" builds is itself trustworthy. With supply chain attacks targeting CI pipelines and developer workstations rather than the code itself, this closes a blind spot that no SBOM will ever show you.

Together, these three capabilities let you know what you ship, know what you consume, and know the environment where it is all built. They run continuously, without adding another dashboard your team ignores. That is supply chain security that goes beyond the compliance checkbox.

Last updated on:

Jun 10, 2026

<script type="application/ld+json">
{
 "@context": "https://schema.org",
 "@graph": [
   {
     "@type": "WebPage",
     "@id": "https://www.aikido.dev/blog/sboms-in-2026-everyone-generating-no-one-using",
     "url": "https://www.aikido.dev/blog/sboms-in-2026-everyone-generating-no-one-using",
     "name": "SBOMs in 2026: Everyone's generating them, no one's using them",
     "description": "ENISA's 2026 SBOM Adoption State of Play surveyed 334 organisations and found a consistent gap between generating SBOMs and actually using them. Here is what the data shows and what it means for CRA compliance.",
     "inLanguage": "en",
     "isPartOf": {
       "@type": "WebSite",
       "@id": "https://www.aikido.dev",
       "url": "https://www.aikido.dev",
       "name": "Aikido Security"
     },
     "breadcrumb": {
       "@id": "https://www.aikido.dev/blog/sboms-in-2026-everyone-generating-no-one-using#breadcrumb"
     },
     "mainEntity": {
       "@id": "https://www.aikido.dev/blog/sboms-in-2026-everyone-generating-no-one-using#article"
     },
     "speakable": {
       "@type": "SpeakableSpecification",
       "cssSelector": ["h1", "h2", ".article-summary"]
     }
   },
   {
     "@type": "BreadcrumbList",
     "@id": "https://www.aikido.dev/blog/sboms-in-2026-everyone-generating-no-one-using#breadcrumb",
     "itemListElement": [
       {
         "@type": "ListItem",
         "position": 1,
         "name": "Home",
         "item": "https://www.aikido.dev"
       },
       {
         "@type": "TechArticle",
         "position": 2,
         "name": "Blog",
         "item": "https://www.aikido.dev/blog"
       },
       {
         "@type": "ListItem",
         "position": 3,
         "name": "SBOMs in 2026: Everyone's generating them, no one's using them",
         "item": "https://www.aikido.dev/blog/sboms-in-2026-everyone-generating-no-one-using"
       }
     ]
   },
   {
     "@type": "TechArticle",
     "@id": "https://www.aikido.dev/blog/sboms-in-2026-everyone-generating-no-one-using#article",
     "mainEntityOfPage": {
       "@id": "https://www.aikido.dev/blog/sboms-in-2026-everyone-generating-no-one-using"
     },
     "headline": "SBOMs in 2026: Everyone's generating them, no one's using them",
     "description": "ENISA's 2026 SBOM Adoption State of Play surveyed 334 organisations and found a consistent gap between generating SBOMs and actually using them. Here is what the data shows and what it means for CRA compliance.",
     "datePublished": "2026-06-10T00:00:00Z",
     "dateModified": "2026-06-10T00:00:00Z",
     "timeRequired": "PT7M",
     "inLanguage": "en",
     "url": "https://www.aikido.dev/blog/sboms-in-2026-everyone-generating-no-one-using",
     "canonicalUrl": "https://www.aikido.dev/blog/sboms-in-2026-everyone-generating-no-one-using",
     "author": {
       "@id": "https://www.aikido.dev/authors/nicholas-thomson#person"
     },
     "publisher": {
       "@id": "https://www.aikido.dev#organization"
     },
     "image": {
       "@type": "ImageObject",
       "url": "https://www.aikido.dev/images/blog/sboms-in-2026-cover.png",
       "width": 1200,
       "height": 630,
       "alt": "SBOMs in 2026: Everyone's generating them, no one's using them — Aikido Security"
     },
     "keywords": [
       "SBOM",
       "Software Bill of Materials",
       "Cyber Resilience Act",
       "CRA compliance",
       "software supply chain security",
       "ENISA",
       "CycloneDX",
       "SPDX",
       "SBOM adoption",
       "vulnerability management",
       "supply chain transparency",
       "open source security",
       "SCA",
       "dependency scanning",
       "Aikido Security",
       "SBOM generation",
       "SBOM consumption",
       "transitive dependencies",
       "BSI guidelines",
       "EU cybersecurity"
     ],
     "about": [
       {
         "@type": "DefinedTerm",
         "name": "Software Bill of Materials (SBOM)",
         "description": "A structured list of all components, libraries, and dependencies included in a software product, used for supply chain transparency and vulnerability management."
       },
       {
         "@type": "DefinedTerm",
         "name": "Cyber Resilience Act (CRA)",
         "description": "EU regulation requiring manufacturers of products with digital elements to ensure cybersecurity throughout the product lifecycle, including SBOM requirements, fully applicable December 2027."
       },
       {
         "@type": "DefinedTerm",
         "name": "CycloneDX",
         "description": "An OWASP-maintained SBOM standard and machine-readable format, explicitly expected by Germany's BSI guideline at version 1.6 or higher."
       },
       {
         "@type": "DefinedTerm",
         "name": "SPDX",
         "description": "A Linux Foundation SBOM standard and machine-readable format, explicitly expected by Germany's BSI guideline at version 3.0.1 or higher."
       }
     ],
     "mentions": [
       {
         "@type": "Organization",
         "name": "ENISA",
         "url": "https://www.enisa.europa.eu",
         "description": "European Union Agency for Cybersecurity, publisher of the SBOM Adoption State of Play 2026 report."
       },
       {
         "@type": "Organization",
         "name": "BSI",
         "url": "https://www.bsi.bund.de",
         "description": "Germany's Federal Office for Information Security, which has published SBOM format guidance explicitly requiring CycloneDX 1.6+ or SPDX 3.0.1+."
       },
       {
         "@type": "SoftwareApplication",
         "name": "Aikido Device Protection",
         "url": "https://www.aikido.dev/protect/device-protection",
         "applicationCategory": "SecurityApplication",
         "operatingSystem": "Cross-platform",
         "description": "Aikido Security's endpoint protection for developer devices and build servers, extending inventory and vulnerability monitoring beyond what SBOMs cover."
       },
       {
         "@type": "SoftwareApplication",
         "name": "Aikido SBOM Generator",
         "url": "https://www.aikido.dev/use-cases/sbom-generator-create-software-bill-of-materials",
         "applicationCategory": "SecurityApplication",
         "description": "One-click SBOM generation in CycloneDX and SPDX formats for software repositories, supporting CRA and BSI compliance requirements."
       }
     ],
     "citation": [
       {
         "@type": "CreativeWork",
         "name": "SBOM Adoption State of Play 2026",
         "author": {
           "@type": "Organization",
           "name": "ENISA"
         },
         "url": "https://www.enisa.europa.eu"
       }
     ],
     "articleSection": [
       "The CRA is doing the heavy lifting",
       "Generating SBOMs and using them are two different things",
       "Suppliers aren't sending SBOMs",
       "What the data also shows",
       "What this means in practice",
       "How Aikido helps you get there"
     ],
     "proficiencyLevel": "Intermediate"
   },
   {
     "@type": "Person",
     "@id": "https://www.aikido.dev/authors/nicholas-thomson#person",
     "name": "Nicholas Thomson",
     "jobTitle": "Senior SEO & Growth Lead",
     "worksFor": {
       "@id": "https://www.aikido.dev#organization"
     },
     "url": "https://www.aikido.dev/authors/nicholas-thomson",
     "sameAs": [
       "https://www.linkedin.com/",
       "https://x.com/"
     ]
   },
   {
     "@type": "Organization",
     "@id": "https://www.aikido.dev#organization",
     "name": "Aikido Security",
     "url": "https://www.aikido.dev",
     "logo": {
       "@type": "ImageObject",
       "url": "https://www.aikido.dev/logo.png",
       "width": 200,
       "height": 60,
       "alt": "Aikido Security logo"
     },
     "sameAs": [
       "https://www.linkedin.com/company/aikido-security",
       "https://twitter.com/aikido_security",
       "https://github.com/aikido-security"
     ]
   }
 ]
}
</script>

Tired of false positives?

Try Aikido like 100k others.

Start Now

Get a personalized walkthrough

Trusted by 100k+ teams

Book Now

Scan your app for IDORs and real attack paths

Trusted by 100k+ teams

Start Scanning

See how AI pentests your app

Trusted by 100k+ teams

Start Testing

Full Fathom Five: The context of Anthropic’s Mythos-class public release

You never needed Mythos to find your IDORs and business logic flaws. A look at what Anthropic shipped with Fable 5, and why infosec stays a people problem at heart.

npm v12 delivers one of the biggest security improvements in years

npm v12 makes install scripts opt-in by default, closing the install-time execution path behind a year of npm supply chain worms from Nx to Red Hat.

Code is being written everywhere, and the device is the only constant

Developers are coding everywhere. AI agents, Slack bots, and MCP servers have made the developer device the biggest security blindspot.

#

Aikido Device Protection

Get secure now

Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.

No credit card required | Scan results in 32secs.

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。