SBOM Diff - CI/CD Glossary Definition
An SBOM diff shows exactly which dependencies changed between two builds: what was added, removed, or bumped, so a risky transitive change does not slip through unnoticed.
An SBOM diff compares two software bills of materials to show which components were added, removed, or version-changed between builds, making dependency changes and their security impact visible in review.
Diffing SBOMs turns a static inventory into a change signal you can gate on in CI.
In CI
Generating an SBOM per build and diffing against the previous one surfaces surprise transitive upgrades and lets a policy fail the pipeline when a newly introduced component carries a known vulnerability.
Related guides
Provenance Predicate - CI/CD Glossary DefinitionProvenance Predicate: A provenance predicate is the structured claim inside a build attestation that records…
VEX Document - CI/CD Glossary DefinitionVEX Document: A VEX (Vulnerability Exploitability eXchange) document is a machine-readable statement assertin…
Lockfile Drift Detection - CI/CD Glossary DefinitionLockfile Drift Detection: Lockfile drift is when a project’s lockfile no longer matches its manifest, so inst…