What exactly is in the third-party software packages that I am using in my applications? And what is in the software my partners or service providers are using? This is the question increasingly asked by application security and DevSecOps teams as each subsequent supply chain attack casts further doubt on the contents of software packages, programs and tools. A Software Bill of Materials (SBOM) aims to answer this question by allowing release engineers to create a cryptographically signed “bill-of-materials” for each release. Major open source foundations, tech companies and security organizations are promoting SBOMs as a way to reduce supply chain attack risks and increase trust in software. Many leading open source projects, such as Kubernetes, have adopted SBOMs as part of their release cycles. While the use of SBOMs has expanded dramatically, some confusion remains about what an SBOM can and should do. In this session, Adolfo García Veytia will dive into the nuances of SBOM and share his experience on how to use SBOMs effectively in the software release process. Veytia is a software engineer at Chainguard and also a Kubernetes SIG Release Technical Lead.