Coordination hub and documentation repository for the Continuous Delivery Foundation (CDF) Special Interest Group (SIG) focused on Software Bill of Materials (SBOM) integration in CI/CD pipelines.
Defensibility
Stars: 19
Forks: 5
This project is not a software tool but a Special Interest Group (SIG) repository within the CD Foundation. Its primary purpose is governance, best practices, and coordination. With only 19 stars and zero velocity over 6+ years, it represents a stagnant or archived effort rather than a living standard. From a competitive standpoint, the 'defensibility' is near zero as it contains no proprietary logic or high-gravity dataset. The SBOM space has largely consolidated around the SPDX and CycloneDX standards, and the governance energy has shifted toward the OpenSSF (Open Source Security Foundation). Major platforms like GitHub and GitLab have already integrated native SBOM generation (e.g., GitHub's dependency graph and export features), effectively commoditizing the goals of this SIG. For a technical investor, this repository is a historical artifact of early software supply chain discussions rather than a viable project for investment or adoption.
INTEGRATION: theoretical_framework