Context
The v0.7 competitor research surfaced bomdrift's differentiator: pre-disclosure supply-chain risk signals (typosquat / maintainer-age / version-jump) that complement rather than overlap the pure CVE focus of incumbents (Snyk, Trivy, Grype, OSV-Scanner). But there's no public artifact showing this in action.
A page that takes a handful of real historical supply-chain incidents and shows whether bomdrift's signals would have caught them at PR-review time — before the incident became a CVE — would be high-leverage for adoption decisions.
Scope
New docs page at docs/src/comparison.md (linked from SUMMARY.md), covering real incidents (ua-parser-js / colors.js / xz backdoor / node-ipc protestware / a recent typosquat). Each case:
Include enough rigor that a CISO can verify the claims: cite issue tracker links, list the bomdrift CLI invocations used, link to fixture SBOMs (could live in tests/fixtures/comparison/).
Acceptance criteria
docs/src/comparison.md exists with at least 3 case studies + summary table + methodology note.
SUMMARY.md linked.
Tone
Honest. Where bomdrift would NOT have caught an incident (e.g. malicious code in an established package with stable maintainers), say so. The credibility of the page depends on it not over-claiming. Honest "we'd catch this; not that" beats marketing copy.
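An added illustration (not bomdrift's code) of the kind of result the comparison page is meant to show: the three pre-disclosure signals evaluated over a constructed before/after SBOM pair at review time, including an established package with a stable maintainer that honestly produces no signal. The popular-name list, thresholds and signal definitions are assumptions of this example, not bomdrift's.

```python
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher
from typing import Dict, List, Optional

# Popular-name list and thresholds are assumptions of this example, not bomdrift's settings.
POPULAR = {"lodash", "colors", "ua-parser-js", "node-ipc", "express"}
MIN_MAINTAINER_AGE_DAYS = 90  # maintainer-age fires when the publisher joined more recently than this
TYPOSQUAT_SIMILARITY = 0.8    # typosquat fires when a name is this close to a popular one (but not equal)

@dataclass
class Component:
    name: str
    version: str            # "MAJOR.MINOR.PATCH"
    maintainer_since: date  # when the publishing maintainer joined the project

def is_typosquat(name: str) -> bool:
    if name in POPULAR:
        return False
    return any(SequenceMatcher(None, name, p).ratio() >= TYPOSQUAT_SIMILARITY for p in POPULAR)

def signals(old: Optional[Component], new: Component, review_date: date) -> List[str]:
    """Signals a reviewer would see for one added or changed component at PR-review time."""
    found = []
    if is_typosquat(new.name):
        found.append("typosquat")
    if (review_date - new.maintainer_since).days < MIN_MAINTAINER_AGE_DAYS:
        found.append("maintainer-age")
    # version-jump (assumed definition): the bump skips at least one major version
    if old is not None and int(new.version.split(".")[0]) - int(old.version.split(".")[0]) > 1:
        found.append("version-jump")
    return found

def compare(before: List[Component], after: List[Component], review_date: date) -> Dict[str, List[str]]:
    """Map every component the PR adds or changes to its signals; an empty list means 'not caught'."""
    old_by_name = {c.name: c for c in before}
    result = {}
    for new in after:
        old = old_by_name.get(new.name)
        if old is None or old.version != new.version:
            result[new.name] = signals(old, new, review_date)
    return result

# Constructed SBOM snapshots for a hypothetical PR reviewed on 2024-06-01.
REVIEW = date(2024, 6, 1)
BEFORE = [Component("lodash", "4.17.21", date(2016, 1, 1)),
          Component("widget-lib", "1.4.0", date(2019, 3, 3))]
AFTER = [Component("lodash", "4.17.22", date(2016, 1, 1)),   # stable maintainer, patch bump: no signal
         Component("colorz", "1.0.0", date(2024, 5, 20)),     # near "colors", brand-new publisher
         Component("widget-lib", "4.0.0", date(2019, 3, 3))]  # jumps from major 1 to major 4
```

compare(BEFORE, AFTER, REVIEW) returns {'lodash': [], 'colorz': ['typosquat', 'maintainer-age'], 'widget-lib': ['version-jump']}; the empty list is the honest "would not have caught it" row the page should keep.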
A note on commit signing
main requires verified signatures (the repo ships cosign-signed releases — we hold our own commits to the same bar).
You usually don't need to set up signing as a contributor — when a maintainer merges via "Merge" or "Squash", GitHub auto-signs the resulting commit and your unsigned PR-branch commits are fine. The friendlier path for everyone.
If you'd like your individual commits to land verbatim on main (so your name shows up in git blame), set up local signing once and your PR can be rebase-merged:
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true
Then add the same SSH public key under GitHub → Settings → SSH and GPG keys → Signing keys.
See CONTRIBUTING.md → Commit signing on main for the full picture. Either way, please don't sweat it — if your PR is otherwise great, the maintainer will pick a merge mode that works.