u/winter_roth

Your SBOM is about to be a compliance document, not just a nice to have

We've been generating SBOMs for a year. They sit in a repo nobody opens. Our compliance guy asked about them once during an audit, I showed him a JSON file, he nodded, that was it.

Under CRA that changes completely. SBOMs become legally required documentation and should be machine-readable and continuously updated, covering at least top-level dependencies for every product you ship to EU customers. They're not a nice artifact you attach to a release note anymore. They're basically evidence at this point.

If your SBOM pipeline is "we'll generate it when someone asks" or "the CI job does it but nobody checks if it's complete", now is the time to fix it. September 2026 is four months away and incomplete SBOMs are the kind of thing that looks fine until a regulator asks.

Just thought you should know : )

reddit.com
u/winter_roth — 4 days ago
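One way to turn "nobody checks if it's complete" into a CI gate, as an added example that is not part of the original post. It assumes CycloneDX JSON as the SBOM format; the two sample documents, the 30-day freshness limit and the specific fields it requires (name, version, purl, a dependency entry for the root component) are this example's own choices, not requirements quoted from the CRA.

```python
import json
from datetime import datetime, timezone

# Two constructed CycloneDX-style SBOMs for illustration (not real product SBOMs).
# COMPLETE_SBOM: root component, top-level deps declared, every referenced
# component listed with a name, version and purl.
COMPLETE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2026-05-01T10:00:00Z",
        "component": {"bom-ref": "app", "name": "example-app", "version": "2.3.0"},
    },
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests",
         "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"bom-ref": "pkg:pypi/urllib3@2.2.1", "name": "urllib3",
         "version": "2.2.1", "purl": "pkg:pypi/urllib3@2.2.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.2.1"]},
    ],
}
# INCOMPLETE_SBOM: the root claims to depend on requests, but that component is
# never listed, and the one listed component has no purl. The file still parses
# fine, which is exactly the "looks fine until someone asks" failure mode.
INCOMPLETE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2026-05-01T10:00:00Z",
        "component": {"bom-ref": "app", "name": "example-app", "version": "2.3.0"},
    },
    "components": [
        {"bom-ref": "pkg:pypi/urllib3@2.2.1", "name": "urllib3", "version": "2.2.1"},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0"]}],
}


def _parse_ts(value):
    # fromisoformat() only accepts a trailing "Z" on newer Pythons, so normalise it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_sbom(sbom, max_age_days=30, now_iso=None):
    """Return a list of findings; an empty list means the SBOM passes the gate."""
    findings = []
    if sbom.get("bomFormat") != "CycloneDX" or not sbom.get("specVersion"):
        return ["document is not a CycloneDX SBOM"]
    meta = sbom.get("metadata") or {}
    root_ref = (meta.get("component") or {}).get("bom-ref")
    if not root_ref:
        return ["metadata.component (the shipped product) is missing or has no bom-ref"]
    # Freshness: an SBOM generated months ago says nothing about today's build.
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    ts = meta.get("timestamp")
    if not ts:
        findings.append("metadata.timestamp missing; cannot show the SBOM is current")
    else:
        age = (now - _parse_ts(ts)).days
        if age > max_age_days:
            findings.append(f"SBOM is {age} days old, older than the {max_age_days}-day limit")
    # Every component must be identifiable: name, version and a package URL.
    by_ref = {}
    for c in sbom.get("components", []):
        ref = c.get("bom-ref") or c.get("purl")
        if not ref:
            findings.append(f"component {c.get('name')!r} has no bom-ref or purl")
            continue
        by_ref[ref] = c
        for field in ("name", "version", "purl"):
            if not c.get(field):
                findings.append(f"component {ref} is missing {field}")
    # Top-level dependencies must be declared for the root, and each one must be listed.
    deps = {d.get("ref"): d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    if root_ref not in deps:
        findings.append("no dependencies entry for the root component; top-level dependencies are undeclared")
    elif not deps[root_ref]:
        findings.append("root component declares zero dependencies; verify this is really true")
    else:
        for ref in deps[root_ref]:
            if ref not in by_ref:
                findings.append(f"top-level dependency {ref} is referenced but not listed in components")
    return findings


def top_level_dependencies(sbom):
    """Names of the components the root component directly depends on."""
    root_ref = sbom["metadata"]["component"]["bom-ref"]
    by_ref = {c.get("bom-ref") or c.get("purl"): c for c in sbom.get("components", [])}
    refs = next((d.get("dependsOn", []) for d in sbom.get("dependencies", [])
                 if d.get("ref") == root_ref), [])
    return sorted(by_ref[r]["name"] for r in refs if r in by_ref)


def gate(sbom_json, **kwargs):
    """CI entry point: (passed, findings) for an SBOM given as a JSON string."""
    findings = check_sbom(json.loads(sbom_json), **kwargs)
    return (not findings, findings)


if __name__ == "__main__":
    for label, doc in (("complete", COMPLETE_SBOM), ("incomplete", INCOMPLETE_SBOM)):
        ok, findings = gate(json.dumps(doc), now_iso="2026-05-10T00:00:00Z")
        print(label, "PASS" if ok else "FAIL")
        for f in findings:
            print("  -", f)
```

Wire `gate()` into the release job so a non-empty findings list fails the build; the point is that the SBOM is checked every time it is produced, not when an auditor eventually opens the repo.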

Pretty much the title. We have 47 AWS accounts across prod, staging, dev, sandbox. The idea of deploying agents to every workload in every single one makes me want to walk into the sea.

Cross-account permissions took us weeks alone. Then agent health monitoring. Then auto-scaling groups launching without the damn agent installed. Every sprint something new broke. Agentless is the only thing that scales.

Change my mind, or better yet, tell me what I'm missing, because every vendor demo makes agents sound like a five-minute install and that has not been my reality.

reddit.com
u/winter_roth — 14 days ago