Review target
Choose one component change from the checked-in SBOM examples and trace it through:
- component diff output,
- heuristic risk findings,
- optional policy findings,
- summary or policy sidecar output.
Start with the bounded policy review case study.
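As an added illustration, not the repository's own tool or its checked-in examples, the following Python script traces one constructed component change through the four stages above; the SBOM fragments, the bucket names (`version-downgrade`, `new-component`), the policy table and the output field names are all assumptions.

```python
import json

# Constructed SBOM fragments (CycloneDX-style component lists), not the repo's checked-in examples.
OLD_SBOM = {"components": [{"name": "libfoo", "version": "1.4.2"}, {"name": "libbar", "version": "2.0.0"}]}
NEW_SBOM = {"components": [{"name": "libfoo", "version": "1.3.0"}, {"name": "libbar", "version": "2.0.0"},
                           {"name": "libbaz", "version": "0.1.0"}]}
# Hypothetical policy: bucket name -> action plus the human-readable explanation a reviewer can quote.
POLICY = {"version-downgrade": {"action": "needs-review",
                                "explanation": "downgrades need a reviewer to confirm the change is intentional"}}

def component_diff(old, new):
    """Stage 1: pair components by name; emit added/removed/version-changed records."""
    o, n = ({c["name"]: c["version"] for c in s["components"]} for s in (old, new))
    diff = []
    for name in sorted(o.keys() | n.keys()):
        if name not in o:
            diff.append({"component": name, "change": "added", "to": n[name]})
        elif name not in n:
            diff.append({"component": name, "change": "removed", "from": o[name]})
        elif o[name] != n[name]:
            diff.append({"component": name, "change": "version", "from": o[name], "to": n[name]})
    return diff

def _vt(v):  # numeric dotted version to a tuple; sufficient for the constructed inputs above
    return tuple(int(p) for p in v.split("."))

def heuristic_findings(diff):
    """Stage 2: local risk buckets. They say what to look at, not CVE, malware or safety verdicts."""
    out = []
    for d in diff:
        if d["change"] == "version" and _vt(d["to"]) < _vt(d["from"]):
            out.append({"component": d["component"], "bucket": "version-downgrade", "evidence": f"{d['from']} -> {d['to']}"})
        elif d["change"] == "added":
            out.append({"component": d["component"], "bucket": "new-component", "evidence": d["to"]})
    return out

def policy_findings(findings, policy):
    """Stage 3 (optional): attach the policy action and explanation to buckets the policy names."""
    return [{**f, **policy[f["bucket"]]} for f in findings if f["bucket"] in policy]

def trace(old, new, policy):
    """Stage 4: the summary sidecar a review comment can cite: input component, fields, explanation."""
    diff = component_diff(old, new)
    findings = heuristic_findings(diff)
    return {"components_changed": [d["component"] for d in diff],
            "emitted_fields": sorted({k for f in findings for k in f}),
            "risk_findings": findings,
            "policy_findings": policy_findings(findings, policy)}

if __name__ == "__main__":
    print(json.dumps(trace(OLD_SBOM, NEW_SBOM, POLICY), indent=2))
```

Running it shows `libfoo` entering as a version change, landing in the `version-downgrade` bucket, and carrying the policy explanation into the sidecar, while `libbaz` stops at a bucket with no policy entry.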
Done when
A review comment names the input component, emitted fields, policy explanation, and any unclear boundary. A pull request is optional.
Boundaries
Do not reinterpret local risk buckets as CVE, malware, exploitability, or package safety verdicts. Use checked-in no-network examples only.