


The process of comparing a software asset to a trusted, verifiable record of that asset and its composition to ensure that the asset hasn’t been modified or tampered with since creation.

In the context of SBOMs, this means checking a software asset against an immutable, cryptographically verifiable record of that asset and its components: comparing each component with its recorded hash, ensuring that none of the components comprising the asset are considered untrusted, and checking the validity of the cryptographic signature on the SBOM.
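The three checks named above, carried out in order, as an added example that is not part of the glossary or of any particular SBOM tool. The SBOM format, the artifact files, the trusted-component list and the signing key are all constructed for the example; HMAC-SHA256 stands in for the asymmetric signature a real SBOM would carry so that the code runs with the Python standard library alone. It also goes one step beyond the definition by flagging files present in the artifact but absent from the SBOM.

```python
import hashlib
import hmac
import json

# Constructed sample artifact: file name -> file contents (stands in for files on disk).
ARTIFACT_FILES = {
    "app.bin": b"example application binary v1.0.0",
    "libfoo-1.2.3.so": b"libfoo shared object v1.2.3",
}

# Constructed allow-list of component names the organisation considers trusted.
TRUSTED_COMPONENTS = {"example-app", "libfoo"}

# Constructed signing key. A real SBOM would carry an asymmetric signature
# (for example from a signing service); HMAC-SHA256 is a stand-in here.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_bytes(sbom: dict) -> bytes:
    """Serialise the SBOM deterministically so the signature covers one fixed byte string."""
    return json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()


def sign_sbom(sbom: dict, key: bytes) -> str:
    """Produce the (stand-in) signature over the canonical SBOM bytes."""
    return hmac.new(key, canonical_bytes(sbom), hashlib.sha256).hexdigest()


def build_sbom() -> dict:
    """Record each component of the artifact together with its SHA-256 digest."""
    return {
        "name": "example-app",
        "version": "1.0.0",
        "components": [
            {"name": "example-app", "file": "app.bin",
             "sha256": sha256_hex(ARTIFACT_FILES["app.bin"])},
            {"name": "libfoo", "file": "libfoo-1.2.3.so",
             "sha256": sha256_hex(ARTIFACT_FILES["libfoo-1.2.3.so"])},
        ],
    }


def verify_artifact(sbom: dict, signature: str, key: bytes,
                    files: dict, trusted: set) -> list:
    """Return a list of findings; an empty list means the artifact verified."""
    findings = []

    # 1. Signature on the SBOM. If this fails the record itself is untrustworthy,
    #    so the per-component checks below would be meaningless.
    if not hmac.compare_digest(sign_sbom(sbom, key), signature):
        findings.append("sbom signature invalid")
        return findings

    listed = set()
    for comp in sbom["components"]:
        listed.add(comp["file"])
        # 2. Every component must be on the trusted list.
        if comp["name"] not in trusted:
            findings.append(f"untrusted component: {comp['name']}")
        # 3. Each component's current digest must match the recorded digest.
        data = files.get(comp["file"])
        if data is None:
            findings.append(f"missing component file: {comp['file']}")
        elif not hmac.compare_digest(sha256_hex(data), comp["sha256"]):
            findings.append(f"hash mismatch: {comp['file']}")

    # Beyond the definition: anything in the artifact the SBOM never declared.
    for name in sorted(set(files) - listed):
        findings.append(f"undeclared file: {name}")
    return findings


if __name__ == "__main__":
    sbom = build_sbom()
    sig = sign_sbom(sbom, SIGNING_KEY)
    print("clean artifact:", verify_artifact(sbom, sig, SIGNING_KEY, ARTIFACT_FILES, TRUSTED_COMPONENTS))
    tampered = dict(ARTIFACT_FILES, **{"libfoo-1.2.3.so": b"modified library"})
    print("modified component:", verify_artifact(sbom, sig, SIGNING_KEY, tampered, TRUSTED_COMPONENTS))
```

The signature check runs first and short-circuits: a hash that matches a record someone could rewrite proves nothing, so the digests are only compared once the record itself has been shown to be the one that was signed.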
