HashiCorp is introducing a significant enhancement to its artifact management platform: SBOM vulnerability scanning, now available in public beta for HCP Packer. A robust solution for managing image artifact lifecycles across hybrid-cloud environments, HCP Packer continues to evolve as a central pillar of enterprise infrastructure management. This latest capability is designed to equip platform teams with deeper, more actionable visibility into their image assets — enabling security issues to be identified and addressed earlier in the pipeline and reinforcing the industry's broader push to shift security left.
Artifact visibility
System images form the bedrock of modern computing infrastructure. Whether they are AMIs powering Amazon EC2 instances, virtual machines, Docker containers, or other image formats, these artifacts occupy a foundational position in the software supply chain. As organizations increasingly lean on intricate ecosystems of third-party libraries, open-source packages, and proprietary dependencies, the need for comprehensive visibility into those components has grown substantially more urgent.
One of the most widely adopted approaches to achieving that visibility is the software bill of materials — or SBOM. Functioning much like a nutritional label on a packaged product, an SBOM provides a structured inventory of all internal components that constitute a given image artifact, offering teams a clear and auditable record of exactly what is running in their environments.
Background: Previously, HashiCorp introduced capabilities enabling platform teams to seamlessly generate and securely store SBOMs alongside their artifacts, while also making it possible to surface essential package metadata directly within HCP Packer through the package visibility beta initiative.
What's new: Building on that foundation, two key milestones are being announced today:
- Package visibility has graduated to general availability (GA)
- SBOM vulnerability scanning is now accessible in public beta
Together, these enhancements enable organizations to proactively scan SBOMs for known vulnerabilities and exposures, surface those findings directly within HCP Packer, and take targeted action to strengthen their software supply chain security posture.
SBOM vulnerability scanning
CVE (Common Vulnerabilities and Exposures) scanning is a specialized discipline within vulnerability management, focused on identifying and tracking security weaknesses tied to publicly disclosed vulnerabilities across software and hardware components. The most recognized framework underpinning this practice is MITRE's CVE Program — a globally adopted system that assigns unique identifiers to known security vulnerabilities, enabling organizations worldwide to consistently track, communicate, and remediate issues across their technology stacks.
HCP Packer now integrates directly with this framework. Teams can identify which SBOMs contain packages affected by vulnerabilities listed in MITRE's CVE database and classify those findings by severity level, providing a clear, prioritized picture of risk across their artifact inventory.
By correlating affected package versions with detection timelines, platform and security teams gain the contextual intelligence needed to make informed remediation decisions, systematically reduce exposure across their artifact portfolio, and allocate engineering resources more effectively.
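The matching the two paragraphs above describe (SBOM component list against a CVE feed, with findings ranked by severity) can be illustrated with a small stand-alone scanner. This is an added example, not HashiCorp's or HCP Packer's own code: the CycloneDX-style SBOM fragment, the advisory feed, the package versions and the CVE-PLACEHOLDER identifiers are all constructed for the demonstration, and the version comparison assumes plain dotted numeric versions.

```python
"""Match SBOM components against a vulnerability feed and rank findings by severity.

Added example: the SBOM, the advisory feed and the CVE-PLACEHOLDER ids are constructed.
"""
import json
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM fragment (not a real artifact's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.7"},
    {"type": "library", "name": "curl",    "version": "8.5.0"},
    {"type": "library", "name": "zlib",    "version": "1.3.1"},
    {"type": "library", "name": "libxml2", "version": "2.9.10"}
  ]
}
"""

# Constructed advisory feed with placeholder identifiers. Real feeds (NVD, OSV)
# carry the same essential fields: affected package, version range, severity.
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-0001", "package": "openssl",
     "introduced": "3.0.0", "fixed": "3.0.8", "severity": "HIGH"},
    {"id": "CVE-PLACEHOLDER-0002", "package": "curl",
     "introduced": "7.0.0", "fixed": "8.4.0", "severity": "CRITICAL"},
    {"id": "CVE-PLACEHOLDER-0003", "package": "zlib",
     "introduced": "1.2.0", "fixed": "1.3.0", "severity": "MEDIUM"},
    {"id": "CVE-PLACEHOLDER-0004", "package": "libxml2",
     "introduced": "2.9.0", "fixed": "2.10.0", "severity": "CRITICAL"},
]

# Lower rank sorts first, so the most urgent findings lead the report.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def parse_version(v):
    # Assumption: plain dotted numeric versions. Distro epochs, release suffixes
    # and pre-release tags are not handled; a real scanner needs an ecosystem-aware comparator.
    return tuple(int(part) for part in v.split("."))


def is_affected(version, introduced, fixed):
    # Half-open range, matching how most advisory feeds express it: introduced <= version < fixed.
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


@dataclass
class Finding:
    component: str
    version: str
    advisory_id: str
    severity: str
    fixed_in: str


def scan_sbom(sbom_text, advisories):
    """Return findings for every SBOM component inside an advisory's affected range, most severe first."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append(Finding(comp["name"], comp["version"],
                                        adv["id"], adv["severity"], adv["fixed"]))
    findings.sort(key=lambda f: SEVERITY_RANK.get(f.severity, len(SEVERITY_RANK)))
    return findings


def severity_summary(findings):
    """Count findings per severity level, the prioritized view a platform team triages from."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_sbom(SBOM_JSON, ADVISORIES)
    for f in results:
        print(f"{f.severity:8} {f.component} {f.version} -> {f.advisory_id} (fixed in {f.fixed_in})")
    print(severity_summary(results))
```

Note that curl 8.5.0 and zlib 1.3.1 both sit at or above their advisories' fixed versions and therefore produce no finding; only components inside the affected range are reported, and the report leads with the CRITICAL entry.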

Ultimately, this capability is engineered to accelerate vulnerability discovery, streamline compliance workflows, and give security teams the confidence to respond decisively when incidents arise.
Next steps
With SBOM vulnerability scanning now available across HCP Packer artifacts, organizations gain a more granular lens into their software dependencies — empowering them to proactively harden their supply chains and reduce overall risk exposure throughout the artifact lifecycle.
To begin leveraging this feature, consult the official SBOM documentation and follow the Track artifact package metadata tutorial for step-by-step guidance on generating and managing SBOMs. Get started with HCP Packer at no cost and experience firsthand the operational advantages of a centralized artifact registry.