SBOM SBAM: Who Put This in My Code? Enterprise-Grade Supply Chain Security on a Zero Budget.

Modern software is assembled, not just written: nearly 90% of a typical application consists of third-party libraries. If a critical vulnerability like Log4Shell were disclosed tomorrow, how long would it take your team to identify every affected microservice? While large enterprises rely on expensive "Ultimate" licenses, SMEs and independent teams often face a dangerous security gap.
In this session, we will explore how to democratize Software Supply Chain Security (SSCS) by building an automated defense perimeter at zero licensing cost. Through a Live Demo featuring a Docker-based prototype, we will walk through a real-world architecture integrating:
• GitLab Community Edition for pipeline orchestration.
• Trivy and cdxgen for automated SBOM (Software Bill of Materials) generation in CycloneDX format.
• OWASP Dependency-Track for continuous, proactive vulnerability monitoring.
We will go beyond basic scanning by demonstrating how to leverage Artificial Intelligence for code reachability analysis, generating VEX (Vulnerability Exploitability eXchange) files to silence false positives and focus only on actionable risks. We will also discuss how this stack prepares organizations for the upcoming EU Cyber Resilience Act (CRA) requirements.
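The VEX step described above, as an added illustration that is not code from the talk or its demo: a reachability result is turned into a CycloneDX VEX document (the format Dependency-Track ingests next to the SBOM), and that document is then applied to the scanner's findings so only reachable vulnerabilities remain actionable. The findings, package URLs and vulnerability ids are constructed placeholders.

```python
import json

# Constructed sample: two findings as a scanner would report them against the SBOM,
# keyed by vulnerability id and the package URL (purl) used as the component's bom-ref.
FINDINGS = [
    {"id": "CVE-0000-00001", "ref": "pkg:maven/example/logging-lib@1.0.0"},
    {"id": "CVE-0000-00002", "ref": "pkg:maven/example/xml-parser@2.3.1"},
]
# Constructed result of the reachability analysis: only the first finding has a
# call path from the application's entry points to the vulnerable code.
REACHABLE = {("CVE-0000-00001", "pkg:maven/example/logging-lib@1.0.0")}

# CycloneDX analysis states this example treats as suppressing a finding.
SUPPRESSING_STATES = ("not_affected", "false_positive")


def build_vex(findings, reachable, analyst="reachability-analysis"):
    """Return a CycloneDX 1.5 VEX document: reachable findings are marked
    exploitable, everything else not_affected with justification code_not_reachable."""
    vulns = []
    for f in findings:
        if (f["id"], f["ref"]) in reachable:
            analysis = {"state": "exploitable",
                        "detail": f"{analyst}: vulnerable code path is reachable"}
        else:
            analysis = {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": f"{analyst}: no call path from application entry points",
            }
        vulns.append({"id": f["id"], "analysis": analysis, "affects": [{"ref": f["ref"]}]})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "vulnerabilities": vulns}


def actionable(findings, vex):
    """Apply the VEX to the scanner findings and keep only those still requiring action."""
    suppressed = {
        (v["id"], a["ref"])
        for v in vex["vulnerabilities"]
        for a in v.get("affects", [])
        if v["analysis"]["state"] in SUPPRESSING_STATES
    }
    return [f for f in findings if (f["id"], f["ref"]) not in suppressed]


if __name__ == "__main__":
    vex = build_vex(FINDINGS, REACHABLE)
    print(json.dumps(vex, indent=2))  # the document to upload alongside the SBOM
    for f in actionable(FINDINGS, vex):
        print("actionable:", f["id"], f["ref"])
```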

Maurizio Argoneto

DevOps Culture, IT Project Manager (Scrum Master | Senior Software Engineer)

Pignola, Italy
