Heisenberg: How We Learned To Stop Worrying And Love The SBOM
Security Boulevard, Thursday, October 23rd, 2025
Over the years, software supply chain security went from 'occasional incident' to a recurring headline. Recently, attackers phished well-known maintainers and pushed malicious releases of the debug and chalk packages, briefly poisoning projects with billions of weekly downloads.
Key takeaways:
- Heisenberg is an open source tool that automatically scans pull requests (PRs) to flag risky or newly published dependencies before they merge.
- It enables Software Bills of Materials (SBOMs) to be used as an actionable defense, detecting supply chain threats early without slowing development.
- Developers can run it as a Command Line Interface (CLI) or GitHub Action (GHA) to instantly identify risky packages and strengthen their workflows.
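One way the "newly published dependency" check described above can be expressed over an SBOM, as an added example that is not Heisenberg's own code: it parses a constructed CycloneDX fragment, looks up each component's publish date (constructed here as a stand-in for registry metadata) and flags anything younger than an assumed seven-day minimum age, or anything with no publish metadata at all.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed CycloneDX 1.5 SBOM fragment for a PR's resolved dependencies.
# Package names match the post; versions are made up, not incident data.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "chalk", "version": "5.9.0",
     "purl": "pkg:npm/chalk@5.9.0"},
    {"type": "library", "name": "debug", "version": "4.5.0",
     "purl": "pkg:npm/debug@4.5.0"},
    {"type": "library", "name": "left-pad", "version": "1.3.0",
     "purl": "pkg:npm/left-pad@1.3.0"}
  ]
}
"""

# Constructed publish timestamps keyed by purl: a stand-in for the metadata a
# real gate would fetch from the registry. left-pad is deliberately missing.
PUBLISHED_AT = {
    "pkg:npm/chalk@5.9.0": "2025-09-08T13:00:00+00:00",
    "pkg:npm/debug@4.5.0": "2022-03-08T12:00:00+00:00",
}

MIN_AGE = timedelta(days=7)  # assumed policy: hold releases younger than a week
REVIEW_TIME = datetime(2025, 9, 10, tzinfo=timezone.utc)  # constructed "now"


def flag_fresh_components(sbom_json, published_at, now=REVIEW_TIME,
                          min_age=MIN_AGE):
    """Return (purl, age_in_days) for every component younger than min_age.

    A component with no publish metadata is returned with age None, so an
    unknown release is surfaced to the reviewer rather than silently passing.
    """
    flagged = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl") or f"{comp['name']}@{comp['version']}"
        stamp = published_at.get(purl)
        if stamp is None:
            flagged.append((purl, None))
            continue
        age = now - datetime.fromisoformat(stamp)
        if age < min_age:
            flagged.append((purl, age.days))
    return flagged
```

In a PR gate the returned list would be rendered as a review comment or used to fail the check; an empty list means every resolved dependency is older than the minimum age and has known provenance.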