[Verse 1]
When your artifacts take shape from source to binary
Two methods wait to catalog what dependencies you carry
Build-time scans the moment compilation completes its dance
Runtime truths captured in that final circumstance

[Chorus]
Build or repo, pick your poison
Each reveals what others miss
Build-time shows the living pieces
Repo holds the static bliss
SBOM generation, dual sensation
Know the cost of every choice
Build or repo, pick your poison
Let the architecture voice

[Verse 2]
Repository analysis dissects the dormant files
Searching through the manifests and lock files in neat piles
Faster than the build process, no compilation wait
But misses what gets bundled when the linker seals your fate

[Chorus]
Build or repo, pick your poison
Each reveals what others miss
Build-time shows the living pieces
Repo holds the static bliss
SBOM generation, dual sensation
Know the cost of every choice
Build or repo, pick your poison
Let the architecture voice

[Bridge]
Static sees potential threats that might never deploy
Dynamic catches actual libs that hackers could destroy
Velocity versus accuracy, the eternal tradeoff game
Both paths serve the supply chain but results aren't quite the same

[Verse 3]
Build-time knows the precise versions that actually ship
But slows your pipeline drastically, makes CI cycles slip
Repo scans show everything declared but not what's truly there
Missing transitive dependencies that float within the air

[Final Chorus]
Build or repo, pick your poison
Each reveals what others miss
Build-time shows the living pieces
Repo holds the static bliss
SBOM generation, dual sensation
Run them both for clearest sight
Build or repo, pick your poison
Keep your supply chain tight

[Outro]
Two roads diverge in scanning wood
Both approaches serve you well
Choose wisely based on what you need
Let resilience be your bell
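As an added worked example (editor's code, not part of the original lyrics or of any tool they refer to): a small Python script that builds a repository-side SBOM from a constructed lock file and a build-time SBOM from a constructed artifact inventory, then diffs the two. It shows the three gaps the verses describe: transitive dependencies a manifest-only scan never sees, a dev-only package declared but never shipped, and vendored or natively linked code that only the built artifact reveals. The package names, versions, and the `example:source` metadata property are constructed for illustration.

```python
"""Repo-side vs build-time SBOM comparison (added example, not from the page).

All inputs are constructed samples; package names and versions are illustrative
and were chosen to show each kind of gap, not taken from a real audit.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed manifest: direct dependencies only, as a manifest-only scan sees them.
MANIFEST = """\
requests>=2.31
pyyaml==6.0.1
# declared for development but never shipped in the artifact
pytest>=8.0
"""

# Constructed lock file: resolved versions, including transitive dependencies.
LOCKFILE = """\
requests==2.31.0
urllib3==2.2.1
certifi==2024.2.2
pyyaml==6.0.1
pytest==8.1.1
"""

# Constructed build-time inventory: (name, version, ecosystem) found in the final
# artifact. A vendored urllib3 overrides the locked version, and a native library
# linked in at build time appears that no manifest mentions.
BUILD_INVENTORY = [
    ("requests", "2.31.0", "pypi"),
    ("urllib3", "1.26.18", "pypi"),
    ("certifi", "2024.2.2", "pypi"),
    ("PyYAML", "6.0.1", "pypi"),
    ("libyaml", "0.2.5", "generic"),
]

REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization so 'PyYAML' and 'pyyaml' refer to one component."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> Dict[str, str]:
    """Map normalized name -> exact version for '==' pins, else the raw specifier."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name, op, ver = m.groups()
        out[normalize(name)] = ver if op == "==" else f"{op or ''}{ver}"
    return out


def make_sbom(components: Dict[str, Tuple[str, str]], source: str) -> dict:
    """Minimal CycloneDX-shaped document; the 'example:source' property is this example's own tag."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"properties": [{"name": "example:source", "value": source}]},
        "components": [
            {"name": n, "version": v, "purl": f"pkg:{eco}/{n}@{v}"}
            for n, (v, eco) in sorted(components.items())
        ],
    }


def repo_sbom(lock_text: str) -> dict:
    """Repository analysis: cheap, but only what the lock file says was resolved."""
    return make_sbom({n: (v, "pypi") for n, v in parse_requirements(lock_text).items()}, "repository")


def build_sbom(inventory: List[Tuple[str, str, str]]) -> dict:
    """Build-time analysis: what actually ended up in the artifact."""
    return make_sbom({normalize(n): (v, eco) for n, v, eco in inventory}, "build")


def transitive_only(manifest_text: str, lock_text: str) -> List[str]:
    """Components a manifest-only scan never sees: resolved in the lock, not declared directly."""
    return sorted(set(parse_requirements(lock_text)) - set(parse_requirements(manifest_text)))


def diff_sboms(repo: dict, build: dict) -> dict:
    """Where the two SBOMs disagree; running both is what surfaces these."""
    r = {c["name"]: c["version"] for c in repo["components"]}
    b = {c["name"]: c["version"] for c in build["components"]}
    return {
        "declared_not_shipped": sorted(set(r) - set(b)),  # dev/optional deps: noise in vuln reports
        "shipped_not_declared": sorted(set(b) - set(r)),  # vendored or natively linked code
        "version_mismatch": sorted((n, r[n], b[n]) for n in r.keys() & b.keys() if r[n] != b[n]),
    }


if __name__ == "__main__":
    print("manifest-only scan misses:", transitive_only(MANIFEST, LOCKFILE))
    print(json.dumps(diff_sboms(repo_sbom(LOCKFILE), build_sbom(BUILD_INVENTORY)), indent=2))
```

Running it prints the manifest-only blind spots and the repo-versus-build diff. In a real pipeline the build inventory would come from the built wheel, container layer, or linker output rather than a hard-coded list, and the resulting purls would be handed to a vulnerability matcher; the point of the diff is that neither SBOM alone would have flagged the vendored `urllib3` or the linked `libyaml`.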