You're right that the active/dormant detection needs to be customized per type of runtime. It ends up being a mix of both access and execution, and we'll get more sophisticated with eBPF over time. We cover rpm/deb, Python and Java, with Node and others coming very soon. The compiled languages will be our main focus next. For example, Go binaries embed some dependency metadata in the binary itself.
Also related to this effort is the "in-toto" integrity chain: https://in-toto.io/in-toto/ Since we're already connecting build to run, we aim to complete the chain.
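The point about Go binaries carrying their own dependency metadata can be shown concretely. The following is an added example, not code from the commenter or their product: it takes the textual form of the embedded build info (the format `go version -m <binary>` prints, here a constructed sample rather than output from any real binary), parses it with the standard library's `runtime/debug.ParseBuildInfo`, and matches the embedded module versions against a constructed advisory list. `Advisory`, `Finding`, `FindAffected`, the `example.com/...` module paths and the `EXAMPLE-000x` identifiers are all assumptions made for the example. For a binary on disk, `debug/buildinfo.ReadFile` returns the same `*debug.BuildInfo` type, so `FindAffected` applies unchanged.

```go
package main

import (
	"fmt"
	"runtime/debug"
	"strconv"
	"strings"
)

// sampleBuildInfo is a CONSTRUCTED example of the text form that
// `go version -m <binary>` prints for the metadata Go embeds in every
// module-built binary. A real binary is read with debug/buildinfo.ReadFile,
// which returns the same *debug.BuildInfo type parsed here.
const sampleBuildInfo = "go\tgo1.21.0\n" +
	"path\texample.com/app\n" +
	"mod\texample.com/app\t(devel)\n" +
	"dep\texample.com/lib-alpha\tv1.2.3\th1:placeholderSum000000000000000000000000000=\n" +
	"dep\texample.com/lib-beta\tv0.9.0\th1:placeholderSum111111111111111111111111111=\n" +
	"build\t-buildmode=exe\n" +
	"build\tCGO_ENABLED=0\n"

// Advisory is a constructed stand-in for an advisory record: module path and
// the first version that contains the fix. Not real advisory data.
type Advisory struct {
	ID      string
	Module  string
	FixedIn string
}

var sampleAdvisories = []Advisory{
	{ID: "EXAMPLE-0001", Module: "example.com/lib-alpha", FixedIn: "v1.2.4"},
	{ID: "EXAMPLE-0002", Module: "example.com/lib-beta", FixedIn: "v0.8.5"},
}

// ParseEmbeddedBuildInfo parses the textual build info. Go's parser requires
// every line, including the last, to end in a newline.
func ParseEmbeddedBuildInfo(text string) (*debug.BuildInfo, error) {
	if !strings.HasSuffix(text, "\n") {
		text += "\n"
	}
	return debug.ParseBuildInfo(text)
}

// numericParts extracts MAJOR, MINOR, PATCH from a vX.Y.Z version string,
// dropping any pre-release or build suffix.
func numericParts(v string) [3]int {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, s := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(s)
		out[i] = n
	}
	return out
}

// versionLess reports whether version a sorts before b. It ignores
// pre-release ordering, which is enough for the constructed data here;
// production code should use a full semver comparison.
func versionLess(a, b string) bool {
	pa, pb := numericParts(a), numericParts(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// Finding pairs an embedded dependency with the advisory it falls under.
type Finding struct {
	Module   string
	Version  string
	Advisory string
}

// FindAffected walks the dependency list the binary carries and reports every
// module whose embedded version is older than an advisory's fixed version.
// A replace directive is honoured, since the replacing module is what was
// actually linked in.
func FindAffected(bi *debug.BuildInfo, advisories []Advisory) []Finding {
	var findings []Finding
	for _, dep := range bi.Deps {
		effective := dep
		if dep.Replace != nil {
			effective = dep.Replace
		}
		for _, adv := range advisories {
			if adv.Module == effective.Path && versionLess(effective.Version, adv.FixedIn) {
				findings = append(findings, Finding{effective.Path, effective.Version, adv.ID})
			}
		}
	}
	return findings
}

func main() {
	bi, err := ParseEmbeddedBuildInfo(sampleBuildInfo)
	if err != nil {
		panic(err)
	}
	fmt.Printf("main module %s, %d dependencies embedded\n", bi.Main.Path, len(bi.Deps))
	for _, f := range FindAffected(bi, sampleAdvisories) {
		fmt.Printf("%s %s is affected by %s\n", f.Module, f.Version, f.Advisory)
	}
}
```

Note what this metadata does and does not tell you: it lists the modules and versions that were linked into the binary, which is enough to decide whether a dependency is present, but it says nothing about whether any code from that module is ever executed. That is exactly the gap the active/dormant distinction in the comment above is meant to close.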