CRA in Practice: SBOMs, Vulnerabilities, and Real Action Required in 2026

Agentic SCA is the Next Evolution in Software Supply Chain Integrity

AI didn’t just change how you build software, it broke your process for inspecting it for open source license compliance and security vulnerabilities. In this episode of Sushi Bytes, Shinobi and Gen reconnect with Aaron Branson to unpack FossID’s newly announced Agentic SCA strategy – and why the timing couldn’t be better after our last conversation on SCA in the AI Era. As code generation accelerates and the sheer volume of code explodes, software risk leaders are facing a new reality: more code, more complexity, and less time to react. Aaron breaks down how Agentic SCA shifts the process from passive scanning to active participation – embedding intelligence, automation, and policy enforcement directly into the development workflow. If you’re dealing with AI-generated code, SBOM pressure, or stepping up compliance rigor without slowing developers down – this is the conversation you need right now.

Software Composition in the AI Era

AI is changing how software gets written – but what does that mean for open source compliance and software supply chain security? In this episode of Sushi Bytes, Shinobi and Gen explore SCA in the AI era. As development shifts from prompts to autonomous agents, tool-augmented workflows, and spec-driven engineering, traditional software composition analysis workflows need to evolve. They break down the three major shifts in AI-assisted development and explain why SCA tools must become agent-friendly, tool-driven, and embedded directly into modern development pipelines. If AI is writing the code, someone still needs to understand what’s in it.

Modern Software Bigger SCA Expectations

For years, Software Composition Analysis focused on managing open source consumption and the related legal and security risks – and that was enough. Today, it isn’t. In this episode of Sushi Bytes, Shinobi and Gen sit down with Aaron Branson to unpack why SCA must evolve to meet modern software realities: AI-generated code with unclear provenance, developers contributing back to open source without leaking IP, and regulations like the EU CRA that demand trustworthy, scalable SBOMs. The takeaway? SCA delivers far more ROI when it’s used to manage today’s risks – not yesterday’s assumptions.

CRA in Practice: SBOMs, Vulnerabilities, and Real Action Required in 2026

In the first episode of Sushi Bytes Season Two, Shinobi and Gen welcome Gary Armstrong, Senior Director of Customer Success at FossID, for a practical conversation on what the CRA really requires in 2026 and 2027. Based on Gary’s recent whitepaper, Software Supply Chain Integrity and SBOM Obligations under the EU Cyber Resilience Act, this episode cuts through the noise to explain what you need to do now to be ready.

Due Diligence Déjà Vu: License Compliance in Software M&A

Startups are moving fast – fueled by AI-generated code, experimental “vibe coding,” and a breakneck pace of shipping software. But when those startups become acquisition targets, things can get messy. In this episode, Shinobi goes solo (with Gen temporarily sidelined by a network outage) to unpack how this new wave of coding introduces license risk that traditional SBOMs miss. Learn why SCA-powered software audits are essential for surfacing modified open source fragments, how blind audits protect confidentiality, and why acquirers need more than metadata to see what’s really lurking in a target’s repo.