@Shawn McCarthy Your point is valid. I was trying to convey they are reactive in a sense that an SBOM is a static historical build record for a given software artifact that doesn't "naturally" reflect dependency changes that have occurred since that build occurred. For immutable images that is OK and important and valuable. However, it's important to monitor dependencies indicated by these SBOMs to anticipate impending changes for future builds. This is the proactive part I'm trying to convey. Maybe I could find a better way to make that point more clearly. Thanks for your comment.