RepoJournal
HashiCorp

@hashicorp

Terraform, Vault, Consul — infra-as-code for ops teams

Pick a date

The Wire · Showcase

PACKER KILLS EXTERNAL SBOM SCANNERS, EMBEDS SYFT NATIVELY

By RepoJournal · Filed · About HashiCorp

Packer's hcp-sbom provisioner just ditched the external binary dependency game and baked Syft directly into the build engine.

The docs are now live for what's been shipping under the hood: `scanner_url` and `scanner_checksum` are deprecated [1], replaced by Packer's embedded Syft SDK handling SBOM generation without external downloads. This matters because your provisioner configs need updating before those fields vanish, and the migration path is straightforward [1]. On the infrastructure side, Consul's Dockerfile got a layer consolidation pass [2], a small move but the kind of housekeeping that keeps your image builds lean and reproducible. Nothing critical across either desk, but the Packer change is the one to track if you're shipping SBOMs in production.

Action items

References

  1. [1] docs: Update hcp-sbom provisioner documentation for native SBOM generation ↗ hashicorp/web-unified-docs
  2. [2] minor improvements in dockerfile ↗ hashicorp/consul

FAQ

What changed in HashiCorp on June 15, 2026?
Packer's hcp-sbom provisioner just ditched the external binary dependency game and baked Syft directly into the build engine.
What should HashiCorp teams do about it?
Audit hcp-sbom provisioner configs for scanner_url and scanner_checksum fields before next Packer update • Review Consul Dockerfile changes if you maintain custom build pipelines
Which HashiCorp repositories shipped on June 15, 2026?
hashicorp/web-unified-docs, hashicorp/consul

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.