The Wire · Showcase
PACKER KILLS EXTERNAL SBOM SCANNERS, EMBEDS SYFT NATIVELY
By RepoJournal · Filed · About HashiCorp
Packer's hcp-sbom provisioner just ditched the external binary dependency game and baked Syft directly into the build engine.
The docs are now live for what's been shipping under the hood: `scanner_url` and `scanner_checksum` are deprecated [1], replaced by Packer's embedded Syft SDK handling SBOM generation without external downloads. This matters because your provisioner configs need updating before those fields vanish, and the migration path is straightforward [1]. On the infrastructure side, Consul's Dockerfile got a layer consolidation pass [2], a small move but the kind of housekeeping that keeps your image builds lean and reproducible. Nothing critical across either desk, but the Packer change is the one to track if you're shipping SBOMs in production.
Action items
- → Audit hcp-sbom provisioner configs for scanner_url and scanner_checksum fields before next Packer update hashicorp/packer [plan]
- → Review Consul Dockerfile changes if you maintain custom build pipelines hashicorp/consul [monitor]
References
- [1] docs: Update hcp-sbom provisioner documentation for native SBOM generation ↗ hashicorp/web-unified-docs
- [2] minor improvements in dockerfile ↗ hashicorp/consul
FAQ
- What changed in HashiCorp on June 15, 2026?
- Packer's hcp-sbom provisioner just ditched the external binary dependency game and baked Syft directly into the build engine.
- What should HashiCorp teams do about it?
- Audit hcp-sbom provisioner configs for scanner_url and scanner_checksum fields before next Packer update • Review Consul Dockerfile changes if you maintain custom build pipelines
- Which HashiCorp repositories shipped on June 15, 2026?
- hashicorp/web-unified-docs, hashicorp/consul