sig-security VS cyclonedx-gomod

It is also interesting to meet the community : the TAGs (Tech Advisor Group) which provide strategic guidance and advice on technical issues, as well as the SIGs (Special Interest Group) which focuses on areas of interest or specific expertise within the Kubernetes community to drive development and innovation. The TAGs are specialized by areas, for example on security or environmental sustainability.

Cloud Native Security Whitepaper

As Daniel Walsh himself wrote in a blog post, CRI-O integrates very well with SELinux and prevents dangerous actions like a container loading an old, unmaintained and therefore potentially vulnerable kernel module and breaking out of the isolation. Additionally, the Kubernetes API itself contains resources to specifically configure SELinux labels for containers. Doesn't sound like something they would do for a tool that "doesn't work with Kubernetes", according to some. Also, the CNCF security whitepaper mentions SELinux as a tool that can be used to provide isolation and limit privileges, which is as much as we could expect from an high-level, architecturally-minded document.

CycloneDx-gomod

I am aware of the cyclonedx-gomod project, but I imagine that if the go tool got native support for sbom generation, it might also be able to provide information about vulnerable code that either are test-code only, or is not in use and does not affect a binary/module/package

CycloneDX is a software bill of material format supported by OWASP.

A good way to illustrate the complexity of this today is parsing through the several thousand lines of Ansible code devoted to dealing with APT or DNF, or how basic operations such as listing Linux packages or Go modules are handled.