From 7d2a72d04cdfdfdda94d3316f00c357e9057239b Mon Sep 17 00:00:00 2001
From: "kiloconnect[bot]" <240665456+kiloconnect[bot]@users.noreply.github.com>
Date: Fri, 5 Jun 2026 18:05:35 +0000
Subject: [PATCH] docs: remove bun caveat and follow-ups from sbom documentation

---
 docs/sbom.md | 21 ---------------------
 1 file changed, 21 deletions(-)

diff --git a/docs/sbom.md b/docs/sbom.md
index 2fb4b4e7d..a42e122cc 100644
--- a/docs/sbom.md
+++ b/docs/sbom.md
@@ -33,24 +33,3 @@ syft reads `pnpm-lock.yaml` directly (no `pnpm install` needed) and picks up the
 ```sh
 syft scan dir:. -o cyclonedx-json=cloud-sbom.cyclonedx.json
 ```
-
-## Other repos (kilocode, abuse) — bun caveat
-
-syft cannot parse `bun.lock` (its lock cataloger only handles `package-lock.json`, `yarn.lock`, and
-`pnpm-lock.yaml`). For bun repos you must scan an **installed** tree and explicitly enable the
-package cataloger (it is tagged `image,installed` and is off by default for directory scans):
-
-```sh
-bun install --frozen-lockfile
-syft scan dir:. \
-  --select-catalogers '+javascript-package-cataloger' \
-  --exclude './.git/**' --exclude './**/.turbo/**' --exclude './**/dist/**' \
-  -o cyclonedx-json=sbom.cyclonedx.json
-```
-
-## Follow-ups (not yet implemented)
-
-- **Vulnerability scanning** — pair each SBOM with Grype and upload SARIF to the GitHub Security tab,
-  surfacing OS-package and shipped-image CVEs that Dependabot/CodeQL don't see.
-- **Additional container images** — extend the `deploy-kiloclaw.yml` attestation pattern to gastown,
-  cloud-agent, and other images once each has a registry-push path to attest against.