Tool adds SBOMs for unmanaged C/C++

A new tool called Manifest was highlighted for producing SBOMs for unmanaged C and C++ code, closing a blind spot in embedded and geospatial systems where dependency visibility is poor. That matters for classified pipelines that must track legacy binaries inside container images.

Manifest published a cross-platform CLI and GitHub Action that can generate SBOMs from local source trees, container images and filesystem targets [docs.manifestcyber.com]. The platform emits CycloneDX and SPDX SBOMs and adds binary inspection, Nix-package visibility and reachability analysis to help prioritize vulnerabilities by exploitability [cyclonedx.org]. The Manifest CLI supports amd and arm architectures, and its examples show commands for scanning container images (e.g., alpine:latest) and for merging multiple SBOMs in CI/CD workflows [github.com]. Manifest positioned the commercial release on March 12, 2026, and described the capability as aimed at embedded, medical-device and regulated environments, while publishing public docs and a GitHub repo for customer evaluation [morningstar.com].
