Resolve Concelier/Excititor merge conflicts

samples/scanner/images/distroless-go/README.md

@@ -0,0 +1,3 @@
+# Distroless + Go Sample
+
+Demonstrates a Go binary shipped on top of Distroless. Only the compiled service appears in the usage SBOM, while the Go standard library remains inventory-only and still tracked in the BOM Index.

samples/scanner/images/distroless-go/bom-index.json

@@ -0,0 +1,32 @@
+{
+  "schema": "stellaops/bom-index@1",
+  "image": {
+    "repository": "gcr.io/distroless/base",
+    "digest": "sha256:0dd2f0f15c9f8abfba6a0ce0d7d6a24e2e1071c977733f6e77cbe51b87f15ad9",
+    "tag": "nonroot"
+  },
+  "generatedAt": "2025-10-19T00:00:00Z",
+  "generator": "stellaops/scanner@10.0.0-preview1",
+  "components": [
+    {
+      "purl": "pkg:golang/github.com/stellaops/sample-service@v1.4.0",
+      "layerDigest": "sha256:8888888888888888888888888888888888888888888888888888888888888888",
+      "usage": ["inventory", "runtime"],
+      "licenses": ["Apache-2.0"],
+      "evidence": {
+        "kind": "go-buildinfo",
+        "path": "/workspace/service"
+      }
+    },
+    {
+      "purl": "pkg:golang/std@go1.22.5",
+      "layerDigest": "sha256:9999999999999999999999999999999999999999999999999999999999999999",
+      "usage": ["inventory"],
+      "licenses": ["BSD-3-Clause"],
+      "evidence": {
+        "kind": "go-buildinfo",
+        "path": "/workspace/service"
+      }
+    }
+  ]
+}

samples/scanner/images/distroless-go/inventory.cdx.json

@@ -0,0 +1,34 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2025-10-19T00:00:00Z",
+    "component": {
+      "type": "container",
+      "name": "distroless-go",
+      "version": "2025.10.0",
+      "bomRef": "pkg:docker/gcr.io/distroless/base@sha256:0dd2f0f15c9f8abfba6a0ce0d7d6a24e2e1071c977733f6e77cbe51b87f15ad9"
+    }
+  },
+  "components": [
+    {
+      "type": "application",
+      "bomRef": "pkg:golang/github.com/stellaops/sample-service@v1.4.0",
+      "name": "github.com/stellaops/sample-service",
+      "version": "v1.4.0",
+      "properties": [
+        {
+          "name": "stellaops.entrypoint",
+          "value": "/workspace/service"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "bomRef": "pkg:golang/std@go1.22.5",
+      "name": "golang-stdlib",
+      "version": "go1.22.5"
+    }
+  ]
+}

samples/scanner/images/distroless-go/usage.cdx.json

@@ -0,0 +1,22 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2025-10-19T00:00:00Z",
+    "component": {
+      "type": "container",
+      "name": "distroless-go",
+      "version": "2025.10.0",
+      "bomRef": "pkg:docker/gcr.io/distroless/base@sha256:0dd2f0f15c9f8abfba6a0ce0d7d6a24e2e1071c977733f6e77cbe51b87f15ad9"
+    }
+  },
+  "components": [
+    {
+      "type": "application",
+      "bomRef": "pkg:golang/github.com/stellaops/sample-service@v1.4.0",
+      "name": "github.com/stellaops/sample-service",
+      "version": "v1.4.0"
+    }
+  ]
+}