It should generate a sbom and run everyday a SCA analysis over it.

As options user can upload sbom from their providers, so they know one app is affected without scanning it. That third party sbom could be downloaded regularly from an specific url that may require a token.