generating-and-analyzing-sboms

Installation
SKILL.md

Generating and Analyzing SBOMs

Authorized Use Only: Generate and scan SBOMs only for software and images you own or are authorized to assess. Treat SBOMs as sensitive inventory data — they reveal your dependency attack surface.

Overview

A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of every component, library, and dependency in a piece of software — the supply-chain equivalent of an ingredients label. SBOMs are central to defending against supply-chain compromise (CISA's SBOM initiative, US Executive Order 14028) because you cannot patch what you cannot see. The two dominant SBOM standards are:

  • CycloneDX — an OWASP standard optimized for security use cases (vulnerabilities, VEX, dependency relationships).
  • SPDX — a Linux Foundation / ISO standard (ISO/IEC 5962) strong on licensing and provenance.

The reference open-source toolchain is from Anchore:

  • Syft generates SBOMs (CycloneDX, SPDX, or its native format) from container images and filesystems.
  • Grype matches an SBOM (or image) against vulnerability databases to find CVEs.
  • Cosign (Sigstore) signs SBOMs and attaches them to images as signed attestations for tamper-evident provenance.

This skill covers producing standards-compliant SBOMs, correlating them with vulnerability intelligence, and embedding the workflow into CI/CD.

When to Use

Installs
10
GitHub Stars
24.7K
First Seen
13 days ago
generating-and-analyzing-sboms — mukul975/anthropic-cybersecurity-skills