generating-and-analyzing-sboms
Generating and Analyzing SBOMs
Authorized Use Only: Generate and scan SBOMs only for software and images you own or are authorized to assess. Treat SBOMs as sensitive inventory data — they reveal your dependency attack surface.
Overview
A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of every component, library, and dependency in a piece of software — the supply-chain equivalent of an ingredients label. SBOMs are central to defending against supply-chain compromise (CISA's SBOM initiative, US Executive Order 14028) because you cannot patch what you cannot see. The two dominant SBOM standards are:
- CycloneDX — an OWASP standard optimized for security use cases (vulnerabilities, VEX, dependency relationships).
- SPDX — a Linux Foundation / ISO standard (ISO/IEC 5962) strong on licensing and provenance.
The reference open-source toolchain is from Anchore:
- Syft generates SBOMs (CycloneDX, SPDX, or its native format) from container images and filesystems.
- Grype matches an SBOM (or image) against vulnerability databases to find CVEs.
- Cosign (Sigstore) signs SBOMs and attaches them to images as signed attestations for tamper-evident provenance.
This skill covers producing standards-compliant SBOMs, correlating them with vulnerability intelligence, and embedding the workflow into CI/CD.