Stage 5 · Platform
Build, Version & Release
SBOM Generation
Producing CycloneDX and SPDX software bills of materials with Syft and Trivy.
What Is an SBOM?
A Software Bill of Materials (SBOM) is a machine-readable inventory of all components, libraries, and dependencies in a software artifact. It is the software equivalent of a parts list for a car — it tells you exactly what is inside.
SBOMs are critical for supply chain security. When a vulnerability is discovered in a library, you can use your SBOM to quickly determine if you are affected. They are also required by regulations like the US Executive Order on Cybersecurity and EU Cyber Resilience Act.
SBOM Formats
| Format | Standard | Use Case |
|---|---|---|
| SPDX | Linux Foundation | License compliance, legal |
| CycloneDX | OWASP | Vulnerability management, security |
| SWID Tags | ISO/IEC 19770-2 | Enterprise software asset management |
Syft for SBOM Generation
jobs:
sbom:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Syft
uses: anchore/sbom-action/download-syft@v0
- name: Generate SBOM for source code
run: |
syft dir:. -o spdx-json=sbom-source.spdx.json
syft dir:. -o cyclonedx-json=sbom-source.cdx.json
- name: Build Docker image
run: docker build -t myapp:${{ github.sha }} .
- name: Generate SBOM for container image
run: |
syft myapp:${{ github.sha }} -o spdx-json=sbom-image.spdx.json
syft myapp:${{ github.sha }} -o cyclonedx-json=sbom-image.cdx.json
- name: Upload SBOMs
uses: actions/upload-artifact@v4
with:
name: sbom
path: |
sbom-source.spdx.json
sbom-source.cdx.json
sbom-image.spdx.json
sbom-image.cdx.json
- name: Attach SBOM to image
uses: anchore/sbom-action/publish-sbom@v0
with:
image: myapp:${{ github.sha }}
sbom: sbom-image.spdx.jsonSyft scans both source code and container images to generate SBOMs. It supports SPDX and CycloneDX formats. The SBOM can be attached to the container image as metadata for downstream consumers.
Trivy for SBOM
jobs:
sbom-and-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Build image
run: docker build -t myapp:${{ github.sha }} .
- name: Generate SBOM with Trivy
run: |
trivy image --format cyclonedx \
--output sbom.cdx.json \
myapp:${{ github.sha }
- name: Scan SBOM for vulnerabilities
run: |
trivy sbom sbom.cdx.json \
--severity HIGH,CRITICAL \
--exit-code 1
- name: Attach SBOM to GitHub release
if: startsWith(github.ref, 'refs/tags/')
uses: softprops/action-gh-release@v1
with:
files: |
sbom.cdx.json
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}Trivy can both generate and scan SBOMs. The two-step process generates the SBOM and then scans it for vulnerabilities. The SBOM is attached to GitHub releases for supply chain transparency.
GitHub Artifact Attestations
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
attestations: write
steps:
- uses: actions/checkout@v4
- name: Build image
run: docker build -t ghcr.io/myorg/myapp:${{ github.sha }} .
- name: Push image
run: docker push ghcr.io/myorg/myapp:${{ github.sha }}
- name: Generate SBOM
run: |
syft dir:. -o cyclonedx-json=sbom.json
- name: Attest SBOM
uses: actions/attest-sbom@v1
with:
subject-name: ghcr.io/myorg/myapp
subject-digest: sha256:${{ steps.build.outputs.digest }}
sbom-path: sbom.json
push-to-registry: trueGitHub attestations cryptographically sign the SBOM and link it to the image. Consumers can verify the attestation to confirm the SBOM was generated by a trusted build process.
Consuming SBOMs
- Dependency-Track — open-source platform that ingests SBOMs and monitors for new vulnerabilities.
- Grype — vulnerability scanner that reads SBOMs and reports known CVEs.
- Snyk — commercial platform with SBOM management and vulnerability monitoring.
- OSV-Scanner — Google's scanner that reads SBOMs and checks against the OSV database.
An SBOM is only useful if it is current. Generate SBOMs in CI for every build and store them alongside the artifact. When a new vulnerability is disclosed, scan your stored SBOMs to determine impact across all your releases.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.