sbom-supply-chain

SBOM & Supply Chain Security

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "sbom-supply-chain" with this command: npx skills add bagelhole/devops-security-agent-skills/bagelhole-devops-security-agent-skills-sbom-supply-chain

SBOM & Supply Chain Security

Improve release trust with reproducible metadata and verification gates.

When to Use This Skill

Use this skill when:

  • Producing SBOMs for container images or application builds

  • Verifying dependencies before deploy

  • Enforcing signed artifact and provenance policies

  • Preparing for SOC2, ISO 27001, or customer security reviews

Recommended Tooling

  • SBOM generation: Syft, CycloneDX tools

  • Vulnerability matching: Grype, Trivy

  • Signing and attestations: Cosign, Sigstore

  • Policy enforcement: OPA, Kyverno, admission controllers

Baseline Workflow

  • Generate SBOM in SPDX or CycloneDX format during CI builds.

  • Create provenance attestations for build steps and source commit.

  • Sign image digests and SBOM artifacts with keyless or managed keys.

  • Verify signatures and attestations before deployment.

  • Archive evidence for audits and incident response.

Example Commands

Generate SBOM for an image

syft registry:ghcr.io/acme/api:1.2.3 -o cyclonedx-json > sbom.json

Sign container image digest

cosign sign ghcr.io/acme/api@sha256:abc123...

Attach SBOM attestation

cosign attest --predicate sbom.json --type cyclonedx ghcr.io/acme/api@sha256:abc123...

Verify signatures

cosign verify ghcr.io/acme/api@sha256:abc123...
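The workflow above ends with a verification gate, but the skill only shows the signature check. As an added example (not code from the skill, from syft, or from cosign), here is the dependency half of that gate: a small policy check that reads the cyclonedx-json SBOM produced by the syft command above and blocks a deploy when a component cannot be identified by a purl, is on an organisational denylist, or is below the first fixed version in a vulnerability feed. The SBOM, the feed, the denylist and the advisory ids are all constructed sample data; in practice the feed would come from Grype or Trivy output and the check would run after `cosign verify` succeeds.

```python
"""Deployment gate over a CycloneDX JSON SBOM.

Added example; not code from the skill or the listed tools. Assumes the SBOM
is the cyclonedx-json output of syft and that a vulnerability feed has already
been reduced to a {base purl: [(first fixed version, advisory id), ...]}
mapping. Every sample value below is constructed; the advisory ids are
placeholders, not real identifiers.
"""
import json
from dataclasses import dataclass, field

# Constructed SBOM in CycloneDX JSON shape (not real syft output).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "lodash", "version": "4.17.15",
         "purl": "pkg:npm/lodash@4.17.15"},
        # A component with no purl cannot be matched against any feed.
        {"type": "library", "name": "vendored-blob", "version": "0.0.1"},
    ],
})

# Constructed feed: base purl -> [(first fixed version, placeholder id)].
SAMPLE_VULN_FEED = {"pkg:npm/lodash": [("4.17.21", "ADVISORY-PLACEHOLDER-1")]}

# Constructed denylist of base purls an organisation refuses to ship.
SAMPLE_DENYLIST = {"pkg:npm/example-banned-package"}


@dataclass
class GateResult:
    passed: bool
    findings: list = field(default_factory=list)


def purl_base(purl):
    """Strip version, qualifiers and subpath: pkg:npm/x@1.0?a=b#sub -> pkg:npm/x."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    return core.rsplit("@", 1)[0] if "@" in core else core


def _version_key(version):
    # Numeric segments compare numerically, other segments lexically. Adequate
    # for the dotted versions syft emits; not a full semver/PEP 440 comparator.
    return [(0, int(p)) if p.isdigit() else (1, p) for p in version.split(".")]


def version_lt(a, b):
    return _version_key(a) < _version_key(b)


def load_components(sbom_text):
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def evaluate_sbom(sbom_text, vuln_feed, denylist):
    """Fail closed: any unidentifiable, denylisted or unfixed component blocks the deploy."""
    findings = []
    for comp in load_components(sbom_text):
        name = comp.get("name", "<unnamed>")
        version = comp.get("version", "")
        purl = comp.get("purl")
        if not purl:
            findings.append(f"{name}@{version}: no purl, cannot be matched against advisories")
            continue
        base = purl_base(purl)
        if base in denylist:
            findings.append(f"{base}@{version}: denylisted")
            continue
        for fixed_in, advisory in vuln_feed.get(base, []):
            if version_lt(version, fixed_in):
                findings.append(f"{base}@{version}: {advisory} (fixed in {fixed_in})")
    return GateResult(passed=not findings, findings=findings)


if __name__ == "__main__":
    result = evaluate_sbom(SAMPLE_SBOM, SAMPLE_VULN_FEED, SAMPLE_DENYLIST)
    print("PASS" if result.passed else "BLOCK")
    for line in result.findings:
        print(" -", line)
```

The gate treats a missing purl as a failure rather than a warning: a component the matcher cannot identify is exactly the one no vulnerability feed will ever flag, so letting it through silently defeats the point of generating the SBOM. On the sample data the run reports BLOCK with two findings (the outdated lodash and the purl-less vendored blob).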

Related Skills

  • dependency-scanning - Library vulnerability triage

  • container-scanning - Container CVE scanning

  • policy-as-code - Policy enforcement
