SBOM Generation — Software Bill of Materials

03. 09. 2024 1 min read intermediate

An SBOM is a list of all the components in your software. It is required for US federal contractors and useful for everyone.

Formats

  • SPDX: Linux Foundation standard
  • CycloneDX: OWASP standard, security-focused

Generation

Syft — universal

syft . -o spdx-json > sbom.spdx.json
syft . -o cyclonedx-json > sbom.cdx.json
syft myapp:latest -o spdx-json # Docker image

Trivy

trivy fs --format spdx-json -o sbom.json .

npm

npx @cyclonedx/cyclonedx-npm --output-file sbom.json

Using SBOM

  • Vulnerability matching (grype sbom.json)
  • License compliance
  • Incident response — rapid identification of affected systems
  • Regulatory compliance (EU CRA, US EO 14028)
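
The incident-response use in the list above, as an added example (not code from the original article): a Python lookup that reads CycloneDX or SPDX JSON, the two formats the Generation commands produce, and reports which systems ship a given package version. The package name `examplelib`, the system labels and the sample SBOMs are constructed for illustration.

```python
import json
from pathlib import Path

def load(paths):
    """Read SBOM files (e.g. the syft output) into {path: document}."""
    return {str(p): json.loads(Path(p).read_text()) for p in paths}

def components(sbom):
    """Yield (name, version, purl) from a CycloneDX or SPDX JSON document."""
    if sbom.get("bomFormat") == "CycloneDX":
        stack = list(sbom.get("components", []))
        while stack:  # CycloneDX components may nest under "components"
            c = stack.pop()
            stack.extend(c.get("components", []))
            yield c.get("name"), c.get("version"), c.get("purl")
    elif "spdxVersion" in sbom:
        for p in sbom.get("packages", []):
            purl = next((r.get("referenceLocator") for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            yield p.get("name"), p.get("versionInfo"), purl
    else:
        raise ValueError("not a CycloneDX or SPDX JSON SBOM")

def affected(sboms, name, bad_versions):
    """Map system label -> matching components (purl, else name@version)."""
    hits = {}
    for label, sbom in sboms.items():
        found = sorted({purl or f"{n}@{v}" for n, v, purl in components(sbom)
                        if n == name and v in bad_versions})
        if found:
            hits[label] = found
    return hits

# Constructed sample SBOMs, trimmed to the fields read above (not real scan output).
SAMPLE = {
    "billing-api": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "webframework", "version": "4.0.0", "components": [
            {"type": "library", "name": "examplelib", "version": "1.2.0",
             "purl": "pkg:npm/examplelib@1.2.0"}]}]},
    "web-frontend": {"spdxVersion": "SPDX-2.3", "packages": [
        {"name": "examplelib", "versionInfo": "1.3.0"}]},
    "batch-worker": {"spdxVersion": "SPDX-2.3", "packages": [
        {"name": "examplelib", "versionInfo": "1.2.1", "externalRefs": [
            {"referenceType": "purl", "referenceLocator": "pkg:npm/examplelib@1.2.1"}]}]},
}

if __name__ == "__main__":
    for label, found in affected(SAMPLE, "examplelib", {"1.2.0", "1.2.1"}).items():
        print(label, *found)
```

The nested CycloneDX entry in the sample shows why a flat scan of the top-level `components` array can miss a transitive dependency.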

Key Takeaway

Generate the SBOM automatically in CI/CD. Use CycloneDX for security and SPDX for licenses. It will become mandatory.

CORE SYSTEMS team