Secure Development & DevSecOps

Automated SBOM Generation

  • May 9, 2025

Sherlocked Security – Automated SBOM Generation

Generate, Manage, and Integrate Software Bills of Materials (SBOMs) into Your SDLC


1. Statement of Work (SOW)

Service Name: Automated SBOM Generation & Validation
Client Type: SaaS Platforms, Critical Software Suppliers, DevSecOps Teams
Service Model: SBOM Automation + Supply Chain Mapping + Policy Enforcement
Compliance Coverage: Executive Order 14028, NIST SSDF (SP 800-218), NTIA minimum elements for SBOM, ISO/IEC 5230 (OpenChain), PCI DSS, SOC 2

Assessment Types:

  • Static Analysis for SBOM Extraction (BOM from Source & Artifacts)
  • Container Image & Binary SBOM Generation
  • License & Vulnerability Mapping
  • SBOM Format Validation (CycloneDX, SPDX, SWID)
  • Pipeline Integration & Policy-as-Code Enforcement

2. Our Approach

[SBOM Source Identification] → [Format Selection & Tooling Setup] → [Generation from Code, Images, and Dependencies] → [Validation & Risk Mapping] → [CI/CD Integration] → [Usage Guidance]


3. Methodology

[Codebase & Artifact Review] → [Toolchain Configuration] → [SBOM Extraction & Format Normalization] → [License & CVE Enrichment] → [Compliance & Integration Recommendations]


4. Deliverables to the Client

  1. Complete SBOMs (CycloneDX/SPDX/SWID) for defined components
  2. Dependency and License Inventory Report
  3. CVE Mapping & Vulnerability Correlation
  4. SBOM Generation Pipeline Blueprints
  5. CI/CD Plugins and Hooks for Future Use
  6. Policy-as-Code Enforcement Templates
  7. Optional: Third-party SBOM Ingestion & Aggregation Guide

5. What We Need from You (Client Requirements)

  • Source code repositories or container image registry access
  • Build pipeline configuration (CI tools, workflows, stages)
  • Programming language stack and dependency managers
  • Preferred SBOM format (CycloneDX/SPDX/SWID)
  • Scope (microservices, images, artifacts, environments)
  • NDA and scope agreement

6. Tools & Technology Stack

  • SBOM Tools: Syft, Trivy, CycloneDX CLI, SPDX Tools, Tern
  • Language Tools: pip-audit, npm audit, cargo-audit, go list -m all, mvn dependency:tree
  • CI/CD: GitHub Actions, GitLab CI, Jenkins, CircleCI
  • SBOM Validation & Analysis: CycloneDX CLI (validate command) and SPDX tools for schema checks; OSS Review Toolkit (ORT) and Dependency-Track for analysis and policy evaluation
  • Policy Enforcement: in-toto, Sigstore, GUAC, OPA/Rego for gatekeeping
  • Vulnerability Matching & Visualization: Grype for matching SBOM components against CVE data; OWASP Dependency-Track dashboards and the OWASP SBOM Visualizer for dependency graphs

7. Engagement Lifecycle

1. Kickoff & Codebase/Image Scope Review → 2. SBOM Tool Setup → 3. Format Output Generation → 4. CVE/License Enrichment → 5. Integration & Reporting → 6. SBOM Retention/Storage Strategy


8. Why Sherlocked Security?

Feature | Sherlocked Advantage
Multi-format Support | CycloneDX, SPDX, SWID, and custom SBOM formats supported
Artifact-Wide Coverage | Covers code, binaries, container images, and compiled packages
Enriched with CVEs & Licenses | Vulnerability and license compliance baked into SBOMs
CI/CD Integration Ready | Hooks and templates for pipeline auto-generation
Supply Chain Trust Architecture | Integrates signing, verification, and provenance tracking

9. Real-World Case Studies

HealthTech SBOM for FDA Compliance

Issue: Required SBOMs for software components shipped with medical devices.
Fix: Automated SBOM generation integrated into build system, linked to artifact releases and verified via CycloneDX schema.

FinTech CI/CD Dependency Drift

Issue: Dependency versions varied across environments; SBOMs revealed version drift.
Fix: Pinned dependency versions with lockfiles, enabled reproducible builds, and generated an SBOM for every CI commit so that drift between environments shows up as a diff between two SBOMs rather than as a production incident.
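The drift detection behind this case study can be reduced to a diff of two SBOM inventories. The script below is an added example, not Sherlocked's tooling: it keys each CycloneDX component by its purl without the version, then reports packages present on only one side and packages whose version differs. The staging and production SBOMs are constructed inline (the package set and versions are invented for illustration).

```python
"""Detect dependency drift between two CycloneDX SBOMs (e.g. staging vs production).

Added example, not Sherlocked tooling. Each SBOM is reduced to a purl-keyed
inventory; the report lists one-sided packages and version mismatches.
"""
import json


def _make_sbom(app, purls):
    """Build a minimal CycloneDX 1.5 document for the constructed samples below."""
    comps = []
    for purl in purls:
        name, version = purl.rsplit("/", 1)[1].rsplit("@", 1)
        comps.append({"type": "library", "name": name, "version": version,
                      "purl": purl, "bom-ref": purl})
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
                       "metadata": {"component": {"type": "application", "name": app}},
                       "components": comps})


# Constructed samples: same application, two environments.
STAGING_SBOM = _make_sbom("payments-api", [
    "pkg:pypi/requests@2.31.0", "pkg:pypi/urllib3@2.0.7",
    "pkg:pypi/pyyaml@6.0.1", "pkg:pypi/debugpy@1.8.0"])
PRODUCTION_SBOM = _make_sbom("payments-api", [
    "pkg:pypi/requests@2.28.2", "pkg:pypi/urllib3@2.0.7",
    "pkg:pypi/pyyaml@6.0.1", "pkg:pypi/gunicorn@21.2.0"])


def purl_key_and_version(purl):
    """Split a purl into (identity without version, version).

    Qualifiers (?...) and subpaths (#...) are dropped first. The '@' of an npm
    scope is percent-encoded (%40) in a purl, so rsplit on '@' is safe.
    """
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        key, version = base.rsplit("@", 1)
        return key, version
    return base, None


def inventory(sbom_json):
    """Map package identity -> set of versions seen in the SBOM."""
    inv = {}
    for comp in json.loads(sbom_json).get("components", []):
        if comp.get("purl"):
            key, version = purl_key_and_version(comp["purl"])
        else:  # fall back to type/name when the generator emitted no purl
            key, version = f"{comp.get('type', 'unknown')}/{comp.get('name')}", comp.get("version")
        inv.setdefault(key, set()).add(version)
    return inv


def drift(sbom_a, sbom_b):
    """Compare two SBOMs; version lists are sorted so the output is deterministic."""
    ia, ib = inventory(sbom_a), inventory(sbom_b)
    common = set(ia) & set(ib)
    return {
        "only_in_a": sorted(set(ia) - set(ib)),
        "only_in_b": sorted(set(ib) - set(ia)),
        "version_drift": sorted(
            (k, sorted(v or "" for v in ia[k]), sorted(v or "" for v in ib[k]))
            for k in common if ia[k] != ib[k]),
    }


if __name__ == "__main__":
    print(json.dumps(drift(STAGING_SBOM, PRODUCTION_SBOM), indent=2))
```

Run it against the SBOM stored with each release (see the retention items in the checklist below) and fail the promotion job when `version_drift` is non-empty; a debug-only package such as the `debugpy` entry above showing up in `only_in_a` is the kind of finding that a per-commit SBOM makes visible.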


10. SOP – Standard Operating Procedure

  1. Source Code / Artifact Scope Definition
  2. Choose SBOM Format(s) Based on Use Case
  3. Set Up SBOM Generation Tool (Syft, CycloneDX CLI, etc.)
  4. Extract SBOMs from Images, Packages, Repositories
  5. Normalize Format and Enrich with License + CVE Data
  6. Validate Using Schema Validators and CI Gates
  7. Push SBOMs to Central Registry / Artifact Store
  8. Provide Templates for CI/CD Enforcement and Audit Trail

11. SBOM Generation Checklist

1. SBOM Strategy & Format Selection

  • Determine SBOM use case: compliance, security, licensing, supply chain
  • Choose output format: SPDX, CycloneDX, or SWID
  • Ensure tooling supports reproducible, deterministic SBOMs
  • Align with the NTIA minimum elements (supplier name, component name, version, other unique identifiers such as purl or CPE, dependency relationship, author of the SBOM data, timestamp); record component hashes as well, since a hash is the strongest identifier when matching shipped binaries
  • Support format conversions and ingestion across tools

2. Source Material Collection

  • Collect inputs from:
    • Source code repositories (Git, Mercurial)
    • Build outputs (JARs, binaries, Python wheels, npm tarballs)
    • Container images (OCI layers)
    • Language package managers (pip, npm, maven, cargo)

3. SBOM Tooling Configuration

  • Install and configure tools like:
    • syft for image and file scans
    • tern for container-based SBOMs
    • cyclonedx-cli and spdx-sbom-generator
  • Customize output metadata (project name, supplier, timestamp, build system)
  • Pin the specification version you emit (CycloneDX 1.5 or later, SPDX 2.2 or later) so consumers can validate against a known schema

4. Dependency Enumeration & Metadata Extraction

  • Enumerate:
    • Package names and versions
    • Download URLs or VCS references
    • Hashes (SHA-256 for integrity; SHA-1 and MD5 only where needed to match legacy package records, never as the sole integrity check)
    • Licenses (declared and detected)
  • Identify transitive dependencies
  • Cross-reference with known vulnerable versions (CVEs)

5. SBOM Validation & Quality

  • Run schema validation checks for SPDX and CycloneDX
  • Ensure required fields are populated (version, license, supplier, origin)
  • Check for:
    • Orphaned dependencies
    • Duplicate package entries
    • Missing component metadata
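The following script is an added example (not Sherlocked's tooling and not a CycloneDX project script) that implements checklist items 1 and 5 together: it checks a CycloneDX 1.5 JSON SBOM for the NTIA minimum elements and for the three structural defects listed above (orphaned dependencies, duplicate package entries, missing component metadata). The sample SBOM is constructed inline with deliberate defects; hash values are placeholders. It complements, and does not replace, schema validation with the CycloneDX CLI.

```python
"""Quality gate for a CycloneDX 1.5 JSON SBOM (added example, not Sherlocked tooling).

Checks NTIA minimum elements plus the checklist defects: missing component
metadata, duplicate entries, and components unreachable from the dependency graph.
Run a schema validator (e.g. the CycloneDX CLI) first; this does not replace it.
"""
import json
import sys
from collections import Counter

# Constructed sample with deliberate defects. Hash content is a placeholder.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {
        "timestamp": "2025-05-09T10:00:00Z",
        "authors": [{"name": "CI build pipeline"}],
        "component": {"type": "application", "name": "payments-api", "version": "2.4.1",
                      "bom-ref": "pkg:generic/payments-api@2.4.1"},
    },
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "supplier": {"name": "requests maintainers"},
         "purl": "pkg:pypi/requests@2.31.0", "bom-ref": "pkg:pypi/requests@2.31.0",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}],
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # No supplier, license or hash recorded.
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7", "bom-ref": "pkg:pypi/urllib3@2.0.7"},
        # Same package a second time under another bom-ref (duplicate).
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7", "bom-ref": "pkg:pypi/urllib3@2.0.7-dup"},
        # In the inventory but never referenced by the dependency graph (orphan).
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0", "bom-ref": "pkg:npm/left-pad@1.3.0"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/payments-api@2.4.1", "dependsOn": ["pkg:pypi/requests@2.31.0"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.0.7"]},
    ],
})

NTIA_COMPONENT_FIELDS = ("supplier", "name", "version")


def _ref(comp):
    return comp.get("bom-ref") or comp.get("name") or "<unnamed>"


def check_ntia_minimum(sbom):
    """Findings for NTIA minimum elements that are absent from the document."""
    findings, meta = [], sbom.get("metadata", {})
    if "timestamp" not in meta:
        findings.append("metadata.timestamp missing (NTIA: timestamp)")
    if not meta.get("authors") and not meta.get("tools"):
        findings.append("metadata.authors/tools missing (NTIA: author of SBOM data)")
    if "dependencies" not in sbom:
        findings.append("dependencies missing (NTIA: dependency relationship)")
    for comp in sbom.get("components", []):
        for field in NTIA_COMPONENT_FIELDS:
            if not comp.get(field):
                findings.append(f"{_ref(comp)}: {field} missing")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            findings.append(f"{_ref(comp)}: no unique identifier (purl/cpe/swid)")
    return findings


def find_duplicates(sbom):
    """Components sharing a purl (or name@version when no purl) are duplicates."""
    keys = Counter(c.get("purl") or f"{c.get('name')}@{c.get('version')}"
                   for c in sbom.get("components", []))
    return sorted(k for k, n in keys.items() if n > 1)


def find_orphans(sbom):
    """Components whose bom-ref is not reachable from the root via `dependencies`."""
    root = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, stack = set(), ([root] if root else [])
    while stack:  # depth-first walk of the dependency graph
        ref = stack.pop()
        if ref not in seen:
            seen.add(ref)
            stack.extend(edges.get(ref, []))
    return sorted(_ref(c) for c in sbom.get("components", []) if c.get("bom-ref") not in seen)


def find_missing_metadata(sbom, fields=("licenses", "hashes")):
    return sorted(f"{_ref(c)}: {f} missing" for c in sbom.get("components", [])
                  for f in fields if not c.get(f))


def assess(sbom_json):
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    report = {"ntia": check_ntia_minimum(sbom), "duplicates": find_duplicates(sbom),
              "orphans": find_orphans(sbom), "missing_metadata": find_missing_metadata(sbom)}
    return {**report, "passed": not any(report.values())}


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    result = assess(data)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["passed"] else 1)
```

Wire it into the pipeline as `python sbom_quality.py build/bom.json` right after generation; a non-zero exit fails the job, which is what the checklist's "CI gates" item calls for.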

6. CVE & License Correlation

  • Enrich SBOM with CVE severity and fix status using tools like Grype
  • Map components to security advisories (OSV, NVD, GHSA)
  • Identify license obligations: copyleft licenses (GPL, AGPL, LGPL) impose source-disclosure or network-use requirements, permissive licenses (MIT, BSD, Apache-2.0) mostly require attribution; judge each against how the product is distributed
  • Flag non-compliant, unknown, or dual-licensed components

7. CI/CD Pipeline Integration

  • Embed SBOM generation in CI/CD jobs (GitHub Actions, GitLab CI, Jenkins)
  • Store generated SBOMs with artifacts/releases
  • Validate SBOM existence and structure in pull requests
  • Block deployments if critical CVEs are found via SBOM scan
  • Attach SBOMs to container images as OCI referrer artifacts or signed attestations (for example cosign attest with a CycloneDX or SPDX predicate, or oras attach) so the SBOM travels with the image digest; an OCI annotation can carry the SBOM's digest but is too small for the SBOM itself
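The "block deployments on critical CVEs" gate and the license checks of checklist item 6 can be one policy-as-code step run over the scanner's CycloneDX output (Grype and Trivy can both emit CycloneDX with a `vulnerabilities` array). The script below is an added example, not one of Sherlocked's templates and not an OPA/Rego policy: it fails the build for any critical or high finding that lacks an accepted VEX analysis state, and for any component whose declared license is on a deny list. The CVE identifiers in the sample are real, but the component set, the VEX statement and the license data are constructed, and the deny list is an illustrative policy for a proprietary SaaS product, not a recommendation.

```python
"""Policy gate over a CycloneDX 1.5 SBOM that carries `vulnerabilities`.

Added example (not Sherlocked's templates, not an OPA policy). Blocks on
critical/high findings without an accepted CycloneDX analysis (VEX) state and
on denied or undeterminable licenses. Usage: python sbom_gate.py bom.json
"""
import json
import sys

POLICY = {
    "fail_severities": {"critical", "high"},
    # CycloneDX analysis states under which a finding is not a blocker.
    "accepted_states": {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"},
    # Illustrative deny list for a proprietary SaaS product; organisation-specific.
    "denied_licenses": {"AGPL-3.0-only", "AGPL-3.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later"},
    "fail_on_unknown_license": True,
}
SEVERITY_RANK = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1, "none": 0, "unknown": 0}
SPDX_OPERATORS = {"AND", "OR", "WITH"}

# Constructed sample: real CVE ids, invented component set, VEX statement and licenses.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "snakeyaml", "version": "1.33",
         "bom-ref": "pkg:maven/org.yaml/snakeyaml@1.33",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "urllib3", "version": "2.0.6",
         "bom-ref": "pkg:pypi/urllib3@2.0.6", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "reporting-lib", "version": "1.2.0",
         "bom-ref": "pkg:maven/org.example/reporting-lib@1.2.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "mystery-widget", "version": "0.9.0",
         "bom-ref": "pkg:npm/mystery-widget@0.9.0"},  # no license declared
    ],
    "vulnerabilities": [
        {"id": "CVE-2021-44228", "ratings": [{"severity": "critical"}],
         "affects": [{"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
        # Critical, but a VEX statement says the vulnerable code path is unreachable here.
        {"id": "CVE-2022-1471", "ratings": [{"severity": "critical"}],
         "affects": [{"ref": "pkg:maven/org.yaml/snakeyaml@1.33"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                      "detail": "Only SafeConstructor is used on untrusted input."}},
        {"id": "CVE-2023-45803", "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "pkg:pypi/urllib3@2.0.6"}]},
    ],
})


def worst_severity(vuln):
    """Highest severity across all ratings; 'unknown' when none is given."""
    sevs = [r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])]
    return max(sevs, key=lambda s: SEVERITY_RANK.get(s, 0), default="unknown")


def vulnerability_violations(sbom, policy):
    violations = []
    for v in sbom.get("vulnerabilities", []):
        sev = worst_severity(v)
        if sev not in policy["fail_severities"]:
            continue
        state = v.get("analysis", {}).get("state")
        if state in policy["accepted_states"]:
            continue  # VEX statement: not exploitable in this product
        refs = ", ".join(a.get("ref", "?") for a in v.get("affects", []))
        violations.append(f"{v.get('id')} ({sev}) affects {refs}; analysis state={state or 'none'}")
    return violations


def license_ids(component):
    """Flatten declared licenses to SPDX ids. Expressions are flattened to every id
    they mention (so an OR is judged conservatively); the token after WITH is an
    exception, not a license, and is skipped."""
    ids = []
    for entry in component.get("licenses", []):
        if "license" in entry:
            lic = entry["license"]
            ids.append(lic.get("id") or lic.get("name") or "UNKNOWN")
        elif "expression" in entry:
            tokens = entry["expression"].replace("(", " ").replace(")", " ").split()
            skip = False
            for tok in tokens:
                if skip:
                    skip = False
                elif tok == "WITH":
                    skip = True
                elif tok not in SPDX_OPERATORS:
                    ids.append(tok)
    return ids or ["UNKNOWN"]


def license_violations(sbom, policy):
    violations = []
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name")
        for lic in license_ids(comp):
            if lic in policy["denied_licenses"]:
                violations.append(f"{ref}: license {lic} is denied by policy")
            elif lic == "UNKNOWN" and policy["fail_on_unknown_license"]:
                violations.append(f"{ref}: license could not be determined")
    return violations


def evaluate(sbom_json, policy=POLICY):
    sbom = json.loads(sbom_json)
    violations = vulnerability_violations(sbom, policy) + license_violations(sbom, policy)
    return {"violations": violations, "allow_deploy": not violations}


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    result = evaluate(data)
    print("\n".join(result["violations"]) or "no policy violations")
    sys.exit(0 if result["allow_deploy"] else 1)
```

Keeping the exceptions inside the SBOM as CycloneDX `analysis` entries (or as a separate VEX document merged before the gate runs) means the exception is reviewed and versioned alongside the component it excuses, rather than living in a scanner-specific ignore file that nothing audits.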

8. Supply Chain Trust & Signing

  • Sign SBOMs with Cosign (keyless via Sigstore or with a managed key) or GPG so consumers can verify integrity and origin; pair the signature with a build-provenance attestation (in-toto/SLSA) where you must prove which build produced them
  • Use in-toto to link SBOM generation with secure build steps
  • Enforce signature validation in artifact registries
  • Integrate SBOM with GUAC, Sigstore, or Dependency Track platforms

9. SBOM Management & Retention

  • Maintain SBOM history across versions and releases
  • Store SBOMs in centralized, versioned registries (e.g., Harbor, Nexus, Git)
  • Implement retention policies for traceability and audits
  • Integrate SBOM ingestion from third-party vendors (if applicable)

10. Reporting & Continuous Monitoring

  • Report total dependencies, license types, and CVE distribution
  • Export SBOMs in the serializations each format defines (CycloneDX: JSON, XML, protobuf; SPDX: JSON, YAML, tag-value, RDF/XML)
  • Visualize dependency graphs and attack surface (via OWASP tools)
  • Automate notifications for new vulnerabilities in existing SBOMs