Authorized Use Only: Generate and scan SBOMs only for software and images you own or are authorized to assess. Treat SBOMs as sensitive inventory data — they reveal your dependency attack surface.
A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of every component, library, and dependency in a piece of software — the supply-chain equivalent of an ingredients label. SBOMs are central to defending against supply-chain compromise (CISA's SBOM initiative, US Executive Order 14028) because you cannot patch what you cannot see. The two dominant SBOM standards are:

- CycloneDX, stewarded by OWASP and oriented toward security use cases (vulnerability and VEX data)
- SPDX, stewarded by the Linux Foundation and standardized as ISO 5962, strongest on licensing and provenance

The reference open-source toolchain is from Anchore (Syft and Grype), with Cosign from Sigstore for signing:

- Syft generates SBOMs from container images and directories
- Grype scans SBOMs or images against vulnerability intelligence
- Cosign signs SBOMs and stores them as attestations next to the image in the registry
This skill covers producing standards-compliant SBOMs, correlating them with vulnerability intelligence, and embedding the workflow into CI/CD.
```bash
# Syft (SBOM generation) and Grype (vulnerability scanning) from Anchore
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

# Cosign via Go, or download a release from https://github.com/sigstore/cosign/releases
go install github.com/sigstore/cosign/v2/cmd/cosign@latest
```
| ID | Official Technique Name | Relevance to this skill |
|---|---|---|
| T1195.001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools | SBOM generation and vulnerability correlation expose compromised or vulnerable dependencies — the attack surface adversaries abuse under this technique. |
This is a defensive supply-chain skill; the mapping reflects the adversary technique it is designed to detect and mitigate.
`-o <format>` selects the output format; `cyclonedx-json` is the security-oriented choice.

```bash
syft alpine:latest -o cyclonedx-json=alpine.cdx.json
```

Use the `dir:` source to inventory a checked-out repository; `spdx-json` emits the SPDX standard.

```bash
syft dir:. -o spdx-json=app.spdx.json
```

Produce both standards in a single pass for different consumers (Syft accepts `-o` more than once):

```bash
syft myorg/app:1.4.2 \
  -o cyclonedx-json=app.cdx.json \
  -o spdx-json=app.spdx.json \
  -o table
```
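Once SBOMs exist for each build, the first consumer is usually not a scanner but an inventory check: what changed between two builds, and are there components the generator could not map to an ecosystem. The following is an added example (not Syft's code) that indexes CycloneDX JSON by version-independent package URL and diffs two builds; the two SBOMs and their components are constructed for the example, trimmed to the fields a `syft -o cyclonedx-json` file carries.

```python
"""Added example (not Syft's code): index CycloneDX JSON SBOMs by package URL and diff two builds."""
import json

# Constructed sample SBOMs, trimmed to the fields used here. A real file written by
# `syft -o cyclonedx-json` carries the same top-level "components" array.
SBOM_V1 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.11",
         "purl": "pkg:apk/alpine/openssl@3.0.11?arch=x86_64"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
    ],
})
SBOM_V2 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.12",
         "purl": "pkg:apk/alpine/openssl@3.0.12?arch=x86_64"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        # Vendored code with no purl (constructed): components without an
        # ecosystem mapping need a fallback key or they silently vanish from diffs.
        {"type": "library", "name": "vendored-lib", "version": "0.1"},
    ],
})


def purl_base(purl):
    """Strip qualifiers, subpath and version from a package URL so that an upgrade of
    the same package keys to the same entry (pkg:npm/@scope/name@1.0 -> pkg:npm/@scope/name)."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    at = core.rfind("@")
    # Only an '@' after the last '/' separates a version; an earlier one is an npm scope.
    return core[:at] if at > core.rfind("/") else core


def component_key(component):
    purl = component.get("purl")
    if purl:
        return purl_base(purl)
    return f"{component.get('type', 'unknown')}:{component.get('name', '?')}"


def index_components(sbom_json):
    """Map each component to a version-independent key; nested assemblies are flattened."""
    index = {}

    def walk(components):
        for c in components:
            index[component_key(c)] = c
            walk(c.get("components", []))  # CycloneDX allows nested components

    walk(json.loads(sbom_json).get("components", []))
    return index


def ecosystem_counts(sbom_json):
    """Count components per purl type (apk, pypi, npm, ...); 'none' when no purl is present."""
    counts = {}
    for c in index_components(sbom_json).values():
        purl = c.get("purl")
        eco = purl.split(":", 1)[1].split("/", 1)[0] if purl else "none"
        counts[eco] = counts.get(eco, 0) + 1
    return counts


def diff_sboms(old_json, new_json):
    """Report dependency drift between two builds: what appeared, vanished, or changed version."""
    old, new = index_components(old_json), index_components(new_json)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted(
            (k, old[k].get("version"), new[k].get("version"))
            for k in old.keys() & new.keys()
            if old[k].get("version") != new[k].get("version")
        ),
    }


if __name__ == "__main__":
    print(json.dumps(ecosystem_counts(SBOM_V1)))
    print(json.dumps(diff_sboms(SBOM_V1, SBOM_V2), indent=2))
```

Keying on the package URL without its version is what makes an upgrade show up as `changed` rather than as one removal plus one addition; a component that arrives with no purl at all is worth a look on its own, because the scanner will have nothing to match it against.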
Decoupling generation from scanning lets you re-scan stored SBOMs as new CVEs land, without rebuilding the artifact.

```bash
# Scan an existing SBOM
grype sbom:app.cdx.json -o table

# JSON report for automation
grype sbom:app.cdx.json -o json > app.vulns.json
```

You can also scan an image directly (Grype generates the SBOM internally):

```bash
grype myorg/app:1.4.2 -o table
```
`--fail-on` exits non-zero when any match is at or above the given severity, failing the pipeline.

```bash
grype sbom:app.cdx.json --fail-on high
```

Filter out unfixable noise with a `.grype.yaml` policy (`only-fixed: true`) or `--only-fixed`:

```bash
grype sbom:app.cdx.json --only-fixed --fail-on critical
```

`--only-fixed` suppresses findings that have no fix yet, not the exposure itself; keep an ungated full scan in the report so those findings stay tracked until a fix ships.
Cosign records the SBOM as a signed in-toto attestation stored alongside the image in the registry.

```bash
# Key-based signing
cosign attest --key cosign.key \
  --predicate app.spdx.json \
  --type spdxjson \
  myorg/app:1.4.2

# Keyless (Sigstore OIDC / Fulcio + Rekor)
# COSIGN_EXPERIMENTAL=1 was required for keyless mode in Cosign v1; Cosign v2 enables it by default
COSIGN_EXPERIMENTAL=1 cosign attest \
  --predicate app.cdx.json \
  --type cyclonedx \
  myorg/app:1.4.2
```
Consumers verify provenance before trusting an image.

```bash
cosign verify-attestation --key cosign.pub --type spdxjson myorg/app:1.4.2
```

Pull the attested SBOM from the registry and re-run Grype as part of continuous monitoring.

```bash
cosign download attestation myorg/app:1.4.2 \
  | jq -r '.payload' | base64 -d | jq '.predicate' > pulled.spdx.json
grype sbom:pulled.spdx.json -o table
```

`cosign download attestation` fetches envelopes without checking signatures, and an image can carry several attestation types (provenance, SBOM, custom). When the pulled SBOM feeds a decision, run the same `jq` steps on the output of `cosign verify-attestation` instead, and select the envelope whose statement `predicateType` is the SBOM type you expect.
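The `jq '.predicate'` one-liner takes every envelope at face value. The following is an added example (not Cosign's code) of the checks a consumer applies between pulling the attestation and handing the predicate to Grype: the payload is an in-toto statement, its `predicateType` is the SBOM type requested, and one of its subjects carries the digest of the image about to be deployed. The envelopes, statements, image digest and registry name are constructed for the example; the signature field is a placeholder, because signature verification is the job of `cosign verify-attestation` before this step.

```python
"""Added example (not Cosign's code): pull the SBOM predicate out of Cosign attestation
envelopes after checking the statement type and the image digest it is bound to."""
import base64
import json

IMAGE_DIGEST = "sha256:" + "ab" * 32  # constructed digest of the image being deployed
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"  # recorded by `cosign attest --type spdxjson`
CYCLONEDX_PREDICATE_TYPE = "https://cyclonedx.org/bom"  # recorded by `--type cyclonedx`


def _envelope(statement):
    """Wrap an in-toto statement the way Cosign prints it: one DSSE envelope JSON per line.
    The signature is a placeholder; this example handles envelope structure only and
    assumes `cosign verify-attestation` already checked the signature."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({
        "payloadType": "application/vnd.in-toto+json",
        "payload": payload,
        "signatures": [{"keyid": "", "sig": "PLACEHOLDER-NOT-A-REAL-SIGNATURE"}],
    })


def _statement(predicate_type, digest_hex, predicate):
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": predicate_type,
        "subject": [{"name": "index.docker.io/myorg/app", "digest": {"sha256": digest_hex}}],
        "predicate": predicate,
    }


# Constructed registry output: a provenance attestation first, then the SBOM attestation,
# so a naive `jq '.predicate'` over every line would hand back the wrong document first.
ATTESTATION_LINES = "\n".join([
    _envelope(_statement("https://slsa.dev/provenance/v0.2", "ab" * 32, {"builder": {"id": "ci"}})),
    _envelope(_statement(SPDX_PREDICATE_TYPE, "ab" * 32, {
        "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "app",
        "packages": [{"name": "openssl", "versionInfo": "3.0.12"}],
    })),
])


def extract_sbom_predicate(envelope_lines, expected_digest, predicate_type=SPDX_PREDICATE_TYPE):
    """Return the SBOM predicate whose statement names expected_digest as its subject.

    Checks applied before trusting the document:
      1. payloadType is in-toto JSON, so the payload is a statement and not arbitrary bytes
      2. predicateType is the SBOM type asked for (registries hold several attestation kinds)
      3. a subject digest equals the digest of the image that is about to run
    """
    algo, _, value = expected_digest.partition(":")
    for line in envelope_lines.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != "application/vnd.in-toto+json":
            continue
        statement = json.loads(base64.b64decode(envelope["payload"]))
        if statement.get("predicateType") != predicate_type:
            continue
        subjects = statement.get("subject", [])
        if not any(s.get("digest", {}).get(algo) == value for s in subjects):
            raise ValueError(
                f"{predicate_type} attestation is bound to a different subject than {expected_digest}")
        return statement["predicate"]
    raise LookupError(f"no attestation with predicateType {predicate_type}")


if __name__ == "__main__":
    # The returned predicate is what `grype sbom:pulled.spdx.json` would consume.
    print(json.dumps(extract_sbom_predicate(ATTESTATION_LINES, IMAGE_DIGEST), indent=2))
```

The subject check is the one the `jq` pipeline lacks: an SBOM attestation that verifies under your key but names a different digest describes some other build, and scanning it tells you nothing about the image in front of you.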
Feed Grype JSON into your vulnerability management workflow: deduplicate by CVE, enrich with EPSS/KEV for prioritization, and track remediation SLAs. Re-scan stored SBOMs on each Grype DB update to catch newly disclosed CVEs in unchanged artifacts.
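The gating and triage steps above (`--fail-on`, `--only-fixed`, deduplication by CVE, KEV/EPSS enrichment) are easiest to reason about when the policy is explicit code. The following is an added example (not Grype's code) that reads a Grype JSON report, collapses the per-artifact matches into one finding per CVE, ranks them by KEV membership, then EPSS, then severity, and reproduces the `--fail-on`/`--only-fixed` gate. The report, the CVE ids, the KEV set and the EPSS scores are all constructed stand-ins; in practice the last two come from the CISA KEV catalog and the FIRST EPSS feed.

```python
"""Added example (not Grype's code): deduplicate Grype JSON matches by CVE and rank them."""
import json

# Constructed Grype report, trimmed to the fields used here. A real `grype ... -o json`
# report carries the same "matches[].vulnerability" and "matches[].artifact" shape.
GRYPE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2023-0001", "severity": "Critical",
                       "fix": {"versions": ["1.2.4"], "state": "fixed"}},
     "artifact": {"name": "libfoo", "version": "1.2.3", "type": "apk"}},
    # Same CVE matched through a second package: one finding, two artifacts.
    {"vulnerability": {"id": "CVE-2023-0001", "severity": "Critical",
                       "fix": {"versions": ["1.2.4"], "state": "fixed"}},
     "artifact": {"name": "libfoo-dev", "version": "1.2.3", "type": "apk"}},
    {"vulnerability": {"id": "CVE-2023-0002", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "requests", "version": "2.31.0", "type": "python"}},
    {"vulnerability": {"id": "CVE-2023-0003", "severity": "Medium",
                       "fix": {"versions": ["4.17.21"], "state": "fixed"}},
     "artifact": {"name": "lodash", "version": "4.17.20", "type": "npm"}},
]})

# Constructed enrichment stand-ins (CVE ids are placeholders, not real entries).
KEV = {"CVE-2023-0003"}                                   # known exploited
EPSS = {"CVE-2023-0001": 0.02, "CVE-2023-0002": 0.41, "CVE-2023-0003": 0.87}

# Grype's severity labels, ranked so thresholds can be compared numerically.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Negligible": 0, "Unknown": 0}


def dedupe_by_cve(report_json):
    """Collapse matches into one finding per CVE, keeping every affected artifact."""
    findings = {}
    for match in json.loads(report_json)["matches"]:
        vuln, artifact = match["vulnerability"], match["artifact"]
        finding = findings.setdefault(vuln["id"], {
            "id": vuln["id"], "severity": vuln.get("severity", "Unknown"),
            "fixed": False, "fix_versions": set(), "artifacts": [],
        })
        finding["artifacts"].append(f"{artifact['name']}@{artifact['version']}")
        if vuln.get("fix", {}).get("state") == "fixed":
            finding["fixed"] = True
            finding["fix_versions"].update(vuln["fix"].get("versions", []))
    return findings


def prioritize(findings, kev, epss):
    """Order for remediation: KEV first, then EPSS, then severity. The sort key is a
    plain tuple so the policy is auditable and easy to change."""
    rows = [{**f, "fix_versions": sorted(f["fix_versions"]),
             "kev": f["id"] in kev, "epss": epss.get(f["id"], 0.0)}
            for f in findings.values()]
    rows.sort(key=lambda r: (r["kev"], r["epss"], SEVERITY_RANK.get(r["severity"], 0)), reverse=True)
    return rows


def gate(findings, fail_on="High", only_fixed=False):
    """Mirror `grype --fail-on <sev> [--only-fixed]`: CVE ids that would fail the build."""
    threshold = SEVERITY_RANK[fail_on]
    return sorted(
        f["id"] for f in findings.values()
        if SEVERITY_RANK.get(f["severity"], 0) >= threshold and (f["fixed"] or not only_fixed)
    )


if __name__ == "__main__":
    findings = dedupe_by_cve(GRYPE_REPORT)
    for row in prioritize(findings, KEV, EPSS):
        print(f"{row['id']:14} kev={row['kev']!s:5} epss={row['epss']:.2f} "
              f"{row['severity']:8} fix={row['fix_versions'] or '-'} {', '.join(row['artifacts'])}")
    print("fail-on high:", gate(findings, "High"))
    print("fail-on high, only-fixed:", gate(findings, "High", only_fixed=True))
```

Note how the ranking and the gate disagree on purpose: the KEV-listed Medium sits at the top of the remediation queue but does not trip a `--fail-on high` gate, which is why the pipeline gate and the remediation SLA should be separate policies fed from the same deduplicated findings.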
| Tool | Purpose | Link |
|---|---|---|
| Syft | SBOM generation | https://github.com/anchore/syft |
| Grype | Vulnerability scanning of SBOMs/images | https://github.com/anchore/grype |
| Cosign | SBOM signing/attestation | https://github.com/sigstore/cosign |
| CycloneDX | Security-focused SBOM standard | https://cyclonedx.org/ |
| SPDX | ISO SBOM standard | https://spdx.dev/ |
| CISA SBOM | Guidance and minimum elements | https://www.cisa.gov/sbom |
| Aspect | CycloneDX | SPDX |
|---|---|---|
| Steward | OWASP | Linux Foundation / ISO 5962 |
| Strength | Security, VEX, vulnerabilities | Licensing, provenance |
| Common `syft -o` values | `cyclonedx-json`, `cyclonedx-xml` | `spdx-json`, `spdx-tag-value` |

Gate the pipeline with `--fail-on` at an agreed severity.