# sbom-gen


Generates a Software Bill of Materials (SBOM.md) from the codebase for supply chain transparency.

By CraigWilsonOZ. Updated 2/24/2026

```yaml
---
name: sbom-gen
description: Generates a Software Bill of Materials (SBOM.md) from the codebase for supply chain transparency.
user-invokable: true
disable-model-invocation: false
---
```

# SBOM Generator

Use this skill when the user asks to generate, update, or refresh the Software Bill of Materials.

Trigger phrases: "generate SBOM", "update SBOM", "software bill of materials", "supply chain", "dependency list"

## Instructions

### 1. Collect Project Metadata

Read `VERSION` and `pyproject.toml` to extract:

- Project name
- Current version
- Required Python version
- Build system

### 2. Enumerate Python Dependencies

From `pyproject.toml`, list all dependency groups:

- `[project.dependencies]` — core runtime dependencies
- `[project.optional-dependencies.azure]` — Azure variant dependencies
- `[project.optional-dependencies.dev]` — development and security tooling

For each dependency, record:

- Package name
- Version constraint from `pyproject.toml`
- Installed version (run `pip show <package>` if a venv is available)
- PyPI URL: `https://pypi.org/project/<package>/`
- Purpose (brief description of why the dependency is used)

### 3. Enumerate Container Base Images

Read `docker/Dockerfile` to extract:

- Base image name and tag
- Source registry (Docker Hub, MCR, etc.)

### 4. Enumerate GitHub Actions

Read all `.github/workflows/*.yml` files and `.github/actions/*/action.yml` files to extract:

- Action reference (e.g., `actions/checkout@v4`)
- Whether it is pinned to a SHA, tag, or branch
- Source (first-party `actions/*` or third-party)

### 5. Enumerate CI Tools

From workflow files and `pyproject.toml` `[dev]` dependencies, list security and CI tools:

- pip-audit — dependency vulnerability scanning
- bandit — Python SAST
- detect-secrets — secret detection
- pytest — test framework

### 6. Generate SBOM.md

Write `SBOM.md` in the repository root using the template below. All tables must be complete and accurate. Use Australian English for prose.

### 7. Validate

- Confirm every dependency in `pyproject.toml` appears in the SBOM
- Confirm every GitHub Action used in workflows appears in the SBOM
- Confirm the base image matches `docker/Dockerfile`
- Confirm the version matches `VERSION`

## SBOM.md Template

```markdown
# Software Bill of Materials (SBOM)

> Auto-generated by the `sbom-gen` Copilot skill.
> Last updated: DD/MM/YYYY

## Project

| Field | Value |
| --- | --- |
| Name | `{project_name}` |
| Version | `{version}` |
| Python | `{requires_python}` |
| Licence | MIT |
| Repository | `{repo_url}` |

## Runtime Dependencies

Core dependencies required to run the application.

| Package | Constraint | Installed | Purpose | PyPI |
| --- | --- | --- | --- | --- |
| openai | `>=1.0.0,<3.0.0` | x.y.z | OpenAI API client | [Link](https://pypi.org/project/openai/) |
| ... | ... | ... | ... | ... |

## Azure Variant Dependencies

Additional dependencies for the Azure AI Foundry variant (`pip install ".[azure]"`).

| Package | Constraint | Installed | Purpose | PyPI |
| --- | --- | --- | --- | --- |
| azure-identity | `>=1.16.0,<2.0` | x.y.z | Azure authentication | [Link](https://pypi.org/project/azure-identity/) |
| ... | ... | ... | ... | ... |

## Development Dependencies

Tools used for testing, security scanning, and code quality (`pip install ".[dev]"`).

| Package | Constraint | Installed | Purpose | PyPI |
| --- | --- | --- | --- | --- |
| pytest | `>=8.0.0,<10.0` | x.y.z | Test framework | [Link](https://pypi.org/project/pytest/) |
| ... | ... | ... | ... | ... |

## Container Base Images

| Image | Tag | Registry | Purpose |
| --- | --- | --- | --- |
| python | 3-slim | Docker Hub | Application runtime |

## GitHub Actions

| Action | Version | Pinning | Source |
| --- | --- | --- | --- |
| actions/checkout | v4 | Major tag | First-party |
| ... | ... | ... | ... |

## Supply Chain Controls

**IMPORTANT:** Only list controls that are actually implemented. Do NOT add aspirational or planned items. Inspect the actual files to verify each control:

- Check `.github/dependabot.yml` for Dependabot configuration
- Check `.github/workflows/*.yml` for CI security steps
- Check `.github/hooks-git/pre-commit` for pre-commit controls

Only include a row if you can point to the file and line that implements it.

| Control | Implementation | Status |
| --- | --- | --- |
| {control name} | {file and command that implements it} | ✅ Active |

## Licence Summary

| Package | Licence |
| --- | --- |
| openai | MIT |
| ... | ... |

> Licence information is sourced from PyPI metadata. Verify before redistribution.
```

## After Generating

Report to the user:

- Number of runtime dependencies listed
- Number of Azure dependencies listed
- Number of dev dependencies listed
- Number of GitHub Actions listed
- Any supply chain controls marked as planned/missing
- Confirm `SBOM.md` was written successfully

## Install via CLI

```sh
npx skills add https://github.com/CraigWilsonOZ/GitHub-CoPilot-BaseRepo --skill sbom-gen
```
Repository: https://github.com/CraigWilsonOZ/GitHub-CoPilot-BaseRepo (branch `main`, path `SKILL.md`)