---
name: sbom-supply-chain
description: Generate, sign, and verify SBOMs and provenance attestations to secure the software supply chain. Use when implementing SLSA controls, artifact trust policies, or compliance evidence for releases.
license: MIT
metadata:
  author: devops-skills
  version: "1.0"
---
# SBOM & Supply Chain Security

Improve release trust with reproducible metadata and verification gates.
## When to Use This Skill

Use this skill when:

- Producing SBOMs for container images or application builds
- Verifying dependencies before deploy
- Enforcing signed artifact and provenance policies
- Preparing for SOC2, ISO 27001, or customer security reviews

## Recommended Tooling

- SBOM generation: Syft, CycloneDX tools
- Vulnerability matching: Grype, Trivy
- Signing and attestations: Cosign, Sigstore
- Policy enforcement: OPA, Kyverno, admission controllers

## Baseline Workflow

- Generate an SBOM in SPDX or CycloneDX format during CI builds.
- Create provenance attestations covering the build steps and the source commit.
- Sign image digests and SBOM artifacts with keyless or managed keys.
- Verify signatures and attestations before deployment.
- Archive the evidence for audits and incident response.

## Example Commands

```bash
# Generate SBOM for an image
syft registry:ghcr.io/acme/api:1.2.3 -o cyclonedx-json > sbom.json

# Sign container image digest
cosign sign ghcr.io/acme/api@sha256:abc123...

# Attach SBOM attestation
cosign attest --predicate sbom.json --type cyclonedx ghcr.io/acme/api@sha256:abc123...

# Verify signatures
cosign verify ghcr.io/acme/api@sha256:abc123...
```
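The five workflow steps above wired into one CI gate, as an added example that is not part of this skill's own commands. It uses keyless cosign signing and, on the verify side, pins the expected signer identity and OIDC issuer so that any valid Sigstore signature from an unrelated identity is rejected; it also refuses to sign or verify a mutable tag, since only a digest pins the exact bytes. The repository name, the release-workflow identity and the issuer URL are assumptions for illustration.

```bash
#!/usr/bin/env sh
# Added example (not part of the original skill). Image repository, expected
# signer identity and OIDC issuer below are assumptions; replace for your org.
set -eu

IMAGE_REPO="ghcr.io/acme/api"   # assumed repository
# Assumed: the image is signed by a GitHub Actions release workflow (keyless).
EXPECTED_IDENTITY="https://github.com/acme/api/.github/workflows/release.yml@refs/tags/v1.2.3"
OIDC_ISSUER="https://token.actions.githubusercontent.com"

# Accept only an immutable digest reference (repo@sha256:<64 hex>).
# Prints the bare digest on success; returns 1 for tags or malformed digests.
require_digest_ref() {
  ref="$1"
  case "$ref" in
    *@sha256:*)
      digest="${ref##*@sha256:}"
      if printf '%s' "$digest" | grep -Eq '^[0-9a-f]{64}$'; then
        printf '%s\n' "$digest"
        return 0
      fi
      ;;
  esac
  echo "refusing non-digest reference: $ref" >&2
  return 1
}

# Step 1: SBOM generated from the pinned image, not from a local checkout.
generate_sbom() {
  syft "registry:$1" -o cyclonedx-json > sbom.cdx.json
}

# Steps 2-3: keyless signature on the digest plus the SBOM as an attestation.
# COSIGN_YES skips the interactive Rekor/Fulcio prompt in CI.
sign_and_attest() {
  COSIGN_YES=true cosign sign "$1"
  COSIGN_YES=true cosign attest --type cyclonedx --predicate sbom.cdx.json "$1"
}

# Step 4: both the signature and the SBOM attestation must verify against the
# pinned identity and issuer; either failing aborts the gate via set -e.
verify_gate() {
  cosign verify \
    --certificate-identity "$EXPECTED_IDENTITY" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    "$1" > /dev/null
  cosign verify-attestation --type cyclonedx \
    --certificate-identity "$EXPECTED_IDENTITY" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    "$1" > verified-sbom-attestation.json
}

# Step 5: keep the SBOM and the verified attestation keyed by digest.
archive_evidence() {
  mkdir -p "evidence/$1"
  cp sbom.cdx.json verified-sbom-attestation.json "evidence/$1/"
}

main() {
  ref="$1"
  digest=$(require_digest_ref "$ref")
  generate_sbom "$ref"
  sign_and_attest "$ref"
  verify_gate "$ref"
  archive_evidence "$digest"
  echo "gate passed for $IMAGE_REPO@sha256:$digest"
}

# Runs only when given an image reference, e.g.
#   sh supply-chain-gate.sh ghcr.io/acme/api@sha256:<digest>
if [ -n "${1:-}" ]; then
  main "$1"
fi
```

The identity pin is the part most often omitted: without `--certificate-identity` and `--certificate-oidc-issuer`, keyless verification only proves that some Sigstore identity signed the digest, which is not the trust policy a deployment gate needs.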

## Related Skills

- dependency-scanning - Library vulnerability triage
- container-scanning - Container CVE scanning
- policy-as-code - Policy enforcement