sbom-supply-chain

Solid

Generate, attach, and verify SBOMs (CycloneDX/SPDX) for container images; implement SLSA provenance; harden software supply chain.

AI & Automation 14 stars 3 forks Updated 3 days ago MIT

Quality Score: 86/100 (Stars 20%: 39; Recency 20%: 100; Frontmatter 20%: 70; Documentation 15%: 100; Issue Health 10%: 80; License 10%: 100; Description 5%: 100)

Skill Content

# Skill: SBOM & Supply Chain Security

> **Expertise:** Syft/Trivy SBOM generation, cosign SBOM attestation, SLSA provenance, dependency pinning, OCI attestations.

## When to load

When generating SBOMs for images, attaching attestations to an OCI registry, verifying supply chain integrity, or achieving SLSA compliance.

## SBOM Generation (Syft)

```bash
# Generate CycloneDX SBOM from image (OCI)
syft registry.example.com/myorg/order-service:v1.2.3 \
  -o cyclonedx-json=sbom.cdx.json

# Generate SPDX SBOM from image
syft registry.example.com/myorg/order-service:v1.2.3 \
  -o spdx-json=sbom.spdx.json

# Generate from local directory (during build)
syft dir:. -o cyclonedx-json=sbom.cdx.json

# Generate from Dockerfile build context (before push)
syft packages docker:myimage:latest -o cyclonedx-json=sbom.cdx.json
```

## SBOM Attestation via cosign

```bash
# Sign image and attach SBOM as OCI attestation

# Step 1: Build and push image
docker buildx build --push \
  -t registry.example.com/myorg/order-service:v1.2.3 .

# Step 2: Get digest
DIGEST=$(crane digest registry.example.com/myorg/order-service:v1.2.3)

# Step 3: Generate SBOM
syft registry.example.com/myorg/order-service:v1.2.3 \
  -o cyclonedx-json=sbom.cdx.json

# Step 4: Attach SBOM as attestation (Sigstore keyless)
cosign attest \
  --predicate sbom.cdx.json \
  --type cyclonedx \
  registry.example.com/myorg/order-service@${DIGEST}

# Step 5: Verify attestation exists
cosign verify-attestation \
  --type cyclonedx \
  ...
```

Details

Author
sawrus
Repository
sawrus/agent-guides
Created
3 months ago
Last Updated
3 days ago
Language
Shell
License
MIT

Integrates with

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Listed

supply-chain

Software supply-chain defense — SBOM generation (CycloneDX/SPDX), SLSA build provenance, artifact signing with sigstore/cosign, dependency-confusion and typosquat defense, and consumer-side verification of what you pull in.

4 Updated 1 week ago
roodlicht
AI & Automation Featured

analyzing-sbom-for-supply-chain-vulnerabilities

Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify supply chain vulnerabilities by correlating components against the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk scores, identifies transitive vulnerability paths, and generates compliance reports. Activates for requests involving SBOM analysis, software composition analysis, supply chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing, or CVE correlation.

12,642 Updated today
mukul975
AI & Automation Listed

sbom-generate

Emit a CycloneDX 1.6 or SPDX 3.0 SBOM for the project's locked dependency set, suitable for EO 14028 / enterprise procurement

1 Updated 4 days ago
bakw00ds
AI & Automation Solid

sbom-syft

Software Bill of Materials (SBOM) generation using Syft for container images, filesystems, and archives. Detects packages across 28+ ecosystems with multi-format output support (CycloneDX, SPDX, syft-json). Enables vulnerability assessment, license compliance, and supply chain security. Use when: (1) Generating SBOMs for container images or applications, (2) Analyzing software dependencies and packages for vulnerability scanning, (3) Tracking license compliance across dependencies, (4) Integrating SBOM generation into CI/CD for supply chain security, (5) Creating signed SBOM attestations for software provenance.

335 Updated today
aiskillstore
AI & Automation Featured

implementing-image-provenance-verification-with-cosign

Sign and verify container image provenance using Sigstore Cosign with keyless OIDC-based signing, attestations, and Kubernetes admission enforcement.

12,642 Updated today
mukul975