Skip to main content

How to generate an SBOM in your CI pipeline

Produce a software bill of materials for every build in CI, store it as an artifact, and scan it for vulnerabilities. Covers SPDX and CycloneDX formats.

Difficulty
Intermediate
Duration
40 minutes
Steps
6

What and why

A software bill of materials (SBOM) is a machine-readable inventory of every component in your software. Generating one per build supports vulnerability response, license compliance, and supply-chain transparency. This tutorial produces and scans an SBOM in CI.

Prerequisites

  • A buildable project or container image.
  • A CI pipeline.
  • Basic awareness of your dependencies.

Steps

1. Choose an SBOM format

The two common standards are SPDX and CycloneDX. Both list components, versions, and licenses. Pick whichever your downstream tools and customers expect; CycloneDX is widely used for security workflows.

2. Add an SBOM generator

Use a generator such as Syft. Add it as a CI step:

      - uses: anchore/sbom-action@v0
        with:
          format: cyclonedx-json
          output-file: sbom.json

The action installs the tool and runs it for you.

3. Generate from source or image

Generate the SBOM from the artifact you ship. For a container, point the tool at the built image so the SBOM reflects the actual runtime contents, not just declared dependencies.

4. Upload the SBOM artifact

      - uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.json

Storing the SBOM with the build makes it retrievable for audits and incident response.

5. Scan the SBOM for vulnerabilities

Feed the SBOM to a scanner such as Grype to find known vulnerabilities without re-analyzing the artifact:

grype sbom:sbom.json

Fail the build on severities above your threshold.

Verification

Open sbom.json and confirm it lists your dependencies with versions and licenses. Run the scanner and confirm it reports findings. Re-run with a known-vulnerable dependency to see the build fail.

Next Steps

Attach the SBOM as a signed attestation to the image. Track SBOM diffs between releases. Feed SBOMs into a central inventory so you can answer 'which builds use this component?' instantly.

Prerequisites

  • A buildable project or image
  • A CI pipeline
  • Basic dependency awareness

Steps

  • 1
    Choose an SBOM format
  • 2
    Add an SBOM generator
  • 3
    Generate from source or image
  • 4
    Upload the SBOM artifact
  • 5
    Scan the SBOM for vulnerabilities
  • 6
    Verify SBOM contents

Category

Security