Integrate SBOM Generation into a Release Pipeline
Add a release-pipeline stage that scans the release candidate, exports a versioned CycloneDX SBOM, and publishes it as an artifact automatically for every release.
An SBOM is most useful when it is tied to a specific released version and produced automatically. This tutorial adds an SBOM stage to a release pipeline so every release publishes a versioned CycloneDX SBOM with no manual step.
Prerequisites
- A release pipeline (GitHub Actions used here)
- A project with a dependency manifest
Steps
1. Add a release stage
Add a job to your release pipeline that runs after the version is determined and the artifacts are built.
2. Scan the release candidate
Scan the exact commit being released:
npx @vibgrate/cli scan
This ensures the SBOM reflects the released code, not an earlier state.
3. Export a versioned SBOM
Export a CycloneDX SBOM whose filename carries the release version:
vg sbom export --format cyclonedx --out "sbom-$VERSION.cdx.json"
With the no-install form, prefix with npx @vibgrate/cli.
4. Publish the SBOM artifact
Upload the versioned SBOM as a pipeline artifact or attach it to the release. In GitHub Actions:
- run: npx @vibgrate/cli scan
- run: npx @vibgrate/cli sbom export --format cyclonedx --out "sbom-${{ github.ref_name }}.cdx.json"
- uses: actions/upload-artifact@v4
with:
name: sbom
path: sbom-*.cdx.json
5. Confirm the published SBOM
Check the pipeline run; the versioned SBOM appears as a published artifact tied to the release.
Verification
The release job exits 0 and a sbom-<version>.cdx.json artifact is published for the release.
Next Steps
Combine the SBOM stage with a drift gate so the release is blocked on quality, and verify supply-chain posture before the publish step runs.