Does your release include an SBOM?

ID

esf_s3c_dev/step_sbom

Severity

high

Category

Levels

Optional

false

Tags

SSDF-PS.3.2, SSDF-PW.4.1, sbom, security, supply-chain

Description

An SBOM (Software Bill of Materials) is a file that lists every component of a piece of software or of the process that built it. It should be generated on every pipeline run and, once generated, it must be signed so that a consumer can verify it has not been altered. You can configure tools or run commands to check whether each workflow invokes the tools that generate and sign it; the parameters of that check are the tools and commands to look for.
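The check the description refers to, as an added example that is not part of this page or of any project's tooling: a Python script that scans a GitHub Actions style workflow for commands that generate an SBOM and for commands that sign a file, then reports any SBOM file that is produced but never signed in the same workflow. The tool names (syft, trivy, cosign, gpg), the option handling and the two constructed sample workflows are assumptions; adjust SBOM_TOOLS, SIGN_COMMANDS and OPTS_WITH_VALUE to whatever your pipelines actually run.

```python
# Added example for this control (not the page's or any project's code): a static check that a
# pipeline definition generates an SBOM and signs it. Tool names, option handling and samples are assumptions.
import re
from typing import List

# Check parameters: program-name prefixes that generate SBOMs, program/subcommand pairs that
# sign a file, and options whose next token is a value rather than the file being signed.
SBOM_TOOLS = ("syft", "cyclonedx", "spdx", "trivy")
SIGN_COMMANDS = {"cosign": ("sign-blob", "attest"), "gpg": ("--detach-sign", "-b")}
OPTS_WITH_VALUE = {"--key", "--output-signature", "--bundle", "-u", "--local-user", "-o", "--output"}

def extract_run_commands(workflow_text: str) -> List[str]:
    """Shell commands from `run:` steps (GitHub Actions style). A line scanner, not a YAML
    parser: handles `run: cmd`, block scalars (`run: |`) and backslash continuations."""
    commands, lines, i = [], workflow_text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^(\s*)(?:-\s*)?run:\s*(.*)$", lines[i])
        i += 1
        if not m:
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        block = [] if rest in ("|", ">", "|-", ">-") else [rest]
        if not block:  # block scalar: collect the lines indented deeper than the `run:` key
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > indent):
                if lines[i].strip():
                    block.append(lines[i].strip())
                i += 1
        buf = ""
        for part in block:  # join "... \" continuation lines into one command
            buf += part[:-1] + " " if part.endswith("\\") else part
            if not part.endswith("\\"):
                commands.append(buf.strip())
                buf = ""
    return [c for c in commands if c]

def _split(cmd: str) -> List[List[str]]:  # one token list per program joined by &&, ||, ; or |
    return [s.split() for s in re.split(r"\s*(?:&&|\|\||;|\|)\s*", cmd) if s.strip()]

def sbom_outputs(cmd: str) -> List[str]:
    """Files SBOM generators in `cmd` write: -o/--output/--file values (syft's fmt=file form)
    and > redirects. A value with no '.' or '/' (e.g. `-o spdx-json`) is a format name, not a file."""
    outs = []
    for toks in _split(cmd):
        if not toks[0].rsplit("/", 1)[-1].startswith(SBOM_TOOLS):
            continue
        line = " ".join(toks)
        for m in re.finditer(r"(?:^|\s)(?:-o|--output|--file|--output-file)[= ](\S+)", line):
            val = m.group(1).split("=", 1)[-1]
            if "." in val or "/" in val:
                outs.append(val)
        outs += re.findall(r"(?<![0-9&>])>>?\s*(\S+)", line)
    return outs

def signed_files(cmd: str) -> List[str]:
    """Files signed in `cmd`: cosign sign-blob's positional blob, cosign attest's --predicate,
    or gpg's positional argument; options and their values are skipped."""
    files = []
    for toks in _split(cmd):
        prog = toks[0].rsplit("/", 1)[-1]
        subs = SIGN_COMMANDS.get(prog, ())
        if not any(s in toks[1:] for s in subs):
            continue
        if prog == "cosign" and "attest" in toks[1:]:
            m = re.search(r"--predicate[= ](\S+)", " ".join(toks))
            files += [m.group(1)] if m else []
            continue
        positional, i = [], 1
        while i < len(toks):
            if not toks[i].startswith("-") and toks[i] not in subs:
                positional.append(toks[i])
            i += 2 if toks[i] in OPTS_WITH_VALUE else 1
        if positional:
            files.append(positional[-1])
    return files

def check_workflow(workflow_text: str) -> dict:
    """The control: the workflow must produce at least one SBOM and sign every one it produces."""
    sboms, signed = [], []
    for cmd in extract_run_commands(workflow_text):
        sboms += sbom_outputs(cmd)
        signed += signed_files(cmd)
    unsigned = [f for f in sboms if f not in signed]
    return {"sboms": sboms, "signed": signed, "unsigned": unsigned,
            "compliant": bool(sboms) and not unsigned}

# Constructed samples: one signs its SBOM; the other signs only the release tarball.
SIGNED_SBOM_WORKFLOW = """\
steps:
  - run: make dist
  - run: syft dir:. -o cyclonedx-json=sbom.cdx.json
  - run: |
      cosign sign-blob --yes --key env://COSIGN_KEY \\
        --output-signature sbom.cdx.json.sig sbom.cdx.json
"""
UNSIGNED_SBOM_WORKFLOW = """\
steps:
  - run: make dist && trivy fs --format spdx-json --output sbom.spdx.json .
  - run: cosign sign-blob --yes --key env://COSIGN_KEY dist/app.tar.gz
"""
```

`check_workflow(SIGNED_SBOM_WORKFLOW)` reports compliant; `check_workflow(UNSIGNED_SBOM_WORKFLOW)` reports `sbom.spdx.json` as unsigned, which is exactly the gap this control is meant to catch: a release step that signs the artifact but leaves the SBOM unprotected. In a real audit you would feed it every file under `.github/workflows` and fail when `compliant` is false. The scanner is deliberately best effort: it reads only `run:` steps, so an SBOM produced by a marketplace action (`uses:`) or signed inside a script the workflow merely calls needs its own rule.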

Rationale

The final package or update delivered to a customer may contain issues that expose both the developer and the customer to cybersecurity and privacy risks.

A recommended mitigation is to run a binary scanning or software composition analysis tool and verify the integrity of the product before delivery. The tool can detect potential vulnerabilities and threats, then produce an SBOM of the final package for the customer; signing that SBOM lets the customer check that the inventory they receive is the one the pipeline produced.

Verification

For each pipeline, ensure that it produces a Software Bill of Materials on every run and signs that SBOM in the same run.

Remediation

For each pipeline, configure it to generate a Software Bill of Materials on every run and to sign the produced SBOM in the same run.