The Software Bill of Materials (SBOM) is not produced

ID

steps_sbom

Severity

low

Family

SCM

Tags

non-reachable, sbom, security, slsa-1, slsa-2, slsa-3, slsa-4, supply-chain

Description

SBOM (Software Bill of Materials) is a file that specifies each component of software or a build process.

It should be generated after every pipeline run. After it is generated, it must then be signed.

You can configure tools or run commands to check for workflows using tools to verify this. The parameters are tools and commands.

Security

Software Bill of Materials (SBOM) is a file used to validate the integrity and security of a build pipeline.

Signing it ensures that no one tampered with the file when it was delivered. Such interference can happen if someone tries to hide unusual activity.

Validating the SBOM signature can detect this activity and prevent much greater incidents.

Mitigation / Fix

For each pipeline, configure it to sign its produced Software Bill of Materials on every run.