Creating high-quality Software Bills of Materials (SBOMs) is crucial for software transparency and security. However, the current landscape lacks a "golden path" for consistent SBOM generation. This project aims to bridge that gap by providing reference implementations that adhere to our SBOM Lifecycle.
There are several open-source tools that assist with SBOM generation (shout out to Syft and Trivy), but there are two key steps these tools don't perform.
- Augmentation: They will not populate top-level metadata (we call this the "augmentation" step) to include license, supplier, and description information.
- Enrichment: They don't often add additional items for each component in the SBOM from open data sets (we call this the "enrichment" step), which adds the NTIA required fields to each component.
These reference implementations create a complete set of automated steps that anyone can use to create more "complete" SBOMs that demonstrate Augmentation and Enrichment.
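As an added example (not one of this project's reference implementations, and not code from Syft or Trivy), the script below shows the two steps on a CycloneDX document: augmentation fills the top-level supplier, license and description that a scanner leaves empty, enrichment adds per-component supplier and license data from a lookup keyed by package URL, and a final check reports which NTIA minimum elements are still missing. The input SBOM, the `OPEN_DATA` table standing in for a real open data set, and every supplier, license and URL value are constructed for illustration; a real pipeline would query a package registry or license service instead.

```python
"""Added example: augmentation, enrichment and an NTIA minimum-elements check
on a CycloneDX SBOM. All sample data below is constructed for illustration."""
import copy
from datetime import datetime, timezone

# Constructed sample resembling what a scanner emits before augmentation:
# the top-level component has no supplier/license/description, and the
# components carry no supplier information.
RAW_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2024-01-01T00:00:00Z",
        "component": {"type": "application", "bom-ref": "example-app",
                      "name": "example-app", "version": "1.2.3"},
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/examplelib@1.0.0",
         "name": "examplelib", "version": "1.0.0",
         "purl": "pkg:pypi/examplelib@1.0.0"},
        # No purl/cpe and absent from the dependency graph: enrichment has nothing to key on.
        {"type": "library", "bom-ref": "lib-b", "name": "otherlib", "version": "2.5.0"},
    ],
    "dependencies": [
        {"ref": "example-app", "dependsOn": ["pkg:pypi/examplelib@1.0.0"]},
    ],
}

# Constructed stand-in for an open data set (a real pipeline would query a
# package registry or license service), keyed by package URL.
OPEN_DATA = {
    "pkg:pypi/examplelib@1.0.0": {"supplier": "Example Maintainers", "licenses": ["MIT"]},
}


def augment(sbom, supplier_name, supplier_url, license_id, description):
    """Augmentation: populate the top-level metadata the scanner leaves empty."""
    out = copy.deepcopy(sbom)  # never mutate the scanner's output in place
    md = out.setdefault("metadata", {})
    md.setdefault("timestamp", datetime.now(timezone.utc).isoformat())
    md.setdefault("authors", [{"name": supplier_name}])  # NTIA: author of SBOM data
    comp = md.setdefault("component", {})
    comp.setdefault("supplier", {"name": supplier_name, "url": [supplier_url]})
    comp.setdefault("licenses", [{"license": {"id": license_id}}])
    comp.setdefault("description", description)
    return out


def enrich(sbom, open_data):
    """Enrichment: add per-component supplier and license data looked up by purl."""
    out = copy.deepcopy(sbom)
    for comp in out.get("components", []):
        info = open_data.get(comp.get("purl"))
        if not info:
            continue  # no identifier or no data: left for ntia_gaps() to report
        comp.setdefault("supplier", {"name": info["supplier"]})
        comp.setdefault("licenses", [{"license": {"id": lic}} for lic in info["licenses"]])
    return out


def ntia_gaps(sbom):
    """Map each component (and '<metadata>') to the NTIA minimum elements it lacks.
    An empty dict means every element is present."""
    gaps = {}
    referenced = set()
    for dep in sbom.get("dependencies", []):
        referenced.add(dep.get("ref"))
        referenced.update(dep.get("dependsOn", []))
    for c in sbom.get("components", []):
        missing = []
        if not (c.get("supplier") or {}).get("name"):
            missing.append("supplier")
        if not c.get("name"):
            missing.append("name")
        if not c.get("version"):
            missing.append("version")
        if not (c.get("purl") or c.get("cpe")):
            missing.append("unique identifier")
        if (c.get("bom-ref") or c.get("purl")) not in referenced:
            missing.append("dependency relationship")
        if missing:
            gaps[f'{c.get("name")}@{c.get("version")}'] = missing
    md = sbom.get("metadata", {})
    top = []
    if not md.get("timestamp"):
        top.append("timestamp")
    if not (md.get("authors") or md.get("tools")):
        top.append("author of SBOM data")
    if top:
        gaps["<metadata>"] = top
    return gaps


def build_complete_sbom():
    """Run augmentation then enrichment on the constructed input and return the result."""
    augmented = augment(RAW_SBOM, "Example Org", "https://example.invalid",
                        "Apache-2.0", "Constructed example application")
    return enrich(augmented, OPEN_DATA)


if __name__ == "__main__":
    print("before:", ntia_gaps(RAW_SBOM))
    print("after: ", ntia_gaps(build_complete_sbom()))
```

Running it shows the point of the check: after both steps the first component and the top-level metadata are complete, but `otherlib` is still reported as missing a supplier, a unique identifier and a dependency relationship, because enrichment can only add data for components the scanner identified with a purl or CPE. Gaps of that kind have to be resolved upstream (at the scanner or build step), not by the enrichment lookup.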
All reference implementations follow a very similar flow and can easily be adapted to other applications or languages. We're always looking to add additional implementations; pull requests are welcome!
- Keycloak (Java) - Description - GitHub Workflow - GitLab Pipeline
- Django Application (Python) - GitHub Workflow - GitLab Pipeline
- kubectl (Go) - GitHub Workflow - GitLab Pipeline
- Harbor (Go) - GitHub Workflow - GitLab Pipeline
This Tiger Team meets weekly to further refine and improve working examples. Anyone is welcome to join!
Tuesdays @ 10am Eastern / 7am Pacific
We welcome contributions from anyone in the community, especially individuals with:
- DevSecOps experience (GitLab and GitHub platforms).
- Open-source project experience (asynchronous collaboration).
Please read the Contribution Guidance.
We invite you to participate in this effort to standardize SBOM creation. Stay tuned for further updates!