This repository was drafted in an open process by a community of Software Bill of Materials experts, facilitated by the Cybersecurity and Infrastructure Security Agency (CISA). CISA did not draft and is not the author of this repository, nor does this repository represent an official CISA and/or U.S. Government policy. CISA and the U.S. Government do not specifically adopt or endorse the views expressed in this document.
Please read SBOM Community Legal Explanation for additional details.
To learn more about the community-led work to advance and refine SBOM that CISA facilitates, including how to join these open efforts, contact [email protected].
Creating high-quality Software Bills of Materials (SBOMs) is crucial for software transparency and security. However, the current landscape lacks a "golden path" for consistent SBOM generation. This project aims to bridge that gap by providing reference implementations that adhere to our SBOM Lifecycle.
There are several open-source tools that assist with SBOM generation (shout out to Syft and Trivy), but there are two key steps these tools don't perform.
- Augmentation: They will not populate top-level metadata (we call this the "augmentation" step) to include license, supplier, and description information.
- Enrichment: They don't often add additional items for each component in the SBOM from open data sets (we call this the "enrichment" step), which adds the NTIA required fields to each component.
These reference implementations create a complete set of automated steps that anyone can use to create more "complete" SBOMs that demonstrate Augmentation and Enrichment.
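To make the two steps concrete, here is an added example (not code from this repository or from any of the tools it mentions) that runs a minimal augmentation pass and a minimal enrichment pass over a CycloneDX-shaped document, then reports which components still lack the NTIA minimum component-level fields. The input SBOM, the "open data set" lookup, and all supplier/license values are constructed for illustration; the field layout (`metadata.component.supplier`, `licenses[].license.id`, `metadata.authors`) follows the CycloneDX 1.5 JSON schema.

```python
import copy
import json
from datetime import datetime, timezone

# Constructed sample: a minimal CycloneDX 1.5-style document, shaped like what a
# generator would emit before augmentation/enrichment. Not real tool output.
RAW_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {"type": "application", "name": "example-app", "version": "2.3.1"}
    },
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7"},
    ],
}

# Constructed stand-in for an "open data set", keyed by purl. Values are hypothetical.
ENRICHMENT_DATA = {
    "pkg:pypi/requests@2.31.0": {"supplier": "Example Upstream A", "license": "Apache-2.0",
                                 "description": "HTTP library"},
    "pkg:pypi/urllib3@2.0.7": {"supplier": "Example Upstream B", "license": "MIT"},
}

# NTIA minimum elements that live on each component: supplier name, component
# name, version, and a unique identifier (purl here). Authors, timestamp and
# dependency relationships are document-level and checked separately.
NTIA_COMPONENT_FIELDS = ("supplier", "name", "version", "purl")


def augment(sbom, supplier, license_id, description, author):
    """Augmentation step: fill in the top-level metadata the generator left out."""
    out = copy.deepcopy(sbom)
    meta = out.setdefault("metadata", {})
    top = meta.setdefault("component", {})
    top["supplier"] = {"name": supplier}
    top["licenses"] = [{"license": {"id": license_id}}]
    top["description"] = description
    meta["authors"] = [{"name": author}]
    meta.setdefault("timestamp", datetime.now(timezone.utc).isoformat())
    return out


def enrich(sbom, dataset):
    """Enrichment step: fill missing per-component fields from a purl-keyed lookup.

    Only absent fields are filled; values the generator already set are kept.
    """
    out = copy.deepcopy(sbom)
    for comp in out.get("components", []):
        info = dataset.get(comp.get("purl"))
        if not info:
            continue  # no open data for this component; leave the gap visible
        if "supplier" not in comp and "supplier" in info:
            comp["supplier"] = {"name": info["supplier"]}
        if "licenses" not in comp and "license" in info:
            comp["licenses"] = [{"license": {"id": info["license"]}}]
        if "description" not in comp and "description" in info:
            comp["description"] = info["description"]
    return out


def ntia_gaps(sbom):
    """Return {component name: [missing NTIA component-level fields]}; empty means complete."""
    gaps = {}
    for comp in sbom.get("components", []):
        missing = [f for f in NTIA_COMPONENT_FIELDS if not comp.get(f)]
        if missing:
            gaps[comp.get("name", "<unnamed>")] = missing
    return gaps


if __name__ == "__main__":
    print("gaps before:", ntia_gaps(RAW_SBOM))
    augmented = augment(RAW_SBOM, "Example Corp", "MIT", "Demo application", "sbom-pipeline")
    complete = enrich(augmented, ENRICHMENT_DATA)
    print("gaps after:", ntia_gaps(complete))
    print(json.dumps(complete, indent=2))
```

In a pipeline, `augment` would be driven by values the project owner supplies (the license, supplier and description only they know), while `enrich` would consult a real package data source instead of the inline dictionary; `ntia_gaps` is the check worth failing the job on, since a component with no supplier or no identifier is exactly what the generator alone cannot resolve.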
All reference implementations follow a very similar flow and can easily be adapted to other applications or languages. We're always looking to add additional implementations; pull requests are welcome!
- Keycloak (Java) - Description - GitHub Workflow - GitLab Pipeline
- Django Application (Python) - GitHub Workflow - GitLab Pipeline
- kubectl (Go) - GitHub Workflow - GitLab Pipeline
- Harbor (Go) - GitHub Workflow - GitLab Pipeline
This Tiger Team wrote a white paper to describe the process and results of the SBOM Generation Tiger Team. The draft version of the white paper is available here.
This Tiger Team meets weekly to further refine and improve working examples. Anyone is welcome to join!
Tuesdays @ 10am Eastern / 7am Pacific
The Tiger Team completed its objectives and is no longer regularly meeting.
We welcome contributions from anyone in the community, especially individuals with:
- DevSecOps experience (GitLab and GitHub platforms).
- Open-source project experience (asynchronous collaboration).
Please read the Contribution Guidance.
We invite you to participate in this effort to standardize SBOM creation. Stay tuned for further updates!