How SBOM Fits in CI/CD (Illustration Inside!)

In today's edition, we will look at the end-to-end SBOM workflow.

In yesterday's edition, I spoke about SBOMs and why they are important. Please refer to the SBOM edition to learn more.

As a DevOps engineer, it's important to understand this workflow so you can implement it and recommend it to teams, helping improve the delivery pipeline and enhance security.

Centralized SBOM Management

You can easily generate an SBOM for individual apps.

But there will be hundreds to thousands of apps in every organization, so you need an efficient mechanism to store and track all the SBOM reports.

One such tool is OWASP Dependency-Track.

It is a Continuous SBOM Analysis Platform.

This means the platform continuously monitors vulnerability databases such as the National Vulnerability Database (NVD), CVE (Common Vulnerabilities and Exposures), or proprietary databases (e.g., Snyk's database).

It cross-references the dependencies in your SBOM with known vulnerabilities.

The following image shows the Dependency-Track dashboard.

If a vulnerability is reported in a library that your application uses, the platform will detect it.

Also, the platform can be configured to send automated alerts via email or through integration with ticketing systems (e.g., Jira, ServiceNow).

SBOM CI/CD to Alerting Workflow

Now, let's understand how SBOM generation is integrated into a typical CI/CD workflow.

Here is how it works:

  1. Developer commits code to the repository.

  2. CI/CD pipeline triggers:

    • Builds the application.

    • Generates an SBOM using Syft or CycloneDX.

    • Scans dependencies using OWASP Dependency-Check or Snyk.

  3. SBOM and vulnerability report are uploaded to the centralized platform (e.g., Dependency-Track).

  4. Later, a new vulnerability (e.g., CVE-2023-12345) is published in the NVD.

  5. The centralized platform (e.g., Dependency-Track) detects that one of your applications uses a vulnerable version of the affected library.

  6. The platform flags the vulnerability in the dashboard and sends an alert to the relevant team (e.g., DevOps, Security), or creates a ticket in your issue tracker (e.g., Jira).

  7. The team reviews the alert and updates the vulnerable dependency to a patched version.

  8. The CI/CD pipeline then regenerates the SBOM and re-uploads it to the platform.

  9. The team verifies in the centralized platform that the vulnerability is resolved.
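As an added example (not code from the newsletter or from the Dependency-Track project), here is how steps 2, 3 and 9 can be wired into a single CI script: it runs Syft, uploads the CycloneDX SBOM through Dependency-Track's REST API, waits for processing, and then fails the build if the project's current vulnerability metrics exceed a threshold. The server URL, API key, project name, target and thresholds are assumptions supplied through environment variables.

```python
import base64, json, os, subprocess, time
import urllib.parse, urllib.request

# Assumed values for this example; a real pipeline injects them as CI secrets/variables.
DT_URL = os.environ.get("DT_URL", "http://dependency-track.example:8081")
DT_API_KEY = os.environ.get("DT_API_KEY", "REPLACE_WITH_AUTOMATION_API_KEY")


def generate_sbom(target: str) -> bytes:
    """Step 2: run Syft against a directory or image and return CycloneDX JSON."""
    return subprocess.run(["syft", target, "-o", "cyclonedx-json"],
                          check=True, capture_output=True).stdout


def build_bom_payload(bom: bytes, name: str, version: str) -> dict:
    """Body for PUT /api/v1/bom; Dependency-Track expects the BOM base64-encoded."""
    return {"projectName": name, "projectVersion": version,
            "autoCreate": True, "bom": base64.b64encode(bom).decode("ascii")}


def dt_request(method: str, path: str, body=None):
    """Minimal authenticated call to the Dependency-Track REST API."""
    req = urllib.request.Request(
        DT_URL + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"X-Api-Key": DT_API_KEY, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def upload_sbom(bom: bytes, name: str, version: str) -> None:
    """Step 3: upload, then poll the returned token until the server has processed the BOM."""
    token = dt_request("PUT", "/api/v1/bom", build_bom_payload(bom, name, version))["token"]
    while dt_request("GET", f"/api/v1/bom/token/{token}")["processing"]:
        time.sleep(2)


def gate(metrics: dict, max_critical: int = 0, max_high: int = 0) -> tuple:
    """Step 9: pass only if the project's current metrics stay within agreed thresholds."""
    crit, high = metrics.get("critical", 0), metrics.get("high", 0)
    return (crit <= max_critical and high <= max_high,
            f"critical={crit}/{max_critical} high={high}/{max_high}")


if __name__ == "__main__":
    name, version = os.environ.get("APP_NAME", "demo-app"), os.environ.get("APP_VERSION", "1.0.0")
    upload_sbom(generate_sbom(os.environ.get("SBOM_TARGET", ".")), name, version)
    query = urllib.parse.urlencode({"name": name, "version": version})
    uuid = dt_request("GET", f"/api/v1/project/lookup?{query}")["uuid"]
    # Metrics are recomputed asynchronously; a brand-new project may report zeros until refreshed.
    ok, summary = gate(dt_request("GET", f"/api/v1/metrics/project/{uuid}/current") or {})
    raise SystemExit(0 if ok else f"SBOM gate failed: {summary}")
```

The same script runs unchanged after the dependency fix in step 7, which is what turns step 9 into an automatic verification rather than a manual dashboard check.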

Overall, this workflow provides the following:

  • Automated security checks in CI/CD

  • Real-time vulnerability monitoring

  • Clear response procedures

  • Verification of fixes

  • Audit trail for compliance

Wrapping Up

Even though SBOM management is essential for an organization, it’s often missing in many projects.

Most teams only take action after quarterly or yearly security audits because they’re mandatory. I’ve seen this happen firsthand.

But by proactively tracking SBOMs, you can close security gaps early and make software delivery more secure.

I hope this week's newsletter brought you something new to learn!

If you have any feedback or suggestions, feel free to share them at [email protected]
