Say "yes" to SBOMs!

Picture this: your software application is running smoothly in production, serving thousands of users. Then, you hear about a new critical vulnerability affecting open-source libraries, and panic sets in. Is your application exposed? If so, which part is at risk? Without a clear map of your software’s components, answering these questions can feel like searching for a needle in a haystack.

This is where a Software bill of materials, or SBOM, becomes invaluable. An SBOM is like a recipe list for your software, cataloging every ingredient − libraries, dependencies, and components making up your application. Just as food labels provide transparency (-ish) about what you’re consuming, an SBOM ensures full visibility into what’s inside your apps.

In this blog, we’ll explore how SBOMs can empower your software teams and win management’s support by improving security, compliance, and efficiency. Finally, we’ll go through generating an SBOM easily using GitLab’s CI/CD pipeline.

Whether you’re a developer, DevOps professional, or manager, understanding SBOMs is a step toward building more secure and transparent software.

I designed this post to help you quickly understand how (and why) to implement SBOMs in your organization. While I tried keeping it concise and to the point, it offers a solid big-picture view to get you started. Vamos! 📖

Why SBOM?

The benefits of SBOM go beyond just ticking boxes for compliance or responding to security scares.
SBOMs bring clarity and control to three critical functions within your organization:

security,
software development,
team leads and management.

In this section, we’ll explore how SBOMs help these teams address vulnerabilities, streamline workflows, and make informed decisions, all while reducing headaches across the board. Whether you’re dealing with cyber threats, juggling dependencies, or evaluating risks, SBOMs offer a practical solution.

For security teams

Rapid vulnerability remediation: When the next big vulnerability (think Log4Shell) hits, an SBOM helps you pinpoint affected components in seconds, not days.
Regulatory compliance: Meeting standards like ISO, NIST, or European software supply chain regulations becomes simpler when you have a clear view of your software’s ingredients. Think of it as a compliance cheat sheet.

Having up-to-date SBOMs also helps security teams become/remain friends with developers, providing more transparency and reducing communication overhead when a particular library needs a minor version bump (for example).

For team leads and managers

Risk assessment made easy (-er): An SBOM is your up-to-date “ingredient list” for identifying what could spoil the recipe: vulnerabilities, outdated libraries, or conflicting licenses.
Downtime reduction: Knowing what’s under the hood means you can proactively address issues before they crash your systems. Fewer fires to put out = happier stakeholders.

For development teams

Simplified audits and maintenance: SBOMs reduce the pain of figuring out “Who added that dependency?” during audits or updates. Everything’s documented.
Improved collaboration: Developers and security teams can finally speak the same language. An SBOM bridges the gap, so security isn’t left wondering, “What’s in this thing?”
Faster onboarding: New team members can quickly understand the software’s structure and dependencies with an SBOM as their roadmap, reducing the learning curve.

In short, SBOMs are your go-to tool for better security, smoother management, and happier teams. And no, they don’t add calories to your workflow 🍰

Management buy-in

Securing management support for adopting SBOMs can sometimes feel like convincing them to buy insurance: it’s an upfront cost for something that might happen. But the benefits are real, and the risks of not having an SBOM are far too significant to ignore. Here’s how to make the case.

Cost-benefit analysis

Proactive savings: An SBOM enables you to spot vulnerabilities and license conflicts^[*] early, saving on expensive last-minute fixes or worse, post-breach recoveries.
Reduced downtime costs: Identifying potential issues before deployment prevents costly outages. Unplanned downtime doesn’t just hit revenue; it affects customer trust. SBOMs help save management’s face too 😉

^[*] license conflicts often fly under the radar—until a compliance audit looms and suddenly, they can’t be ignored. SBOM can solve this issue way before it becomes a real problem for the team.

Case studies

The SolarWinds case, for example: The infamous supply chain attack exploited hidden vulnerabilities, affecting thousands of organizations worldwide. An SBOM could have helped pinpoint risky components and mitigated damage early.
Another lesson is the Equifax breach: exacerbated by an outdated, unpatched dependency. Might have been averted with clear documentation of software components!

Regulatory push

Governments are taking software supply chain risks seriously. Policies like the U.S. Executive Order on Improving the Nation’s Cybersecurity highlight SBOMs as a critical requirement for transparency and accountability. In Europe, similar standards are gaining traction, driven by initiatives such as ENISA’s cybersecurity strategies. Being ahead of these mandates isn’t just good practice − it’s becoming a necessity.

All these should provide a good base to start a discussion with whoever is in charge of making the decision to integrate SBOMs in your organization.

Short demo: SBOM in practice

Theoretical benefits are great, but let’s get practical. Generating an SBOM might sound complex, but modern tools and platforms like GitLab make it straightforward, even painless. Let’s walk through an example to show you how easy it can be. Here’s a step-by-step guide using Gitlab CI/CD:

1. Install tools

First, you’ll need an SBOM generation tool. Popular options include Syft and CycloneDX, both of which are lightweight, open-source, and easy to integrate into a CI/CD pipeline. For this example, we’ll use Syft.
Install it locally to test it out:

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh

Or add it as a dependency in your pipeline container image.

2. Add SBOM Generation to `.gitlab-ci.yml`

Here’s a simple example to generate an SBOM during your build process. Add this snippet to your .gitlab-ci.yml file:

stages: - sbom
sbom: stage: sbom image: name: anchore/syft:latest script: - syft . -o cyclonedx-json > sbom.json artifacts: paths: - sbom.json

❓What’s happening here?

• The job uses the Syft container to scan your project;
• It outputs the SBOM in CycloneDX JSON format;
• The sbom.json file is saved as a pipeline artifact, ready for download and inspection.

3. Review the visual output

After the pipeline runs, download the sbom.json file from your GitLab job artifacts. Here’s an example of what you’ll see in the SBOM:

{ "bomFormat": "CycloneDX", "specVersion": "1.3", "components": [ { "type": "library", "name": "lodash", "version": "4.17.21", "licenses": [ { "license": { "id": "MIT" } } ] }, { "type": "library", "name": "express", "version": "4.17.1", "licenses": [ { "license": { "id": "MIT" } } ] } ] }

❓This output tells us:

• Which components (e.g., lodash, express) your project depends on;
• The versions of those components;
• The associated licenses.

With just a few lines of configuration, we’ve added SBOM generation to our workflow. Modern tools make this process seamless, and once it’s automated, your team can enjoy transparency and security with minimal effort. Plus, you get bragging rights for building a proactive software supply chain defense.

Best practices on using SBOMs

Having an SBOM is a fantastic start, but to fully leverage its benefits, you’ll need to use it effectively. Here are some best practices to ensure your SBOMs remain a valuable asset rather than a forgotten artifact.

This section is heavily inspired by the insights shared in the SANS SEC540: Cloud Security and DevOps Automation I recently had the privilege to attend. It provides invaluable guidance on secure development practices and how to integrate them in your existing workflows and processes. Highly recommended! ⭐️

1. Keep SBOMs updated

SBOMs should reflect the current state of your software. Automate their generation as part of every build to ensure they capture the latest changes in your dependencies.

Stale SBOMs are as useful as expired milk: don’t let them sit.

2. Integrate SBOM checks into your CI/CD

Go beyond generating SBOMs − make them work for you:

Add real-time vulnerability scanning tools (like Grype or Trivy) to your CI/CD pipeline;
Alert developers to known vulnerabilities in components as they’re introduced, saving your team from future firefighting;
Enforce policies, such as flagging or even blocking builds with critical vulnerabilities, to stop risks before they’re deployed.

3. Store SBOMs securely

Your SBOMs are a blueprint for your software. Treat them with the same care as you would any sensitive documentation:

Store in a dry, secure location, like a versioned artifact repository or an internal document management system;
Reference them during audits, security reviews, or when responding to incidents. They’ll save time and help maintain compliance.

By following these best practices, you can turn SBOMs into a cornerstone of your software security and compliance strategy. They’re not just a box to check − they’re a tool to strengthen your processes and protect your organization.

Conclusion and resources

An SBOM might seem like just another item on the ever-growing to-do list for software teams, but it’s a game-changer for security, transparency, and efficiency. Whether you’re fending off vulnerabilities, complying with regulations, or simply trying to bring order to your dependencies, an SBOM is the tool you didn’t know you needed − until now.

Start small: add SBOM generation to your next build. It’s quick to set up, especially with tools like Syft or CycloneDX, and platforms like GitLab make the process seamless. Once you’ve integrated SBOMs into your workflow, you’ll wonder how you ever operated without them.

Useful resources

Here are some useful links to get you started:

Syft Documentation: Lightweight SBOM generator.
CycloneDX Specification: An industry-standard SBOM format.
GitLab SBOM Features: Comprehensive guide to using SBOMs in GitLab.
Grype: Vulnerability scanner for SBOMs.
SPDX Specification: Another widely-used SBOM standard.

By taking the first step toward SBOM adoption, you’re not just ticking a compliance box − you’re building a stronger, more secure foundation for your software. Don’t wait for the next supply chain attack to act. Get started today and take control of what’s in your code.
Thank you for reading! 🙌

PS: Check out how cute Syft‘s logo is!

Say “yes” to SBOMs!