Configure SBOM analysis

Configure Software Bill of Materials (SBOM) analysis to keep an up-to-date inventory of the direct and transitive dependencies inside your binary artifacts, in support of software supply chain risk management and compliance requirements.

SBOM analysis automatically generates dependency inventories during binary security scanning, making it easier to find vulnerable or otherwise unwanted components and to track open-source and commercial software usage across your application portfolio.

For conceptual information about SBOM analysis in application security, refer to Understanding application security posture management.

You need organization Admin permissions to enable security tools and implicit security assessment. For permission details, refer to RBAC permissions reference.

Enable SBOM generation

SBOM analysis requires both implicit security assessment and the Syft SBOM security tool to be enabled for your organization.

To enable SBOM analysis:

  1. Select an organization from the organization selector.

  2. Select Security, then Marketplace.

  3. Enable Implicit security assessment if not already active.

  4. Locate and activate the Syft SBOM security tool.

  5. Configure binary security analysis to trigger SBOM generation.

Once enabled, SBOM generation runs automatically as part of binary security analysis for every supported binary artifact your workflows publish.

Understanding SBOM generation

SBOM creation integrates with binary security analysis workflows, generating dependency inventories whenever binary artifacts are scanned for security vulnerabilities.

SBOM generation triggers when:

  • Workflows complete successfully with artifact publication steps that include SBOM-compatible binary files.

  • Binary security analysis processes container images, executable files, or packaged applications.

  • The ECR integration scans container images pushed to Amazon Elastic Container Registry (ECR).

The SBOM generation process:

  1. Analyzes binary artifacts to identify all included software components.

  2. Maps direct dependencies declared in package manifests.

  3. Discovers transitive dependencies included in compiled or packaged artifacts.

  4. Generates the dependency inventory in the standardized CycloneDX format.

  5. Links SBOM data to security vulnerability analysis for correlation.

An inventory is only as complete as the metadata Syft can recover from the artifact. Vendored or statically linked code that ships without package metadata can be missed, so treat an SBOM as a lower bound on what the artifact contains rather than as proof that a component is absent.

Configure SBOM vulnerability scanning

Enhance SBOM analysis by enabling vulnerability scanning of identified dependencies using the Grype security tool.

To configure SBOM vulnerability scanning:

  1. From the Marketplace, ensure both Syft SBOM and Grype security tools are activated.

  2. Configure binary security analysis workflows to include both SBOM generation and vulnerability scanning.

Grype matches each component in the SBOM against its vulnerability database (built from NVD and distribution and language-ecosystem advisory feeds) and reports known vulnerabilities with severity and fix information, giving the inventory the context needed for supply chain risk assessment. Because matches are only as current as that database, findings for an unchanged artifact can change from one scan to the next.

Vulnerability findings from SBOM analysis appear in the component security center alongside other security analysis results.
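The following Python script is an added example, not code from this page or from the product it documents. It shows what the generation steps above produce and what the Grype correlation adds: it reads a CycloneDX SBOM, walks the dependencies graph to separate direct from transitive components, flags components that no dependency edge links to the root, and joins vulnerability findings to components by package URL so each finding is labelled with the path that pulls the affected package into the artifact. The SBOM and the findings are constructed inline and trimmed; the findings follow the matches[].vulnerability / matches[].artifact layout of grype's JSON output as I understand it, and the CVE IDs are placeholders, not real vulnerabilities. All function names are mine.

```python
import json
from collections import deque

# Constructed CycloneDX 1.5 SBOM for a hypothetical container image. Real Syft
# output uses hashed bom-refs and carries many more fields; this is trimmed to
# what the dependency walk and the correlation need.
SBOM_JSON = r"""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "image", "type": "container", "name": "example/service"}},
  "components": [
    {"bom-ref": "mux", "type": "library", "name": "github.com/gorilla/mux", "purl": "pkg:golang/github.com/gorilla/mux@v1.8.1"},
    {"bom-ref": "xnet", "type": "library", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net@v0.17.0"},
    {"bom-ref": "xtext", "type": "library", "name": "golang.org/x/text", "purl": "pkg:golang/golang.org/x/text@v0.13.0"},
    {"bom-ref": "openssl", "type": "library", "name": "openssl", "purl": "pkg:deb/debian/openssl@3.0.11-1~deb12u2"},
    {"bom-ref": "libssl3", "type": "library", "name": "libssl3", "purl": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2"},
    {"bom-ref": "cacerts", "type": "library", "name": "ca-certificates", "purl": "pkg:deb/debian/ca-certificates@20230311"}
  ],
  "dependencies": [
    {"ref": "image", "dependsOn": ["mux", "xnet", "openssl"]},
    {"ref": "xnet", "dependsOn": ["xtext"]},
    {"ref": "openssl", "dependsOn": ["libssl3"]},
    {"ref": "mux", "dependsOn": []}
  ]
}"""

# Constructed Grype-style findings. The matches[].vulnerability / matches[].artifact
# layout mirrors grype's JSON output (assumption); the IDs are placeholders, not real CVEs.
GRYPE_JSON = r"""{"matches": [
  {"vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
   "artifact": {"name": "golang.org/x/text", "purl": "pkg:golang/golang.org/x/text@v0.13.0"}},
  {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical"},
   "artifact": {"name": "libssl3", "purl": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2"}},
  {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium"},
   "artifact": {"name": "github.com/gorilla/mux", "purl": "pkg:golang/github.com/gorilla/mux@v1.8.1"}}
]}"""

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Negligible": 4}

def dependency_graph(sbom):
    """Adjacency list keyed by bom-ref, built from the CycloneDX 'dependencies' array."""
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {root: []}
    for entry in sbom.get("dependencies", []):
        graph.setdefault(entry["ref"], []).extend(entry.get("dependsOn", []))
    return root, graph

def shortest_paths(sbom):
    """BFS from the root: {bom-ref: [root, ..., bom-ref]} for every reachable component."""
    root, graph = dependency_graph(sbom)
    paths, queue = {root: [root]}, deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in paths:          # first visit is the shortest path
                paths[child] = paths[node] + [child]
                queue.append(child)
    return paths

def classify_dependencies(sbom):
    """Direct = one hop from the root; transitive = two or more hops."""
    paths = shortest_paths(sbom)
    direct = {ref for ref, p in paths.items() if len(p) == 2}
    transitive = {ref for ref, p in paths.items() if len(p) > 2}
    return direct, transitive

def unreachable_components(sbom):
    """Listed components with no edge back to the root. Worth checking: the graph may be
    incomplete (a tool limitation) or the package may be installed but unused."""
    return {c["bom-ref"] for c in sbom.get("components", [])} - set(shortest_paths(sbom))

def correlate(sbom, grype):
    """Join findings to SBOM components by purl; label each with its dependency scope and
    the shortest path that pulls the affected component into the artifact."""
    by_purl = {c["purl"]: c["bom-ref"] for c in sbom.get("components", []) if "purl" in c}
    paths = shortest_paths(sbom)
    direct, transitive = classify_dependencies(sbom)
    findings = []
    for m in grype["matches"]:
        ref = by_purl.get(m["artifact"]["purl"])
        scope = "direct" if ref in direct else "transitive" if ref in transitive else "unlinked"
        findings.append({"id": m["vulnerability"]["id"],
                         "severity": m["vulnerability"]["severity"],
                         "purl": m["artifact"]["purl"], "scope": scope,
                         "path": " -> ".join(paths.get(ref, []))})
    # Triage order: worst severity first, then purl for a stable report
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["purl"]))
    return findings

def demo():
    """Run the whole analysis over the constructed inputs and return the results."""
    sbom = json.loads(SBOM_JSON)
    direct, transitive = classify_dependencies(sbom)
    return {"direct": sorted(direct), "transitive": sorted(transitive),
            "unreachable": sorted(unreachable_components(sbom)),
            "findings": correlate(sbom, json.loads(GRYPE_JSON))}

if __name__ == "__main__":
    for f in demo()["findings"]:
        print(f"{f['severity']:<9} {f['id']:<14} {f['scope']:<10} {f['path']}")
```

The scope and path are what make an SBOM-backed finding actionable: a transitive hit such as the placeholder Critical on libssl3 is fixed by bumping the direct dependency (openssl) that drags it in, not by editing a manifest that never names libssl3. The "unlinked" scope and the unreachable list surface gaps in the dependency graph, which is the first thing to look at when an inventory and a scanner disagree.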

Access and export SBOM data

Review and export SBOM data for compliance reporting, supply chain analysis, and security assessment purposes.

To access SBOM information:

  1. Select an organization from the organization selector.

  2. Select Components, then select a component with binary artifacts.

  3. Navigate to the security summary section.

You can export SBOM data in CycloneDX format, an OWASP-maintained standard that most SBOM tooling and compliance frameworks accept.

Export capabilities support compliance requirements, security audits, and integration with external software composition analysis tools.

Maintain SBOM currency

SBOM data remains current through automatic regeneration triggered by binary artifact changes and security analysis updates.

SBOM updates occur when:

  • New binary artifacts are produced by workflow execution.

  • Existing artifacts are rebuilt with updated dependencies.

  • Security scanning detects changes in dependency vulnerability status.

  • Package managers resolve different dependency versions during builds.

Current SBOM data reflects the most recent binary artifact analysis for each component, ensuring dependency visibility remains accurate as software evolves.
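Because each regeneration replaces the previous SBOM, the practical question is what changed between two generations and whether an archived export is a genuine new generation or a re-export of the same content. The Python script below is an added example, not code from this page or the product it documents: it diffs the component sets of two constructed CycloneDX exports for the same component (added, removed, version-changed packages, keyed by package URL with version and qualifiers stripped) and computes a content fingerprint that ignores the per-generation serialNumber and metadata.timestamp so that unchanged content hashes the same. The two SBOMs are constructed and trimmed, and all function names are mine.

```python
import hashlib
import json
from urllib.parse import unquote

# Two constructed CycloneDX SBOM generations for the same component. Only the
# fields this comparison reads are present; real Syft output carries far more.
OLD_SBOM_JSON = r"""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "serialNumber": "urn:uuid:11111111-1111-4111-8111-111111111111",
  "metadata": {"timestamp": "2024-06-01T00:00:00Z",
               "component": {"type": "container", "name": "example/service"}},
  "components": [
    {"type": "library", "name": "github.com/gorilla/mux", "purl": "pkg:golang/github.com/gorilla/mux@v1.8.0"},
    {"type": "library", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net@v0.17.0"},
    {"type": "library", "name": "ca-certificates", "purl": "pkg:deb/debian/ca-certificates@20230311?arch=all"}
  ]
}"""

NEW_SBOM_JSON = r"""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "serialNumber": "urn:uuid:33333333-3333-4333-8333-333333333333",
  "metadata": {"timestamp": "2024-06-03T00:00:00Z",
               "component": {"type": "container", "name": "example/service"}},
  "components": [
    {"type": "library", "name": "github.com/gorilla/mux", "purl": "pkg:golang/github.com/gorilla/mux@v1.8.1"},
    {"type": "library", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net@v0.17.0"},
    {"type": "library", "name": "golang.org/x/text", "purl": "pkg:golang/golang.org/x/text@v0.13.0"}
  ]
}"""

def split_purl(purl):
    """Split a package URL into (identity without version, version). Qualifiers (?...) and
    subpaths (#...) are dropped; '@' inside a namespace is percent-encoded, so rsplit is safe."""
    core = purl.split("#", 1)[0].split("?", 1)[0]
    if "@" not in core:
        return core, None
    base, version = core.rsplit("@", 1)
    return base, unquote(version)

def component_versions(sbom):
    """Map identity -> set of versions; an image can legitimately carry two versions of one package."""
    index = {}
    for c in sbom.get("components", []):
        if "purl" in c:
            base, version = split_purl(c["purl"])
            index.setdefault(base, set()).add(version)
    return index

def diff_sboms(old, new):
    """Components added, removed, or changed in version between two generations."""
    a, b = component_versions(old), component_versions(new)
    def vers(s):
        return sorted(s, key=str)            # key=str tolerates a missing (None) version
    return {
        "added": {k: vers(v) for k, v in b.items() if k not in a},
        "removed": {k: vers(v) for k, v in a.items() if k not in b},
        "changed": {k: (vers(a[k]), vers(b[k])) for k in a.keys() & b.keys() if a[k] != b[k]},
    }

def content_fingerprint(sbom):
    """sha256 of the SBOM with per-generation fields removed (serialNumber, metadata.timestamp),
    so two exports of an unchanged artifact hash the same and de-duplicate cleanly in an archive.
    Assumption: other volatile fields in real exports (e.g. tool versions under metadata.tools)
    would need the same treatment; they are not handled here."""
    stable = json.loads(json.dumps(sbom))    # deep copy; never mutate the caller's SBOM
    stable.pop("serialNumber", None)
    stable.get("metadata", {}).pop("timestamp", None)
    canonical = json.dumps(stable, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def demo():
    """Diff the two constructed generations, and show the fingerprint ignores a re-export
    of the old SBOM that differs only in serialNumber and timestamp."""
    old, new = json.loads(OLD_SBOM_JSON), json.loads(NEW_SBOM_JSON)
    reexport = json.loads(OLD_SBOM_JSON)
    reexport["serialNumber"] = "urn:uuid:22222222-2222-4222-8222-222222222222"
    reexport["metadata"]["timestamp"] = "2024-06-02T00:00:00Z"
    return {"diff": diff_sboms(old, new),
            "same_as_reexport": content_fingerprint(old) == content_fingerprint(reexport),
            "same_as_new": content_fingerprint(old) == content_fingerprint(new)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keying the diff on the version-stripped package URL rather than on bom-ref matters because tools assign bom-refs per generation, so comparing refs across exports reports everything as changed. Storing the fingerprint beside each archived export gives an audit trail that distinguishes "the artifact was rebuilt with the same dependencies" from "the dependencies moved".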

Integration and compliance considerations

SBOM analysis supports various compliance frameworks and integration scenarios for enterprise software supply chain management.

Compliance framework support:

  • Executive Order 14028 requirements for software supply chain security.

  • NIST Cybersecurity Framework software component identification.

  • ISO/IEC 27001 software asset management requirements.

Integration capabilities:

  • CycloneDX export format enables integration with external compliance and risk management tools.

  • SBOM data correlates with security vulnerability findings for comprehensive risk assessment.

  • Component-level SBOM visibility supports detailed software composition analysis across application portfolios.

Operational considerations:

  • SBOM generation runs inside the existing binary security analysis step rather than as a separate scan, so it adds little to workflow run time.

  • Large applications with complex dependency trees may produce substantial SBOM data requiring appropriate storage and analysis tooling.

  • Regular SBOM export and archival supports historical compliance documentation and audit trail maintenance.