Day 8 of 60 · Static analysis & type-time
SBOM & supply-chain provenance
When the next event-stream / SolarWinds / ua-parser-js incident hits, you'll have one job: answer "are we affected?" within hours. SBOMs are how you answer it.
Problem
Unknown dependency lineage; build pipelines compromised by malicious commits or hijacked packages.
How it works
Generate a Software Bill of Materials per build (CycloneDX/SPDX). Sign with sigstore/in-toto. Verify on deploy.
What it catches
Supply-chain attacks (SolarWinds, event-stream, ua-parser-js style). Compliance evidence (SOC2, FedRAMP).
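The "are we affected?" question above is only answerable in hours if every build's SBOM is archived and queryable. The following is an added example (not code from the course or from any of the tools it names): it walks per-build CycloneDX JSON SBOMs, including nested components, and joins them against an advisory feed keyed by versionless package URL. The service names, package names, versions and advisory entries are constructed for illustration and are not real advisories.

```python
"""Answer "are we affected?" from per-build CycloneDX SBOMs.

Added example: the SBOMs, service names, package names and affected versions
below are constructed for illustration and do not describe real advisories.
"""
import json
from typing import Dict, Iterator, List, Set, Tuple


def _bom(components: List[dict]) -> str:
    """Wrap a component list in a minimal CycloneDX 1.5 JSON document."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                       "version": 1, "components": components})


# One SBOM per deployed build, as a CI pipeline would archive them (constructed).
SBOMS: Dict[str, str] = {
    "checkout-api": _bom([
        {"type": "library", "name": "event-helper", "version": "3.3.6",
         "purl": "pkg:npm/event-helper@3.3.6",
         # CycloneDX allows nested components; a bundled transitive dependency
         # is only visible if the walker descends into them.
         "components": [
             {"type": "library", "name": "flatmap-helper", "version": "0.1.1",
              "purl": "pkg:npm/flatmap-helper@0.1.1"}]},
        {"type": "library", "name": "ua-parse-lite", "version": "1.0.2",
         "purl": "pkg:npm/ua-parse-lite@1.0.2?repository_url=registry.example"}]),
    "reporting-worker": _bom([
        {"type": "library", "name": "ua-parse-lite", "version": "0.7.29",
         "purl": "pkg:npm/ua-parse-lite@0.7.29"},
        # A component without a purl is still matched by name and version.
        {"type": "library", "name": "legacy-tool", "version": "2.0"}]),
    "admin-ui": _bom([
        {"type": "library", "name": "ua-parse-lite", "version": "1.0.2",
         "purl": "pkg:npm/ua-parse-lite@1.0.2"}]),
}

# Hypothetical advisory feed: versionless purl -> set of affected versions.
ADVISORIES: Dict[str, Set[str]] = {
    "pkg:npm/flatmap-helper": {"0.1.1"},
    "pkg:npm/ua-parse-lite": {"0.7.29", "0.8.0", "1.0.0"},
    "pkg:generic/legacy-tool": {"1.9"},
}


def iter_components(node: dict) -> Iterator[dict]:
    """Yield every component in a BOM, including nested ones, depth-first."""
    for comp in node.get("components", []):
        yield comp
        yield from iter_components(comp)


def coordinates(comp: dict) -> Tuple[str, str]:
    """Return (versionless purl, version) for a component.

    Qualifiers ('?') and subpaths ('#') are stripped first so they cannot
    hide the version; scoped npm names encode '@' as '%40', so splitting on
    the last '@' is safe. Components with no purl fall back to name/version.
    """
    purl = comp.get("purl")
    if purl:
        base = purl.split("#", 1)[0].split("?", 1)[0]
        if "@" in base:
            name, version = base.rsplit("@", 1)
            return name, version
        return base, comp.get("version", "")
    return "pkg:generic/" + comp.get("name", ""), comp.get("version", "")


def affected_components(sbom_json: str,
                        advisories: Dict[str, Set[str]]) -> List[str]:
    """List 'purl@version' strings in one SBOM that an advisory covers."""
    bom = json.loads(sbom_json)
    hits = set()
    for comp in iter_components(bom):
        name, version = coordinates(comp)
        if version in advisories.get(name, set()):
            hits.add(f"{name}@{version}")
    return sorted(hits)


def affected_builds(sboms: Dict[str, str],
                    advisories: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Map each build that contains an affected component to its hits."""
    result: Dict[str, List[str]] = {}
    for build, sbom_json in sboms.items():
        hits = affected_components(sbom_json, advisories)
        if hits:
            result[build] = hits
    return result


if __name__ == "__main__":
    for build, hits in affected_builds(SBOMS, ADVISORIES).items():
        print(f"{build}: {', '.join(hits)}")
```

Two details matter in practice: the walker must descend into nested components, because a bundled transitive dependency (the event-stream pattern) otherwise never shows up, and matching must key on the versionless purl with qualifiers stripped, so a registry or VCS qualifier on the purl does not cause a miss. Signing the archived SBOMs with cosign, as the lesson recommends, is what makes the answer trustworthy rather than merely fast.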
Tools
- Syft + Grype (OSS)
- Sigstore / cosign (OSS)
- in-toto (OSS)
Verdict by project size
| Project size | Verdict |
|---|---|
| Small | Skip |
| Medium | Optional |
| Large | Recommended |
| Extra-large | Must |
Cost
| Project size | Setup | Maint / mo | Tool / mo | CI / run |
|---|---|---|---|---|
| Small <10k LOC | 1d | 0.5h | $0 | +0.5m |
| Medium 10–100k LOC | 3d | 2h | $0 | +1m |
| Large 100k–1M LOC | 10d | 10h | $0 | +2m |
| Extra-large >1M LOC | 30d | 40h | $0 | +5m |
- Setup = engineer-days to first useful run
- Maint = engineer-hours / month at steady state
- Tool = out-of-pocket $ / month
- CI = minutes added (or saved) per pipeline run
Lifecycle & ownership
When in lifecycle: Code · Build · Per pull request. Runs in CI on every PR; gates merge.
Who owns it: Developer (authoring + the inner loop). Collaborates with: Security / AppSec.
Reference implementations
- Syft: SBOM generation for filesystems, containers, and language package ecosystems.
- CycloneDX examples: reference SBOM documents across ecosystems and serialization formats.
- Sigstore cosign: artifact signing and verification examples that complement SBOM generation.
Quick check
An SBOM (Software Bill of Materials) is most useful for…