Software Supply Chain Security: SBOMs and SLSA Guide 2026
Practical guide to SBOMs, SLSA, artifact signing, and vulnerability scanning. Real CI/CD examples and policy templates.
Software Supply Chain Security: A Practical Guide to SBOMs and SLSA in 2026
Every line of code you deploy carries invisible baggage — transitive dependencies, base image layers, build toolchain artifacts — each one a potential entry point for an attacker. In 2026, software supply chain security is no longer a nice-to-have. It is the single most scrutinized attack surface in enterprise security, and the tooling has finally matured to meet the threat.
This guide walks you through the practical side: what an SBOM actually is, how the SLSA framework structures your defenses, and how to wire it all together in a CI/CD pipeline that generates, scans, signs, and enforces every artifact you ship.
Why Supply Chain Security Is the #1 Priority in 2026
Three incidents permanently changed how the industry thinks about supply chains.
SolarWinds (2020) demonstrated that a nation-state actor could compromise a build system and push malicious updates to 18,000 organizations — including US federal agencies — for months without detection. The attack targeted the build pipeline itself, not the source code, making traditional code review useless.
Log4Shell / CVE-2021-44228 (2021) revealed that a single transitive dependency buried six levels deep in your dependency tree could expose your entire infrastructure to remote code execution. Most organizations had no idea they were even running Log4j, because they had no inventory of their software components.
xz-utils / CVE-2024-3094 (2024) was perhaps the most chilling. A threat actor spent over two years earning trust as a maintainer of the xz compression library, eventually inserting a backdoor into versions 5.6.0 and 5.6.1 that targeted SSH authentication on Debian and Fedora systems. It was caught by accident — a Microsoft engineer noticed abnormal CPU usage during SSH logins. Had it reached stable distributions, the impact would have been catastrophic.
These attacks share a common lesson: you cannot secure what you cannot inventory. If you do not have a machine-readable list of every component in your software — and a cryptographic chain of custody for how it was built — you are flying blind.
That is exactly what SBOMs and SLSA solve.
What Is an SBOM? Software Bill of Materials Explained
A Software Bill of Materials (SBOM) is a structured, machine-readable inventory of every component, library, and dependency in a piece of software. Think of it as a nutritional label for your code: it tells you exactly what is inside, who made it, and what version you are consuming.
An SBOM typically includes:
- Component names and versions — every package, library, and module
- Supplier information — who published the component
- Dependency relationships — how components relate to each other (direct vs. transitive)
- Licensing data — what license each component uses
- Unique identifiers — CPE, PURL, or SWID tags for unambiguous identification
- Hash digests — cryptographic checksums for integrity verification
SBOM Formats
Two formats dominate the ecosystem:
SPDX (Software Package Data Exchange) — An ISO/IEC 5962:2021 international standard maintained by the Linux Foundation. SPDX excels at license compliance and is the format most frequently referenced by US government mandates.
CycloneDX — An OWASP standard purpose-built for security use cases. CycloneDX includes native support for vulnerability references (VEX), service definitions, and hardware bill of materials. It is the preferred format for DevSecOps teams focused on vulnerability management.
Both formats support JSON and XML serialization. In practice, most tooling supports both, so pick whichever aligns with your compliance requirements.
Why Regulators Now Mandate SBOMs
The regulatory landscape has shifted decisively toward mandatory SBOM disclosure:
- US Executive Order 14028 (May 2021) requires SBOMs for all software sold to the federal government
- NIST SP 800-218 (SSDF) codifies SBOM generation as a secure development practice
- EU Cyber Resilience Act (CRA) mandates that manufacturers of digital products provide machine-readable SBOMs in their technical documentation, with vulnerability reporting obligations beginning September 11, 2026 and full compliance by December 2027
- FDA Premarket Cybersecurity Guidance requires SBOMs for medical device software
If you sell software to governments, regulated industries, or European markets, SBOM generation is no longer optional — it is a compliance requirement.
The SLSA Framework: Supply-chain Levels for Software Artifacts
Get more insights on Security
Join 2,000+ engineers who get our weekly deep-dives. No spam, unsubscribe anytime.
SLSA (pronounced "salsa") is a security framework from the Open Source Security Foundation (OpenSSF) that provides a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. SLSA gives you a maturity model for your build pipeline — a way to incrementally improve from "we have no provenance" to "our builds are fully tamper-resistant."
SLSA Levels Explained (v1.0+)
| Level | Name | What It Requires |
|---|---|---|
| L0 | No guarantees | No SLSA. No provenance. Software is built and tested locally. |
| L1 | Provenance exists | Build platform automatically generates provenance describing how the artifact was built. Provenance is available to consumers. |
| L2 | Signed provenance | Provenance is digitally signed by the build platform. Signature links the platform to the artifact, making forgery significantly harder. |
| L3 | Hardened builds | Build runs on a hardened, ephemeral environment that resists tampering even from compromised credentials or insiders. Provenance is non-forgeable. |
Most organizations should target SLSA L2 as a baseline — signed provenance from your CI system — and work toward L3 for production-critical software. GitHub Actions, for example, already supports SLSA L3 provenance generation via the slsa-framework/slsa-github-generator project.
Generating SBOMs: Practical Tooling
Let's move from theory to practice. Here are the tools you should know for SBOM generation in a software supply chain security program.
Syft (Anchore)
Syft is the most versatile open-source SBOM generator. It supports container images, filesystems, archives, and individual package manifests.
# Generate SBOM from a container image (CycloneDX JSON)
syft registry.example.com/myapp:v1.2.3 -o cyclonedx-json > sbom-cdx.json
# Generate SBOM in SPDX format
syft registry.example.com/myapp:v1.2.3 -o spdx-json > sbom-spdx.json
# Generate SBOM from a local project directory
syft dir:./src -o cyclonedx-json > sbom-source.json
# Generate multiple formats simultaneously
syft registry.example.com/myapp:v1.2.3 \
-o spdx-json=sbom-spdx.json \
-o cyclonedx-json=sbom-cdx.json
# Scan a Docker archive
docker save myapp:latest -o myapp.tar
syft docker-archive:myapp.tar -o cyclonedx-json > sbom.json
Trivy (Aqua Security)
Trivy combines SBOM generation with vulnerability scanning in a single tool — ideal for teams that want fewer moving parts.
# Generate CycloneDX SBOM from image
trivy image --format cyclonedx --output sbom-cdx.json registry.example.com/myapp:v1.2.3
# Generate SPDX SBOM
trivy image --format spdx-json --output sbom-spdx.json registry.example.com/myapp:v1.2.3
# Generate SBOM from filesystem
trivy fs --format cyclonedx --output sbom.json ./project
# Scan and produce SBOM for a git repository
trivy repo --format cyclonedx --output sbom.json https://github.com/org/repo
Docker SBOM (BuildKit)
Docker Desktop and BuildKit now include native SBOM generation:
# Generate SBOM using Docker's built-in Syft integration
docker sbom myapp:latest --format cyclonedx-json > sbom.json
# Generate SBOM during multi-stage build
docker buildx build --sbom=true --output type=local,dest=./build-output .
GitHub Dependency Graph
GitHub automatically generates a dependency graph for repositories. You can export it as an SPDX SBOM via the API:
# Export SBOM from GitHub (requires repo read access)
gh api repos/OWNER/REPO/dependency-graph/sbom \
--jq '.sbom' > github-sbom-spdx.json
Integrating SBOM into CI/CD
An SBOM is only useful if it is generated automatically on every build. Here is a complete GitHub Actions workflow that generates an SBOM, scans it for vulnerabilities, and attaches it as a build artifact.
GitHub Actions Workflow
name: Build, SBOM, Scan, Sign
on:
push:
branches: [main]
tags: ['v*']
pull_request:
branches: [main]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build-and-secure:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write # Required for keyless signing
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to GHCR
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push image
id: build
uses: docker/build-push-action@v6
with:
context: .
push: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
- name: Install Syft
uses: anchore/sbom-action/download-syft@v0
- name: Generate SBOM (CycloneDX)
run: |
syft ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} \
-o cyclonedx-json=sbom-cyclonedx.json \
-o spdx-json=sbom-spdx.json
- name: Install Grype
uses: anchore/scan-action/download-grype@v4
- name: Scan SBOM for vulnerabilities
run: |
grype sbom:sbom-cyclonedx.json \
--fail-on critical \
-o table \
-o json=vulnerability-report.json
- name: Install Cosign
uses: sigstore/cosign-installer@v3
- name: Sign container image (keyless)
run: |
cosign sign --yes \
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
- name: Attach SBOM to image
run: |
cosign attach sbom \
--sbom sbom-cyclonedx.json \
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: security-artifacts
path: |
sbom-cyclonedx.json
sbom-spdx.json
vulnerability-report.json
GitLab CI Example
stages:
- build
- security
build-image:
stage: build
image: docker:24
services:
- docker:24-dind
script:
- docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
- docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
generate-sbom:
stage: security
image: anchore/syft:latest
script:
- syft $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA -o cyclonedx-json > sbom.json
- syft $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA -o spdx-json > sbom-spdx.json
artifacts:
paths:
- sbom.json
- sbom-spdx.json
expire_in: 90 days
scan-vulnerabilities:
stage: security
image: anchore/grype:latest
needs: [generate-sbom]
script:
- grype sbom:sbom.json --fail-on critical -o json > vuln-report.json
artifacts:
paths:
- vuln-report.json
when: always
Vulnerability Scanning with SBOMs
Once you have an SBOM, you can scan it against known vulnerability databases without needing to re-pull or re-analyze the original image. This is the real power of SBOM-based security — decouple the inventory from the scan.
Grype (Anchore)
# Scan an SBOM for vulnerabilities
grype sbom:sbom-cyclonedx.json
# Fail if critical or high severity CVEs are found
grype sbom:sbom-cyclonedx.json --fail-on high
# Output JSON for programmatic processing
grype sbom:sbom-cyclonedx.json -o json > vulnerabilities.json
# Filter to only show fixable vulnerabilities
grype sbom:sbom-cyclonedx.json --only-fixed
Trivy (SBOM Scanning Mode)
# Scan an existing SBOM file
trivy sbom sbom-cyclonedx.json
# Scan with severity filter
trivy sbom sbom-cyclonedx.json --severity CRITICAL,HIGH
# Output in JSON for CI integration
trivy sbom sbom-cyclonedx.json --format json --output trivy-results.json
OSV-Scanner (Google)
OSV-Scanner queries the Open Source Vulnerabilities database, which aggregates data from multiple sources including NVD, GitHub Security Advisories, and language-specific databases:
# Scan SBOM against OSV database
osv-scanner --sbom sbom-spdx.json
# Scan with specific output format
osv-scanner --sbom sbom-cyclonedx.json --format json > osv-results.json
Pro tip: Run multiple scanners. Each vulnerability database has different coverage. Grype uses the Anchore feed, Trivy uses its own aggregated database, and OSV covers sources the others may miss. In production, we run at least two scanners and union the results.
Artifact Signing and Verification
An SBOM tells you what is in your software. Signing tells you who built it and that it has not been tampered with since. Together, they form the foundation of software supply chain security.
Cosign (Sigstore)
Cosign is the industry standard for container image signing. It supports both key-based and keyless signing via OIDC identity providers.
# Generate a key pair (key-based signing)
cosign generate-key-pair
# Sign an image with a local key
cosign sign --key cosign.key registry.example.com/myapp@sha256:abc123...
# Keyless signing (uses OIDC — GitHub, Google, Microsoft identity)
cosign sign --yes registry.example.com/myapp@sha256:abc123...
# Verify a signed image (keyless)
cosign verify \
[email protected] \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
registry.example.com/myapp@sha256:abc123...
# Attach an SBOM to a signed image
cosign attach sbom --sbom sbom.json registry.example.com/myapp@sha256:abc123...
# Verify the attached SBOM
cosign verify-attestation \
--type cyclonedx \
[email protected] \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
registry.example.com/myapp@sha256:abc123...
Why keyless? With keyless signing, Cosign requests an ephemeral key pair, records the signing event on Sigstore's transparency log (Rekor), and discards the private key. There is no key to manage, rotate, or leak. The identity is bound to your CI system's OIDC token, so the provenance is tied to the pipeline that built it.
Notation (Microsoft / Notary v2)
For teams in the Azure ecosystem, Notation provides OCI-native signing:
# Sign with Azure Key Vault
notation sign --signature-format cose \
registry.example.com/myapp@sha256:abc123... \
--plugin azure-kv \
--id https://myvault.vault.azure.net/keys/signing-key/v1
# Verify
notation verify registry.example.com/myapp@sha256:abc123...
Policy Enforcement with OPA/Gatekeeper
Generating SBOMs and signing images is only half the battle. You need admission control that blocks unsigned or vulnerable images from being deployed to your cluster.
Kubernetes Gatekeeper Policy: Require Signed Images
Free Resource
Infrastructure Security Audit Template
The exact audit template we use with clients: 60+ checks across network, identity, secrets management, and compliance.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: requireimagessigned
spec:
crd:
spec:
names:
kind: RequireImagesSigned
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package requireimagessigned
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
not container_signed(container.image)
msg := sprintf(
"Container image %s is not signed. All images must be signed with Cosign before deployment.",
[container.image]
)
}
container_signed(image) {
# Check signature exists via external data or cached verification
data.inventory.signatures[image]
}
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RequireImagesSigned
metadata:
name: require-all-images-signed
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
namespaces: ["production", "staging"]
Kyverno Policy: Verify Image Signature and SBOM
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: verify-image-signature
spec:
validationFailureAction: Enforce
rules:
- name: verify-cosign-signature
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "registry.example.com/*"
attestors:
- entries:
- keyless:
subject: "[email protected]"
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
attestations:
- type: https://cyclonedx.org/bom
conditions:
- all:
- key: "{{ components[].name }}"
operator: AllNotIn
value: ["blocked-package-v1", "known-malicious-lib"]
This policy does two things: it verifies that every image is signed by your CI pipeline's identity, and it checks the attached SBOM attestation to ensure no blocked packages are present.
Real-World Implementation: Complete Pipeline
Here is the end-to-end flow for a mature software supply chain security implementation:
┌─────────────┐ ┌──────────────┐ ┌──────────────┐
│ Developer │────▶│ Git Push │────▶│ CI Pipeline │
│ commits │ │ (signed) │ │ (ephemeral) │
└─────────────┘ └──────────────┘ └──────┬───────┘
│
┌────────────────────────────┼────────────────────────────┐
│ CI Pipeline Steps │
│ │
│ 1. Build image (multi-stage, minimal base) │
│ 2. Generate SBOM with Syft (CycloneDX + SPDX) │
│ 3. Scan SBOM with Grype (fail on critical) │
│ 4. Scan SBOM with Trivy (second opinion) │
│ 5. Sign image with Cosign (keyless, OIDC) │
│ 6. Attach SBOM as attestation │
│ 7. Push to OCI registry │
│ 8. Generate SLSA provenance │
└────────────────────────────┬───────────────────────────┘
│
┌────────────────────────────▼───────────────────────────┐
│ Deployment │
│ │
│ 9. Kubernetes admission controller (Kyverno) │
│ - Verify Cosign signature │
│ - Verify SBOM attestation present │
│ - Check no blocked packages │
│ 10. Deploy to cluster │
│ 11. Continuous monitoring (re-scan SBOMs nightly) │
└────────────────────────────────────────────────────────┘
Step-by-Step Commands
# 1. Build
docker buildx build -t registry.example.com/myapp:v1.0.0 --push .
# 2. Generate SBOM
IMAGE="registry.example.com/myapp:v1.0.0"
DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE)
syft $DIGEST \
-o cyclonedx-json=sbom-cdx.json \
-o spdx-json=sbom-spdx.json
# 3. Scan for vulnerabilities (primary scanner)
grype sbom:sbom-cdx.json --fail-on critical -o json > grype-report.json
# 4. Scan for vulnerabilities (secondary scanner)
trivy sbom sbom-cdx.json --severity CRITICAL --exit-code 1
# 5. Sign the image (keyless)
cosign sign --yes $DIGEST
# 6. Attach SBOM as attestation
cosign attest --yes \
--predicate sbom-cdx.json \
--type cyclonedx \
$DIGEST
# 7. Verify (what the admission controller does)
cosign verify [email protected] \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
$DIGEST
cosign verify-attestation --type cyclonedx \
[email protected] \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
$DIGEST
Nightly Re-Scanning
New CVEs are published daily. Your SBOM from yesterday's build might be clean, but today's NVD update could flag a critical vulnerability. Set up a nightly cron job:
#!/bin/bash
# nightly-sbom-rescan.sh
# Re-scan all production SBOMs against latest vulnerability databases
SBOM_DIR="/var/lib/sbom-archive"
ALERT_THRESHOLD="high"
for sbom in "$SBOM_DIR"/*.json; do
echo "Scanning: $sbom"
grype sbom:"$sbom" --fail-on "$ALERT_THRESHOLD" -o json > "/tmp/$(basename $sbom .json)-results.json" 2>&1
if [ $? -ne 0 ]; then
echo "ALERT: New vulnerabilities found in $(basename $sbom)"
# Send alert to your notification channel
curl -s -d "New ${ALERT_THRESHOLD}+ CVEs found in $(basename $sbom)" \
https://ntfy.example.com/security-alerts
fi
done
Compliance: How SBOMs Support Your Audits
SBOMs are not just a security tool — they are a compliance accelerator. Here is how they map to major frameworks:
| Framework | SBOM Requirement | How SBOMs Help |
|---|---|---|
| FedRAMP | Required for systems processing federal data (per EO 14028) | Provides the component inventory auditors request. Demonstrates you know what you are running. |
| SOC 2 | CC7.1 — identify and manage information assets | SBOMs are your machine-readable asset inventory for software components. Automates evidence collection. |
| ISO 27001 | A.8.9 — Configuration management, A.12.6 — Technical vulnerability management | SBOMs feed directly into vulnerability management processes and configuration baselines. |
| EU Cyber Resilience Act | Mandatory SBOM in technical documentation. Vulnerability reporting from Sept 2026. | CycloneDX or SPDX SBOMs satisfy the "machine-readable format" requirement. Automated scanning enables the 24-hour vulnerability disclosure mandate. |
| PCI DSS 4.0 | 6.3 — Identify and manage security vulnerabilities | SBOM-based scanning ensures you know every component and its vulnerability status. |
| HIPAA | Technical safeguard — integrity controls | Signed SBOMs provide tamper-evident software integrity records. |
Practical tip: Archive every SBOM you generate, tagged with the build ID, commit SHA, and timestamp. When an auditor asks "were you running a vulnerable version of library X on date Y?", you can answer definitively in seconds rather than days.
Conclusion: Building Trust in Your Software Supply Chain
Software supply chain security with SBOMs is no longer an emerging practice — it is the baseline expectation for any organization shipping software in 2026. The xz-utils attack proved that even the most trusted open-source projects can be compromised. The EU Cyber Resilience Act, FedRAMP requirements, and industry standards like SLSA have made SBOM generation and artifact signing a compliance necessity.
The good news: the tooling is mature, the standards are stable, and the integration patterns are well-established. You can go from zero to a production-grade supply chain security pipeline in a week:
- Day 1-2: Integrate Syft into your CI pipeline to generate SBOMs on every build
- Day 3-4: Add Grype/Trivy vulnerability scanning with fail gates on critical CVEs
- Day 5: Set up Cosign keyless signing via your CI provider's OIDC identity
- Day 6-7: Deploy Kyverno or Gatekeeper admission policies to enforce signatures in your cluster
Start with SLSA Level 1 (provenance exists), move to Level 2 (signed provenance), and plan your roadmap to Level 3. Every step measurably reduces your attack surface.
The organizations that treat supply chain security as a continuous practice — not a one-time checkbox — are the ones that will weather the next SolarWinds, the next Log4Shell, and the next xz-utils.
Need help implementing software supply chain security for your organization? TechSaaS provides hands-on security assessments, CI/CD pipeline hardening, and DevSecOps consulting for teams building on cloud-native infrastructure. We have implemented SBOM pipelines, SLSA-compliant builds, and zero-trust deployment policies for organizations across regulated industries. Get in touch for a security posture review.
Related Service
Security & Compliance
Zero-trust architecture, compliance automation, and incident response planning.
Need help with security?
TechSaaS provides expert consulting and managed services for cloud infrastructure, DevOps, and AI/ML operations.
We Will Build You a Demo Site — For Free
Like it? Pay us. Do not like it? Walk away, zero complaints. You will spend way less than hiring developers or any agency.
No spam. No contracts. Just a free demo.