Who requires an SBOM?

US Executive Order 14028 (May 2021) mandated SBOMs for software sold to the US federal government. The EU Cyber Resilience Act (CRA) requires SBOMs for products with digital elements sold in the EU. Enterprise procurement teams, particularly in financial services, healthcare, and critical infrastructure, are increasingly requiring SBOMs as part of vendor onboarding. ISO 27001 and SOC 2 auditors are starting to ask for them.

How do I generate an SBOM?

For container images, use Syft (free, open source), run 'syft -o cyclonedx-json'. For application dependencies, use CycloneDX language plugins (available for Node.js, Python, Java, Go, .NET). For a complete pipeline integration, tools like Snyk, Anchore, and Dependency-Track can generate and continuously monitor SBOMs as part of your CI/CD workflow.

SBOM 101: Why Software Bills of Materials Matter

In December 2021, a security researcher published a proof-of-concept exploit for a vulnerability in Apache Log4j, a Java logging library so ubiquitous that most developers had never consciously chosen to use it. It was just there, pulled in as a transitive dependency by something else they were using. Within 72 hours, over 625,000 applications were under active attack.

The organisations that contained the damage fastest had one thing in common: they knew what was in their software. They had a list. They could search it, sort it by component, and immediately identify every system that needed patching. Everyone else was doing archaeology, manually digging through codebases, dependency trees, and container images trying to answer a question they should have been able to answer in seconds.

That list has a name. It is called a Software Bill of Materials. And after Log4Shell, the question shifted from “should we have one?” to “why don't we already?”

“An SBOM is the difference between knowing your exposure in 30 seconds and spending three weeks in a war room. Log4Shell did not create the SBOM conversation, it ended the debate about whether it was necessary.”

— Soham Sawant, Cybersecurity Expert & Technical Writer, SecComply

What Is an SBOM?

📖 Definition, Software Bill of Materials (SBOM)

Think of it as the ingredient label for software. Just as a food label tells you exactly what is inside the product, not just the headline ingredients but the additives, preservatives, and allergens, an SBOM tells you exactly what is inside your application, including the things you did not consciously choose to include.

The analogy to a food ingredient label is more precise than it first appears. When a food safety recall happens, manufacturers with accurate ingredient labels can immediately determine whether they are affected. Those without them have to audit every product line from scratch. Software supply chain incidents work exactly the same way.

An SBOM typically captures for each component: its name and version, the supplier, the relationship to your software (direct dependency or transitive), the licence, known vulnerabilities (CVEs), and cryptographic hash for integrity verification. The minimum elements required by the US National Telecommunications and Information Administration (NTIA) for a “baseline” SBOM are supplier name, component name, version, unique identifier, dependency relationships, author of SBOM data, and timestamp.

Software supply chain security and component inventory management — A Software Bill of Materials gives you complete visibility into every component in your software, the ones you chose, and the ones that came along for the ride.

Why SBOMs Are No Longer Optional

SBOMs have existed as a concept for years. What changed is the regulatory and commercial pressure that has made them a hard requirement rather than a best practice.

US Executive Order 14028 (May 2021)

Following the SolarWinds supply chain attack, President Biden signed EO 14028 on Improving the Nation's Cybersecurity. Section 4 specifically mandated that software vendors selling to the US federal government must provide an SBOM. This single order created a wave of procurement requirements that quickly spread beyond federal contracts into enterprise software buying generally.

EU Cyber Resilience Act (CRA)

The EU CRA, which entered into force in 2024, requires manufacturers of products with digital elements sold in the EU to maintain SBOMs throughout the product lifecycle. This includes IoT devices, software products, and connected hardware. Non-compliance can result in fines of up to €15 million or 2.5% of global annual turnover.

Enterprise Procurement Requirements

Enterprise buyers, particularly in financial services, healthcare, critical infrastructure, and government, are now routinely including SBOM requirements in vendor onboarding questionnaires and procurement contracts. If you are selling B2B SaaS to regulated industries, expect to be asked for an SBOM within the next 12–18 months if you are not already.

ISO 27001 and SOC 2 Audit Expectations

While neither ISO 27001 nor SOC 2 explicitly mandates an SBOM by name, the controls they require make one a practical necessity. ISO 27001:2022 Annex A.8.8 requires management of technical vulnerabilities in software you use. SOC 2 CC9.2 covers vendor and supply chain risk. Auditors are increasingly asking for evidence of software component inventory as part of these controls.

SPDX vs CycloneDX, The Two Dominant Formats

Two formats have emerged as the industry standard for SBOMs. They serve overlapping but distinct purposes, and understanding the difference matters for choosing the right toolchain.

Attribute	SPDX	CycloneDX
Governing body	Linux Foundation / ISO (ISO 5962)	OWASP
Primary focus	Licence compliance & provenance	Security & vulnerability tracking
Formats supported	SPDX tag-value, JSON, YAML, XML, RDF	JSON, XML, Protobuf
VEX support	Limited	Native (Vulnerability Exploitability eXchange)
Best for	Open source licence management, legal teams	Security teams, vulnerability management, DevSecOps
Tooling	FOSSology, SPDX tools, Syft	Syft, cdxgen, Snyk, Dependency-Track
Recommended for	Software selling into legal-compliance-heavy markets	Most security-focused teams

✅ Which Should You Use?

For most security and compliance teams, CycloneDX is the right starting point. It has better tooling support for vulnerability tracking, native VEX (Vulnerability Exploitability eXchange) for communicating exploitability status, and is the format most commonly requested by enterprise security questionnaires. You can always generate both from the same tooling.

What a Good SBOM Actually Contains

The NTIA defines the minimum elements, but a production-grade SBOM goes further. Here is what each layer adds:

Level	What It Includes	Sufficient For
Minimum (NTIA)	Supplier, name, version, unique ID, dependency relationships, SBOM author, timestamp	Basic regulatory compliance
Standard	Above + licence info, cryptographic hash, download URL, known CVEs at time of generation	Licence compliance, vendor questionnaires
Comprehensive	Above + VEX statements, build environment, signing info, transitive dependencies, SBOM of SBOMs	ISO 27001, SOC 2, enterprise procurement, regulated industries

⚠️ Transitive Dependencies Are the Real Risk

Log4j was a transitive dependency for most affected organisations, a dependency of a dependency, not something teams had directly chosen. A baseline SBOM that only lists direct dependencies would not have caught it. Your SBOM must include the full dependency tree, not just the first level.

SBOM tools and software supply chain audit process — Generating and maintaining SBOMs has become significantly easier, most modern CI/CD pipelines can produce one automatically on every build with a single tool integration.

How to Generate Your First SBOM

The tooling has matured significantly. Generating an SBOM no longer requires specialist knowledge, for most stacks it is a single command.

🛠️ SBOM Generation, Step by Step

1️⃣

For Container Images, Syft

Syft is the easiest starting point. Install it and run: syft <image-name> -o cyclonedx-json > sbom.json. It scans the image layers and produces a CycloneDX SBOM covering all OS packages and application dependencies inside the container.

2️⃣

For Application Code, CycloneDX Plugins

CycloneDX provides language-native plugins: @cyclonedx/cyclonedx-npm for Node.js, cyclonedx-bom for Python, cyclonedx-maven-plugin for Java, cyclonedx-gomod for Go. Each reads your existing package manifest and outputs a standards-compliant SBOM.

3️⃣

Ingest Into a Tracking Tool, Dependency-Track

Generating an SBOM once is not enough. Dependency-Track (free, open source, OWASP) ingests your SBOM and continuously monitors it against the NVD, OSV, and GitHub Advisory databases, alerting you whenever a new CVE is published against any component you are using.

4️⃣

Automate in CI/CD

Add SBOM generation as a pipeline step so every build produces a fresh, versioned SBOM automatically. This means your SBOM always reflects the current state of your software, not a snapshot from six months ago. GitHub Actions, GitLab CI, and Jenkins all have native integrations.

5️⃣

Sign and Attest Your SBOMs

Use Sigstore/Cosign to cryptographically sign your SBOMs and container images. This provides proof that the SBOM was generated from your pipeline and has not been tampered with, increasingly required for enterprise vendor onboarding and US federal contracts.

How SBOMs Map to Your Compliance Frameworks

📋 Framework Mapping

ISO 27001:2022 Annex A.8.8, Management of Technical Vulnerabilities: An SBOM is the inventory that makes this control implementable at scale. Without knowing what components you are running, you cannot manage their vulnerabilities.

ISO 27001:2022 Annex A.15.1/15.2, Supplier Relationships: Requiring SBOMs from software vendors is a directly implementable control under supplier security agreements.

SOC 2 CC9.2, Vendor and Supply Chain Risk Management: An SBOM program demonstrates that you have a systematic approach to identifying and monitoring software supply chain risk.

SOC 2 CC7.1, Vulnerability Detection: Continuous SBOM monitoring via Dependency-Track directly produces the evidence auditors need for this control.

NIST CSF 2.0, ID.SC (Supply Chain Risk Management): SBOMs are explicitly referenced in NIST guidance as a mechanism for implementing supply chain risk management controls.

Common SBOM Mistakes to Avoid

Generating once and forgetting: An SBOM from six months ago is not a security tool, it is false confidence. SBOMs must be regenerated on every build and monitored continuously.
Covering only direct dependencies: Log4j was a transitive dependency. If your SBOM does not include the full dependency tree, it will not catch the next Log4Shell.
No VEX statements: Not every CVE in your SBOM represents a real risk. A CVE in a component you ship but do not execute is not exploitable. VEX (Vulnerability Exploitability eXchange) statements let you document which CVEs are not exploitable in your context, critical for reducing noise.
Not sharing with customers: An SBOM you keep internal provides you with visibility. An SBOM you share with customers provides them with transparency, and is increasingly what enterprise buyers are asking for before they sign.
Treating it as a compliance checkbox: The value of an SBOM is operational, not administrative. The organisations that benefit most are those that use it as a live tool in their vulnerability management process, not a document they attach to audit submissions.

Need Help Building Your SBOM Program?

SecComply helps organisations implement SBOM generation, continuous monitoring, and compliance mapping across ISO 27001, SOC 2, and the EU Cyber Resilience Act, as part of a complete supply chain security program.

Book a Free Consultation →

Frequently Asked Questions

An SBOM is a formal, machine-readable inventory of every component, library, dependency, and module in a software product, including open source packages, third-party libraries, and their known vulnerabilities. Think of it as the ingredient label for software. It tells you exactly what is inside your application, including the transitive dependencies you never consciously chose to include.

ISO 27001:2022 Annex A.8.8 (Management of Technical Vulnerabilities) and A.15.1 (Supplier Relationships) both implicitly require you to know what software components you are running and to track vulnerabilities in them. An SBOM is the practical mechanism to satisfy these controls at scale. Auditors are increasingly asking for evidence of software component inventory as part of these requirements.

SPDX (Software Package Data Exchange) is an ISO standard focused primarily on licence compliance and provenance. CycloneDX is an OWASP standard focused primarily on security, vulnerability tracking, VEX statements, and supply chain risk. For most security teams, CycloneDX is the right starting point. Both formats are widely supported and you can generate both from the same tooling.

US Executive Order 14028 mandated SBOMs for software sold to the US federal government. The EU Cyber Resilience Act requires SBOMs for products with digital elements sold in the EU. Enterprise buyers in financial services, healthcare, and critical infrastructure are increasingly requiring SBOMs in vendor onboarding. ISO 27001 and SOC 2 auditors are starting to ask for them as part of supply chain risk controls.

For container images, use Syft (free, open source), run syft <image-name> -o cyclonedx-json. For application code, use the CycloneDX language plugin for your stack (npm, pip, Maven, Go, .NET). For continuous monitoring, ingest the generated SBOM into Dependency-Track to get alerted whenever a new CVE is published against any component you are using.

Log4Shell (CVE-2021-44228) affected hundreds of thousands of applications that used Apache Log4j, most organisations had no idea they were using it because it was a transitive dependency (a dependency of a dependency). Organisations with SBOMs identified their exposure in minutes. Those without spent days or weeks auditing codebases manually. It remains the single most cited reason why SBOM adoption accelerated so rapidly after 2021.