If you sell to enterprise — yes; many large customers now demand SBOMs as part of vendor due diligence. For B2C startups, less urgent; still good practice.

CycloneDX is more common for application security; SPDX is older and stronger on license metadata. Both are accepted; tools generate either. CycloneDX is my default.

Software Bill of Materials (SBOM) — A Practical Guide for 2026

A Software Bill of Materials (SBOM) lists every component in your software. By 2026 it’s standard for enterprise vendor onboarding. This post is how to generate, store, and use one.

What’s in an SBOM

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {
      "type": "library",
      "name": "fastapi",
      "version": "0.115.0",
      "purl": "pkg:pypi/[email protected]",
      "licenses": [{ "license": { "id": "MIT" } }]
    },
    ...
  ]
}

Every dependency, transitive or direct, with version, license, and a Package URL (purl).

Generation

# Source code-based SBOM
syft -o cyclonedx-json . > sbom.cdx.json

# Container image SBOM
syft -o cyclonedx-json my-image:1.4.0 > image-sbom.cdx.json

# From package manager
pip-audit --format=cyclonedx-json > sbom.cdx.json
cargo cyclonedx
npm sbom --sbom-format=cyclonedx

syft (Anchore) is the swiss army knife. Works on source, containers, archives.

Vulnerability scanning

An SBOM by itself isn’t useful. Scan it:

grype sbom:./sbom.cdx.json --fail-on high

Outputs every CVE per component. CI fails on high severity.

- run: syft -o cyclonedx-json . > sbom.cdx.json
- run: grype sbom:./sbom.cdx.json --fail-on high
- uses: actions/upload-artifact@v4
  with: { name: sbom, path: sbom.cdx.json }

Storing SBOMs

Per-release. Persisted somewhere customers / auditors can access.

Dependency-Track (OWASP): self-hosted, tracks SBOMs over time, alerts on new CVEs.
GitHub Dependency Graph + Dependabot: free for public repos.
Snyk / Sonatype / JFrog Xray: commercial, polished.

Attestations

Pair the SBOM with a signature (Sigstore ):

cosign attest --predicate sbom.cdx.json --type cyclonedx my-image:1.4.0

Now the SBOM is cryptographically tied to the image. Customers verify both.

Vendor security questionnaires

Common asks in 2026:

Provide SBOM for the latest release.
Demonstrate vuln scanning in CI.
Sign images.
SLA for patching critical CVEs.

Having the pipeline in place answers all of these. See Software Supply Chain Security .

Continuous monitoring

A new CVE is announced. You want to know which of your shipped versions are affected.

Dependency-Track subscribes to NVD; flags affected projects.
GitHub Security Advisories: auto-alerts on Dependabot-tracked deps.
Custom CI: re-scan SBOMs nightly with grype using a fresh CVE database.

License compliance

The SBOM lists licenses. Some are incompatible with your distribution model:

AGPL pulled in transitively → all your code may need to be AGPL.
LGPL with static linking → may require modifications to be redistributable.
Proprietary licenses → audit.

Tools (FOSSA, Black Duck, license-checker) flag risky licenses. Cheap to add to CI.

What I’d ship today

For a 2026 product:

syft in CI generates SBOM per build.
grype --fail-on high blocks bad PRs.
Dependency-Track stores and monitors SBOMs.
Cosign attestation ties SBOM to image.
License check flags risky licenses.
Customer-facing endpoint: GET /security/sbom/v1.4.0 returns the latest SBOM.

A week of work. Pays back at the first vendor security review.

Read this next

If you want my SBOM + attestation CI workflow, it’s at rajpoot.dev .

Building something AI-, backend-, or data-heavy and want a second pair of eyes? I do consulting and freelance work — see my projects and ways to reach me at rajpoot.dev .

What’s in an SBOM#

Generation#

Vulnerability scanning#

Storing SBOMs#

Attestations#

Vendor security questionnaires#

Continuous monitoring#

License compliance#

What I’d ship today#

Read this next#