Stats
Actions
Tags
From compliance-planning
Generates and manages SBOMs in CycloneDX/SPDX formats, tracks vulnerabilities, and supports supply chain security for releases and regulatory compliance.
How this skill is triggered — by the user, by Claude, or both
Slash command
/compliance-planning:sbom-managementThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Comprehensive guidance for Software Bill of Materials creation, maintenance, and supply chain security.
Comprehensive guidance for Software Bill of Materials creation, maintenance, and supply chain security.
A Software Bill of Materials is a formal, machine-readable inventory of software components and dependencies, their relationships, and associated metadata.
Your Application
├── Dependency A (v1.2.3) → Transitive Dep X
├── Dependency B (v2.0.0) → Transitive Dep Y, Z
├── Dependency C (v3.1.0)
└── Direct code components
Required elements per NTIA SBOM guidelines:
| Element | Description | Example |
|---|---|---|
| Supplier Name | Entity that creates/maintains | "Microsoft" |
| Component Name | Designation of component | "System.Text.Json" |
| Version | Version identifier | "8.0.0" |
| Other Unique Identifiers | Additional IDs | PURL, CPE |
| Dependency Relationship | Upstream/downstream | "depends-on" |
| Author of SBOM Data | Who created SBOM | "Contoso Inc" |
| Timestamp | When SBOM created | "2025-01-15T10:30:00Z" |
| Format | Strengths | Use Case |
|---|---|---|
| CycloneDX | Security-focused, VEX support | Vulnerability management |
| SPDX | License-focused, ISO standard | License compliance |
| SWID | Software identification | Asset management |
{
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"version": 1,
"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
"metadata": {
"timestamp": "2025-01-15T10:30:00Z",
"tools": [
{
"vendor": "CycloneDX",
"name": "cyclonedx-dotnet",
"version": "3.0.0"
}
],
"component": {
"type": "application",
"name": "MyApplication",
"version": "1.0.0"
}
},
"components": [
{
"type": "library",
"bom-ref": "pkg:nuget/[email protected]",
"name": "Newtonsoft.Json",
"version": "13.0.3",
"purl": "pkg:nuget/[email protected]",
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"hashes": [
{
"alg": "SHA-256",
"content": "a5c9a4e..."
}
]
}
],
"dependencies": [
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": [
"pkg:nuget/[email protected]"
]
}
]
}
application - Standalone application
framework - Software framework
library - Software library
container - Container image
operating-system
device - Hardware device
firmware - Device firmware
file - Arbitrary file
machine-learning-model
data - Data assets
# Install the tool
dotnet tool install --global CycloneDX
# Generate SBOM for solution
dotnet CycloneDX MyApp.sln -o sbom.json -j
# Include dev dependencies
dotnet CycloneDX MyApp.sln -o sbom.json -j --include-dev
# Recursive for all projects
dotnet CycloneDX . -o sbom.json -j -r
<!-- Add to Directory.Build.props -->
<PropertyGroup>
<GenerateSBOM>true</GenerateSBOM>
<SBOMFormat>CycloneDX</SBOMFormat>
</PropertyGroup>
<!-- MSBuild target -->
<Target Name="GenerateSBOM" AfterTargets="Build" Condition="'$(GenerateSBOM)'=='true'">
<Exec Command="dotnet CycloneDX $(MSBuildProjectFullPath) -o $(OutputPath)sbom.json -j" />
</Target>
using CycloneDX.Models;
public class SbomGenerator
{
public Bom GenerateSbom(Project project, IEnumerable<PackageReference> packages)
{
var bom = new Bom
{
Version = 1,
SerialNumber = $"urn:uuid:{Guid.NewGuid()}",
Metadata = new Metadata
{
Timestamp = DateTime.UtcNow,
Component = new Component
{
Type = Component.Classification.Application,
Name = project.Name,
Version = project.Version
}
},
Components = new List<Component>()
};
foreach (var pkg in packages)
{
bom.Components.Add(new Component
{
Type = Component.Classification.Library,
BomRef = $"pkg:nuget/{pkg.Id}@{pkg.Version}",
Name = pkg.Id,
Version = pkg.Version,
Purl = $"pkg:nuget/{pkg.Id}@{pkg.Version}",
Licenses = pkg.Licenses?.Select(l => new LicenseChoice
{
License = new License { Id = l }
}).ToList()
});
}
return bom;
}
}
VEX documents state whether vulnerabilities apply to your product:
{
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"vulnerabilities": [
{
"id": "CVE-2023-12345",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-12345"
},
"ratings": [
{
"severity": "high",
"score": 7.5,
"method": "CVSSv3"
}
],
"analysis": {
"state": "not_affected",
"justification": "code_not_reachable",
"detail": "Vulnerable code path not used in our implementation"
},
"affects": [
{
"ref": "pkg:nuget/[email protected]"
}
]
}
]
}
| State | Meaning |
|---|---|
exploitable | Vulnerability is exploitable |
in_triage | Currently investigating |
not_affected | Not vulnerable |
resolved | Fixed in current version |
public class VulnerabilityTracker
{
private readonly IVulnerabilityDatabase _vulnDb;
private readonly ISbomRepository _sbomRepo;
public async Task<VulnerabilityReport> ScanSbom(
string sbomPath,
CancellationToken ct)
{
var sbom = await _sbomRepo.Load(sbomPath, ct);
var report = new VulnerabilityReport
{
SbomSerialNumber = sbom.SerialNumber,
ScanTimestamp = DateTimeOffset.UtcNow
};
foreach (var component in sbom.Components)
{
var vulns = await _vulnDb.GetVulnerabilities(
component.Purl,
ct);
foreach (var vuln in vulns)
{
report.Vulnerabilities.Add(new VulnerabilityFinding
{
ComponentRef = component.BomRef,
ComponentName = component.Name,
ComponentVersion = component.Version,
CveId = vuln.Id,
Severity = vuln.Severity,
CvssScore = vuln.CvssScore,
Description = vuln.Description,
FixedInVersion = vuln.FixedInVersion,
VexStatus = DetermineVexStatus(component, vuln)
});
}
}
return report;
}
private VexStatus DetermineVexStatus(Component component, Vulnerability vuln)
{
// Check if we have an existing VEX determination
// Otherwise mark as in_triage
return VexStatus.InTriage;
}
}
| Level | Requirements |
|---|---|
| SLSA 1 | Build process documented, provenance generated |
| SLSA 2 | Version control, hosted build service |
| SLSA 3 | Hardened builds, provenance verified |
| SLSA 4 | Two-person review, hermetic builds |
public class PackageIntegrityVerifier
{
public async Task<VerificationResult> VerifyPackage(
PackageReference package,
CancellationToken ct)
{
var result = new VerificationResult { Package = package };
// Check package signature
var signature = await GetPackageSignature(package, ct);
if (signature != null)
{
result.IsSigned = true;
result.SignatureValid = await VerifySignature(signature, ct);
result.SignerCertificate = signature.Certificate;
}
// Verify hash against known-good sources
var packageHash = await ComputePackageHash(package, ct);
var expectedHash = await GetExpectedHash(package, ct);
result.HashMatch = packageHash == expectedHash;
// Check for known vulnerabilities
result.Vulnerabilities = await ScanForVulnerabilities(package, ct);
// Check package age and maintenance status
result.LastUpdated = await GetLastUpdateDate(package, ct);
result.IsDeprecated = await CheckDeprecationStatus(package, ct);
return result;
}
}
<!-- Enable package lock file for reproducible builds -->
<PropertyGroup>
<RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
<RestoreLockedMode Condition="'$(CI)' == 'true'">true</RestoreLockedMode>
</PropertyGroup>
name: Generate SBOM
on:
release:
types: [published]
jobs:
sbom:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: '10.0.x'
- name: Install CycloneDX
run: dotnet tool install --global CycloneDX
- name: Generate SBOM
run: |
dotnet CycloneDX MySolution.sln \
-o sbom.json \
-j \
--set-version ${{ github.event.release.tag_name }}
- name: Sign SBOM
run: |
# Sign with cosign or similar
cosign sign-blob --key ${{ secrets.SIGNING_KEY }} sbom.json
- name: Upload SBOM to Release
uses: actions/upload-release-asset@v1
with:
upload_url: ${{ github.event.release.upload_url }}
asset_path: ./sbom.json
asset_name: sbom.json
asset_content_type: application/json
- name: Scan for vulnerabilities
run: |
grype sbom:sbom.json --fail-on high
- name: Generate SBOM Attestation
uses: actions/attest-sbom@v1
with:
subject-path: './bin/MyApp.dll'
sbom-path: './sbom.json'
| Channel | Format | Audience |
|---|---|---|
| Release assets | JSON/XML | Developers, security teams |
| API endpoint | JSON | Automated systems |
| Documentation | Human-readable | Auditors, customers |
| Container labels | Reference | Container runtime |
# Include SBOM in container
LABEL org.opencontainers.image.sbom="sbom.json"
COPY sbom.json /app/sbom.json
# Or generate at build time
FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build
RUN dotnet tool install --global CycloneDX
RUN dotnet CycloneDX /src/MyApp.csproj -o /app/sbom.json -j
Requirements for software sold to US government:
Upcoming requirements:
license-compliance for license obligationssecurity-frameworks for supply chain securityai-governance for ML model SBOMsnpx claudepluginhub melodic-software/claude-code-plugins --plugin compliance-planningGenerates Software Bill of Materials (SBOM) listing direct and transitive dependencies for Node.js, Python, Rust, Go, Java, PHP projects. Outputs CycloneDX or SPDX formats for CRA compliance and supply chain security.
Generates SBOMs (SPDX/CycloneDX) and build provenance (SLSA) for dependency tracking and build integrity verification. Useful for vulnerability response, compliance (US EO 14028, EU CRA), and supply chain security.
Generates SBOMs (SPDX/CycloneDX) for AI software releases and guides supply chain security practices including provenance attestation, package signing, and vulnerability scanning.