Generates SBOMs (SPDX/CycloneDX) for AI software releases and guides supply chain security practices including provenance attestation, package signing, and vulnerability scanning.
Slash command: `/prodsec-skills:sbom-provenance`
All releases of AI software MUST include a Software Bill of Materials (SBOM) to provide transparency about the components and dependencies included in the software.
| Component | Details |
|---|---|
| Direct dependencies | All libraries and packages directly used |
| Transitive dependencies | Dependencies of dependencies |
| Versions | Exact versions of all components |
| Licenses | License information for each component |
| Hashes | Cryptographic hashes for integrity verification |
| Supplier information | Who provides each component |
| Format | Description |
|---|---|
| SPDX | ISO standard (ISO/IEC 5962:2021); widely supported |
| CycloneDX | OWASP standard; strong security focus |
```bash
# Generate SBOM for a container image (CycloneDX)
syft registry.example.com/mcp-server:v1.0.0 -o cyclonedx-json > sbom.json

# Generate SBOM for a Python project (SPDX)
syft dir:. -o spdx-json > sbom.spdx.json
```
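As an added example (not part of the prodsec-skills skill itself), the following Python check reads a CycloneDX JSON SBOM such as the one syft emits above and reports every component that lacks the version, license, hash or supplier data listed in the components table. The SBOM it runs on is constructed inline; the component names and hash values are made up.

```python
import json
from typing import Dict, List

# Constructed CycloneDX 1.5 document (not real syft output): one complete
# component and one that is missing version, licenses, hashes and supplier.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "library", "name": "requests", "version": "2.31.0",
            "purl": "pkg:pypi/requests@2.31.0",
            "licenses": [{"license": {"id": "Apache-2.0"}}],
            "hashes": [{"alg": "SHA-256", "content": "0" * 64}],
            "supplier": {"name": "Python Software Foundation"},
        },
        {
            "type": "library", "name": "leftpad-ish", "version": "",
            "purl": "pkg:pypi/leftpad-ish",
        },
    ],
})

# Fields every component in a release SBOM should carry (see table above).
REQUIRED = ("version", "licenses", "hashes", "supplier")


def check_sbom(sbom_json: str) -> Dict[str, List[str]]:
    """Return {component purl or name: [missing fields]} for components that
    lack required data; an empty dict means the SBOM passes the check."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX JSON document")
    findings: Dict[str, List[str]] = {}
    for comp in sbom.get("components", []):
        missing = [field for field in REQUIRED if not comp.get(field)]
        # A hash list with no usable SHA-256 digest (64 hex chars) is as
        # useless for integrity verification as no hash at all.
        if "hashes" not in missing and not any(
            h.get("alg") == "SHA-256" and len(h.get("content", "")) == 64
            for h in comp["hashes"]
        ):
            missing.append("hashes")
        if missing:
            findings[comp.get("purl") or comp.get("name", "?")] = missing
    return findings


if __name__ == "__main__":
    for ref, gaps in check_sbom(SAMPLE_SBOM).items():
        print(f"{ref}: missing {', '.join(gaps)}")
```

Point the same function at a real `sbom.json` to gate a release pipeline on SBOM completeness before signing or publishing.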
Beyond the SBOM, generate build provenance that attests:
The SLSA (Supply Chain Levels for Software Artifacts) framework provides a maturity model for build provenance.
When consuming or publishing packages through package managers (NPM, NuGet, Maven, pip, etc.):
dotnet list package --vulnerable)

```bash
npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skills
```