This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-sbom-per-release.md

1.1 KiB

Pattern: SBOM-per-Release

Status: seed Readiness target: RL3 production Primary owners: artifact-store, product repos Genesis family: Supply chain

Problem

Teams cannot assess exposure, license risk, or incident impact if release components are not recorded.

Context

Use this pattern for containers, packages, product releases, platform images, and deployable artifacts.

Forces

  • SBOM generation should be automated.
  • SBOMs need to stay attached to release artifacts.
  • Consumers need stable formats and storage.
  • Vulnerability triage needs component evidence.

Solution

Generate a software bill of materials for each release artifact and store it with artifact metadata, provenance, signature, and deployment records.

Verification

  • Each production release has an SBOM.
  • SBOMs are stored with immutable artifact identity.
  • Vulnerability scans can reference SBOM components.
  • Release promotion checks require SBOM presence.
  • Supply-Chain Provenance.
  • SLSA Build Provenance.
  • Signed Container Images.
  • Protected Main Branch.