generated from coulomb/repo-seed
1.1 KiB
1.1 KiB
Pattern: SBOM-per-Release
Status: seed Readiness target: RL3 production Primary owners: artifact-store, product repos Genesis family: Supply chain
Problem
Teams cannot assess exposure, license risk, or incident impact if release components are not recorded.
Context
Use this pattern for containers, packages, product releases, platform images, and deployable artifacts.
Forces
- SBOM generation should be automated.
- SBOMs need to stay attached to release artifacts.
- Consumers need stable formats and storage.
- Vulnerability triage needs component evidence.
Solution
Generate a software bill of materials for each release artifact and store it with artifact metadata, provenance, signature, and deployment records.
Verification
- Each production release has an SBOM.
- SBOMs are stored with immutable artifact identity.
- Vulnerability scans can reference SBOM components.
- Release promotion checks require SBOM presence.
Related Patterns
- Supply-Chain Provenance.
- SLSA Build Provenance.
- Signed Container Images.
- Protected Main Branch.