This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-sbom-per-release.md

44 lines
1.1 KiB
Markdown

# Pattern: SBOM-per-Release
Status: seed
Readiness target: RL3 production
Primary owners: artifact-store, product repos
Genesis family: Supply chain
## Problem
Teams cannot assess exposure, license risk, or incident impact if
release components are not recorded.
## Context
Use this pattern for containers, packages, product releases, platform
images, and deployable artifacts.
## Forces
- SBOM generation should be automated.
- SBOMs need to stay attached to release artifacts.
- Consumers need stable formats and storage.
- Vulnerability triage needs component evidence.
## Solution
Generate a software bill of materials for each release artifact and
store it with artifact metadata, provenance, signature, and deployment
records.
## Verification
- Each production release has an SBOM.
- SBOMs are stored with immutable artifact identity.
- Vulnerability scans can reference SBOM components.
- Release promotion checks require SBOM presence.
## Related Patterns
- Supply-Chain Provenance.
- SLSA Build Provenance.
- Signed Container Images.
- Protected Main Branch.