skills/bagelhole/devops-security-agent-skills/sbom-supply-chain

sbom-supply-chain

SKILL.md

SBOM & Supply Chain Security

Improve release trust with reproducible metadata and verification gates.

When to Use This Skill

Use this skill when:

Producing SBOMs for container images or application builds
Verifying dependencies before deploy
Enforcing signed artifact and provenance policies
Preparing for SOC2, ISO 27001, or customer security reviews

Recommended Tooling

SBOM generation: Syft, CycloneDX tools
Vulnerability matching: Grype, Trivy
Signing and attestations: Cosign, Sigstore
Policy enforcement: OPA, Kyverno, admission controllers

Baseline Workflow

Generate SBOM in SPDX or CycloneDX format during CI builds.
Create provenance attestations for build steps and source commit.
Sign image digests and SBOM artifacts with keyless or managed keys.
Verify signatures and attestations before deployment.
Archive evidence for audits and incident response.

Example Commands

# Generate SBOM for an image
syft registry:ghcr.io/acme/api:1.2.3 -o cyclonedx-json > sbom.json

# Sign container image digest
cosign sign ghcr.io/acme/api@sha256:abc123...

# Attach SBOM attestation
cosign attest --predicate sbom.json --type cyclonedx ghcr.io/acme/api@sha256:abc123...

# Verify signatures
cosign verify ghcr.io/acme/api@sha256:abc123...

Related Skills

dependency-scanning - Library vulnerability triage
container-scanning - Container CVE scanning
policy-as-code - Policy enforcement

Weekly Installs

4

Repository

bagelhole/devop…t-skills

GitHub Stars

13

First Seen

14 days ago

Security Audits

Gen Agent Trust HubPass

Installed on

cline4

github-copilot4

codex4

kimi-cli4

gemini-cli4

cursor4