Skip to content
Latchkey

What Is an SBOM (Software Bill of Materials)?

A software bill of materials (SBOM) is a formal, machine-readable list of every component, library, and dependency contained in a software artifact, along with versions and relationships. Common formats include SPDX and CycloneDX. SBOMs let teams quickly answer "are we affected?" when a new vulnerability is disclosed.

Why it matters

When a vulnerability like Log4Shell appears, the first question is which builds include the affected component. Without an SBOM that answer takes days of manual auditing. Generating an SBOM during CI makes the inventory authoritative and instantly queryable.

Related concepts

  • SPDX and CycloneDX are standard SBOM formats
  • Transitive dependencies must be included, not just direct ones
  • Pairs with provenance to describe both contents and origin

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →