Skip to content
Latchkey

How to Generate an SBOM and Build Provenance in CI

A generated SBOM plus a signed provenance attestation lets downstream consumers verify what is in a build and how it was produced.

Supply-chain frameworks expect a software bill of materials and build provenance. This page generates a CycloneDX SBOM and a GitHub build provenance attestation. See the policy-as-code and vulnerability-gate pages for enforcement. This is educational guidance.

Steps

  • Generate a CycloneDX SBOM from the build.
  • Produce a build provenance attestation tied to the artifact digest.
  • Attach both to the release for downstream verification.

SBOM and attestation

.github/workflows/release.yml
permissions:
  id-token: write
  attestations: write
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npx @cyclonedx/cyclonedx-npm --output-file sbom.json
      - uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/app.tgz
      - uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.json

Notes

  • The provenance attestation is signed and stored so consumers can verify build origin.
  • Feed the SBOM into a vulnerability gate to fail builds with known-vulnerable dependencies.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →