How to Generate an SBOM and Build Provenance in CI
A generated SBOM plus a signed provenance attestation lets downstream consumers verify what is in a build and how it was produced.
Supply-chain frameworks expect a software bill of materials and build provenance. This page generates a CycloneDX SBOM and a GitHub build provenance attestation. See the policy-as-code and vulnerability-gate pages for enforcement. This is educational guidance.
Steps
- Generate a CycloneDX SBOM from the build.
- Produce a build provenance attestation tied to the artifact digest.
- Attach both to the release for downstream verification.
SBOM and attestation
.github/workflows/release.yml
permissions:
id-token: write
attestations: write
contents: read
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: npx @cyclonedx/cyclonedx-npm --output-file sbom.json
- uses: actions/attest-build-provenance@v1
with:
subject-path: dist/app.tgz
- uses: actions/upload-artifact@v4
with:
name: sbom
path: sbom.jsonNotes
- The provenance attestation is signed and stored so consumers can verify build origin.
- Feed the SBOM into a vulnerability gate to fail builds with known-vulnerable dependencies.
Related guides
How to Add Vulnerability Gates to CIFail a GitHub Actions build on high or critical vulnerabilities with Trivy, a common SOC 2 and PCI expectatio…
How to Require Signed Commits in CIRequire signed commits with a GitHub ruleset and verify signatures in CI, so every change in the audit trail…
How to Produce Reproducible Builds as EvidenceMake CI builds reproducible in GitHub Actions with pinned toolchains and SOURCE_DATE_EPOCH, then verify by re…