Generating build-time SBOMs with CycloneDX and Kondukto
As applications grow more complex, they incorporate many third-party libraries and open-source components, often making it challenging to fully understand and manage the security risks they introduce. To address these concerns, application security engineers are increasingly turning to tools that provide greater visibility and control over software components.
Ensuring the security and compliance of modern software systems is a critical task for application security engineers. One powerful tool in achieving these goals is the Software Bill of Materials (SBOM). An SBOM provides a comprehensive inventory of all components within a software application, offering transparency and insight into its composition. When generated at build time, an SBOM becomes even more valuable, enhancing operational efficiency and trust.
This guide will explore how to generate build-time SBOMs using Cyclone-DX plugin and how to integrate them with the Kondukto Platform, empowering organizations to bolster their security posture and meet compliance requirements effectively.
Benefits of SBOM at Build Time
- Enhanced Transparency and Vulnerability Management
An SBOM provides a clear, real-time inventory of all software components, enabling organizations to identify vulnerabilities quickly and apply security measures proactively. When generated at build time, the SBOM captures the exact composition of each software version, ensuring up-to-date visibility into dependencies and their security status.
- Regulatory Compliance
With industry standards and regulations like GDPR, HIPAA, and mandates from governments worldwide now requiring SBOMs, especially in critical sectors, the ability to generate SBOMs at build-time ensures that organizations are always compliant. Each build’s SBOM reflects current software requirements, supporting audit readiness and satisfying regulatory requirements without the need for manual updates.
- Supply Chain Security
By creating an SBOM at build time, security teams can accurately assess and verify each software component’s origin and trustworthiness, including third-party and open-source libraries. This immediate insight reduces supply chain risks and helps detect potential security threats early in the development process.
- Incident Response and Forensics
An SBOM generated during the build process provides a precise component record, helping incident response teams quickly identify affected dependencies and trace vulnerabilities in the event of a breach. This rapid visibility into software composition enables faster threat containment and streamlines recovery efforts.
- Software Maintenance and Lifecycle Management
Software components can become outdated over time, and an SBOM tracks these components, supporting their timely replacement with secure, updated versions. By generating SBOMs at each build, teams can also monitor compatibility and prevent conflicts, ensuring that all dependencies are current and functional throughout the software lifecycle.
- Increased Accountability and Customer Confidence
Providing customers with an SBOM shows a commitment to security, transparency, and best practices, strengthening trust. It also reduces organizational liability by demonstrating proactive management of security, compliance, and quality, which is especially valuable in regulatory and contractual scrutiny.
Generating SBOMs at build time creates a solid foundation for security management, compliance, and software quality by offering real-time transparency into components and dependencies, which is critical for both ongoing security and regulatory alignment.
Integrating Cyclone-DX with Kondukto
In the following example, I will show you step-by-step how you can generate SBOMs using CycloneDX, an open-source and ECMA certified standard maintained by OWASP, and the Kondukto Platform:
For this example, I am using a buildable dotnet application on my local drive, which I cloned from the following repository: https://github.com/luispereira2024/aspnetcore-realworld-example-app.git
Using the dotnet cyclonedx plugin (https://github.com/CycloneDX/cyclonedx-dotnet), we can generate the SBOM for the given project running the following command, which generates an XML BOM file.
dotnet CycloneDX Conduit.sln -o .
To import the SBOM into Kondukto, it is necessary to use a JSON BOM instead of XML though. To do this, we execute the following command in order to get the bom.json file.
dotnet CycloneDX -j Conduit.sln -o .
You can also use docker.
docker run --rm -v $PWD:/src cyclonedx/cyclonedx-dotnet /src/Conduit.sln -rs -o /src -j
Import the SBOM into the Kondukto Platform using KDT
KDT is an open-source command line client for Kondukto. With the following KDT command we can now import the results onto our Kondukto project.
kdt sbom import -p aspnetcore-example-ap -b master -f bom.json -v
How to automatically generate SBOMs in your CI/CD pipeline
You can also generate SBOMs directly in your pipelines with CycloneDX and Kondukto. The following example is using GitHub Actions to demonstrate how this works.
The example workflow enables you to generate an SBOM with CycloneDX and seamlessly import it right into Kondukto. Make sure to configure the necessary secrets in your GitHub repository:
name: Build, Test, and Generate SBOM
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-dotnet@v4
with:
dotnet-version: 8.0.204
# Restore, build, and test .NET project
- run: |
dotnet restore build/build.csproj
dotnet build build/build.csproj
dotnet test build/build.csproj
# Install CycloneDX CLI for SBOM generation
- name: Install CycloneDX CLI
run: dotnet tool install --global CycloneDX
# Install Kondukto CLI for SBOM import
- name: Install Kondukto CLI
run: |
curl -sSL https://cli.kondukto.io | sudo sh
# Generate SBOM with CycloneDX
- name: Generate SBOM
run: |
dotnet CycloneDX Conduit.sln -j -o out
ls -al
shell: bash
# Import SBOM into Kondukto
- name: Import SBOM to Kondukto
env:
KONDUKTO_HOST: https://konduktolab.kondukto.io
KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_SECRETS1 }}
run: |
kdt sbom import -p aspnetcore-example-ap -f out/bom.json -b main
Once the workflow completes, the generated SBOM will be automatically imported into your Kondukto Platform account. You can then view the SBOM details under the “Project > SBOM” section in the Kondukto Platform.
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30)){kind=logo}
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))