How To Generate and Audit SBOM In a CI/CD Pipeline

<!-- snip -->
<plugins>
  <plugin>
     <groupId>org.cyclonedx</groupId>
     <artifactId>cyclonedx-maven-plugin</artifactId>
     <version>2.6.2</version>
     <executions>
        <execution>
           <phase>package</phase>
           <goals>
              <goal>makeAggregateBom</goal>
           </goals>
        </execution>
     </executions>
     <configuration>
         <outputFormat>Json</outputFormat>
     </configuration>
  </plugin>
</plugins>
<!-- snip -->

target
|--- bom.json
|--- bom.xml
|--- classes
|    |--- hello
|         |--- HelloWorld.class
|-------- generated-sources
|         |--- annotations
|--- gs-maven-0.1.0.jar
|--- maven-archiver
|    |--- pom.properties 
|--- maven-status
     |--- maven-compiler-plugin
          |--- compile
               |--- default-compile
                    |--- createdFiles.lst
                    |--- inputFiles.lst

<!-- snip -->
<plugins>
  <plugin>
     <dependency>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>7.1.0</version>
        <configuration>
          <format>JSON</format>
          <cveStartYear>2010</cveStartYear>
        </configuration>
        <type>maven-plugin</type>
        <executions>
           <execution>
              <goals>
                 <goal>check</goal>
              </goals>
           </execution>
        </executions>
     </dependency>
  </plugin>
</plugins>
<!-- snip -->

target
|--- dependency-check.json
|--- classes
|    |--- hello
|         |--- HelloWorld.class
|-------- generated-sources
|         |--- annotations
|--- gs-maven-0.1.0.jar
|--- maven-archiver
|    |--- pom.properties 
|--- maven-status
     |--- maven-compiler-plugin
          |--- compile
               |--- default-compile
                    |--- createdFiles.lst
                    |--- inputFiles.lst

pipeline {
  agent {
     docker {
        image 'maven:3-alpine'
        args '-v /root/.m2:/root/.m2'
     }
  }
  stages {
     stage("SCM Checkout") {
        steps {
           // clone the repository
           git 'https://github.com/CSPF-Founder/JavaVulnerableLab.git'
        }
     }
     stage("Build and Initiate SCA & SBOM Scans") {
        steps {
           // Build the application and run Dependency-Check-Maven & CodeDX SBOM plugins
           sh "mvn -B -DskipTests clean verify"
           // Import the findings to Kondukto
           sh "/usr/local/bin/kdt --config=/etc/kondukto.yaml sbom import -p JavaVulnerableLab -f target/bom.json -b main"
        }
     }
     stage("Publish") {
        steps {
           // publish the app to the prod
           sh "echo 'Publish'"
        }
     }
  } // end of stages
}

Get A Demo

GH Actions changed-files supply chain attack: What happened?

Cenk Kalpakoğlu - 18 Mar 2025

Customizable Roles and Permission in ASPM Platforms

Can Taylan Bilgin - 27 Feb 2025

The Advantage of Using VEX SBOMs

Ben Strozykowski - 18 Feb 2025

Generating build-time SBOMs with CycloneDX and Kondukto

Luis Pereira - 20 Jan 2025

Okta vulnerability explained (bcrypt auth bypass)

Cenk Kalpakoğlu - 05 Nov 2024

eBPF Vulnerabilities: Ecosystem and Security Model

Andreas Wiese - 31 Oct 2024

Ruby affected by CVE-2024-45409

Kondukto Security Team - 09 Oct 2024

Secure CodingAppSec

Linux Kernel effected by CVE-2023-2163

Kondukto Security Team - 04 Oct 2024

ASPMDevSecOps

Empowering Developers in AppSec: Scaling and Metrics

Andreas Wiese - 19 Sep 2024

DevSecOpsAppSecASPM

Protecting APIs of Modern Applications

Kondukto Security Team - 13 Sep 2024

DevSecOpsAppSec

Empowering Developers in AppSec: Triage and Collaboration

Andreas Wiese - 09 Sep 2024

DevSecOpsSecure CodingAppSec

Enhancing Vulnerability Management with Threat Intelligence

Andreas Wiese - 20 Aug 2024

AppSecUnified Vulnerability Management

Enhancing AppSec through Fuzzing in CI/CD Pipelines

Kondukto Security Team - 01 Aug 2024

Secure CodingAppSec

Git SCM affected by CVE-2024-32002

Ali Köse - 20 Jun 2024

Unified Vulnerability ManagementDevSecOps

Bring-Your-Own-Data (BYOD) to the Kondukto Platform

Cenk Kalpakoğlu - 04 Jun 2024

Google Cloud affected by CVE-2021-30476

Kondukto Security Team - 13 May 2024

DevSecOpsUnified Vulnerability Management

kntrl integrates Open Policy Agent

Cenk Kalpakoğlu - 09 May 2024

Supply Chain SecurityDevSecOpskntrl

4 Ways to Improve AppSec Accountability

Andreas Wiese - 02 May 2024

Secure CodingSASTAppSec

Securing CI/CD Runners through eBPF

Cenk Kalpakoğlu - 01 Apr 2024

AppSecSupply Chain Securitykntrl

Introducing kntrl: Enhancing CI/CD Security with eBPF

Cenk Kalpakoğlu - 14 Mar 2024

kntrlSupply Chain SecurityDevSecOps

Supply Chain Security Snags

Andreas Wiese - 07 Mar 2024

Supply Chain SecuritySBOMDevSecOps

Microsoft Azure CLI affected by CVE-2022-39327

Kondukto Security Team - 28 Feb 2024

Unified Vulnerability ManagementAppSecDevSecOps

Splunk Enterprise affected by CVE-2023-40598

Kondukto Security Team - 05 Feb 2024

Unified Vulnerability ManagementAppSecDevSecOps

Running DAST in CI/CD for Regression Testing

Andreas Wiese - 23 Jan 2024

DASTDevSecOpsAppSec

Why SBOM Matters infographic

Andreas Wiese - 15 Jan 2024

Supply Chain SecuritySBOM

Create SBOM on Gradle with the CycloneDX Plugin

Alperen Örsdemir - 10 Jan 2024

ASPMSupply Chain SecuritySBOM

Enhancing Security with eBPF: Use Cases Explored

Cenk Kalpakoğlu - 28 Dec 2023

DevSecOpsContainer Security

A Look into Modern Security Orchestration

Can Taylan Bilgin - 26 Dec 2023

ASPMAppSecDevSecOps

How Malicious Code Enters Applications

Andreas Wiese - 07 Dec 2023

Supply Chain SecurityAppSecASPM

ASPM and Security Testing Orchestration

Can Taylan Bilgin - 28 Nov 2023

Supply Chain SecuritySASTASPM

Container Security: A Quick Overview

Andreas Wiese - 21 Nov 2023

Container SecurityDevSecOpsAppSec

Unveiling Java Library Vulnerabilities

Alperen Örsdemir - 31 Oct 2023

Supply Chain SecurityAppSec

Get Management Buy-in with AppSec Metrics

Cenk Kalpakoğlu - 17 Oct 2023

Secure CodingDevSecOpsAppSec

How to Streamline Vulnerability Management

Can Taylan Bilgin - 27 Sep 2023

ASPMDevSecOps

AI Remediation: A massive time-saver

Cenk Kalpakoğlu - 07 Sep 2023

Machine LearningSecure CodingAppSec

How to Shift-Left Better with Git Hooks

Cenk Kalpakoğlu - 22 Aug 2023

DevSecOpsAppSec

A Guide to Becoming a Product Security Engineer

Cenk Kalpakoğlu - 10 Jul 2023

AppSec

Top 10 Reasons To Implement An ASPM Right Now!

Can Taylan Bilgin - 30 May 2023

DevSecOpsAppSec

Demo Hub launched for Kondukto Technology Partners

Andreas Wiese - 25 Apr 2023

PartnershipsAppSecASPM

Winning Management Support as an AppSec Leader

Can Taylan Bilgin - 18 Apr 2023

DevSecOpsAppSec

How To Get Developer Buy-In For AppSec Programs

Can Taylan Bilgin - 08 Mar 2023

AppSecDevSecOps

How to integrate continuous API fuzzing into the CI/CD?

Cenk Kalpakoğlu - 17 Jan 2023

DevSecOpsAppSec

OpenAI (ChatGPT) Vulnerability Remediation Concept Work

Suphi Cankurt - 13 Dec 2022

Secure CodingAppSec

OWASP ASVS with your security testing tools

Suphi Cankurt - 28 Nov 2022

ASVSAppSec

Application Security Engineer: Salary, Skills, Requirements

Suphi Cankurt - 10 Oct 2022

AppSec

The Economics of ASPM

Can Taylan Bilgin - 27 Sep 2022

AppSec

Announcing Our Seed Round

Can Taylan Bilgin - 05 Sep 2022

What is Application Security Orchestration and Correlation?

Can Taylan Bilgin - 30 Aug 2022

AppSec

Dockerfile Security Best Practices with Semgrep

Cenk Kalpakoğlu - 25 Aug 2022

5 Essential Skills to Become a DevSecOps Engineer

Barış Ekin Yıldırım - 22 Jul 2022

DevSecOps

3 Ways Using ASVS Can Help Your Organization

Can Taylan Bilgin - 01 Jul 2022

ASVSDevSecOpsAppSec

How to boost SAST performance?

Cenk Kalpakoğlu - 20 Jun 2022

SASTDevSecOpsAppSec

Insecure Deserialization

Barış Ekin Yıldırım - 07 Jun 2022

Secure CodingAppSecInsecure Deserialization

Software Bill of Materials(SBOM) 101

Barış Ekin Yıldırım - 03 May 2022

Supply Chain SecuritySBOMDevSecOps

5 Common Mistakes in DevSecOps

Cenk Kalpakoğlu - 13 Apr 2022

DevSecOpsAppSec

5 Use Cases of Kondukto CLI in CI/CD pipelines

Can Taylan Bilgin - 24 Jan 2022

DevSecOpsAppSec

Vulnerability Management In Your GitFlow

Can Taylan Bilgin - 16 Sep 2021

Secure CodingAppSec

Security Training for Developers with Avatao

Can Taylan Bilgin - 05 Aug 2021

Secure CodingAppSec

The Essence of DevSecOps: Aligning Multiple Teams

Can Taylan Bilgin - 01 May 2021

DevSecOpsAppSec

How to Get the Most Out of Security Training for Developers

Can Taylan Bilgin - 23 Feb 2021

Secure CodingAppSec

Defensive Programming Tips-2: LDAP Injection

Cenk Kalpakoğlu - 21 Jan 2021

AppSecSecure Coding

4 Key Benefits of Application Security Orchestration

Can Taylan Bilgin - 30 Sep 2020

AppSec

Cybersecurity As a Marketing Activity

Can Taylan Bilgin - 25 Aug 2020

AppSec

Defensive Programming Tips-1: Bad URL Handling Patterns

Cenk Kalpakoğlu - 20 Jul 2020

AppSec

Software Developers : Scapegoats For Security Vulnerabilities

Can Taylan Bilgin - 18 Jun 2020

DevSecOps

5 Circular Phases of Sec in DevSecOps

Can Taylan Bilgin - 26 May 2020

DevSecOps

Keep Applications Secure While Keeping Your Distance

Can Taylan Bilgin - 08 Apr 2020

AppSec

DevOps vs DevSecOps Differences

Can Taylan Bilgin - 20 Feb 2020

DevSecOps

Secure Software Development Life Cycle: Beginners Guide

Can Taylan Bilgin - 23 Jan 2020

DevSecOps

How To Improve AppSec Posture For Starters

Can Taylan Bilgin - 29 Nov 2019

AppSec

Why Care About Application Security At All?

Can Taylan Bilgin - 14 Oct 2019

AppSec

Damage Limitation Strategies for Developers

Cenk Kalpakoğlu - 19 Sep 2019

Secure Coding

Automating Issue Assignment In Vulnerability Management

Kondukto - 01 Jul 2019

AppSec

What Is The Optimal Security Scan Time For My Applications?

Can Taylan Bilgin - 22 May 2019

AppSec

Keep An Eye On Your Remediation Performance

Can Taylan Bilgin - 11 Apr 2019

AppSec

Benefits of Using SAST And DAST In Tandem

Kondukto - 29 Jan 2019

SASTAppSec

Why Should “Heap Inspection” Not Be Marked As False Positive?

Cenk Kalpakoğlu - 09 Nov 2018

Secure CodingAppSec

Beginning AppSec Training Program for Developers

Cenk Kalpakoğlu - 10 Oct 2018

Secure Coding