Devii · DevOps · 2026-05-25 · 8 min read
SBOMs And Supply Chain Security: SPDX, CycloneDX, And SLSA Basics
Machine-readable bill of materials formats and provenance attestations teams export in 2026.
A **Software Bill of Materials (SBOM)** lists components, versions, and licenses in a machine-readable format. **SPDX** and **CycloneDX** are widely used standards referenced by U.S. executive guidance and industry frameworks.
**SLSA** (Supply-chain Levels for Software Artifacts) defines provenance levels from scripted builds to hardened hermetic builds. GitHub Actions, GitLab, and cloud build services can emit attestations compatible with SLSA generators.
SBOMs enable faster CVE response: map advisories to affected services without manual spreadsheet audits. They do not replace patching; they accelerate identification.
Store SBOMs per release artifact in your artifact registry. Read `slsa.dev` and NTIA minimum elements guidance when responding to customer security questionnaires.