Implementing Software Bill of Materials (SBOM) in Enterprise CI/CD Pipelines

A practical guide for implementing SBOM generation, artifact signing, and provenance tracking in enterprise environments, aligned with Executive Order 14028 requirements.

Introduction

Executive Order 14028 (May 2021) mandates that federal agencies and their software suppliers implement software supply chain security measures, including:

- Software Bill of Materials (SBOM) generation
- Artifact signing and provenance verification
- Secure software development practices

The urgency of these requirements was underscored by high-profile supply chain attacks:

- SolarWinds (2020): Compromised build system affected 18,000+ organizations, including federal agencies
- Log4Shell (2021): CVE-2021-44228 exposed the challenge of identifying affected components across enterprise software portfolios
- Codecov (2021): CI/CD pipeline compromise demonstrated supply chain attack vectors

This article provides a hands-on implementation guide based on real-world enterprise deployments in the healthcare, financial services, and telecommunications sectors. ...

November 15, 2025 · 7 min · Gustavo de Oliveira Ferreira