Is this limited to .NET projects?

While it contains specific examples for .NET, the core principles of SBOM management and the CycloneDX/SPDX standards apply to all software ecosystems and languages.

How does this help with regulatory compliance?

It provides templates and processes to meet requirements like US Executive Order 14028 and the EU Cyber Resilience Act (CRA) regarding software transparency and component disclosure.

What is a VEX document and why is it included?

A Vulnerability Exploitability eXchange (VEX) document allows you to clarify if a specific CVE actually affects your product, helping you communicate security status to customers and reduce false positives in scanners.

What formats does the SBOM Management skill support?

It primarily supports CycloneDX (recommended for security) and SPDX (standard for license compliance), along with guidance for SWID tags for asset management.

Can I integrate this into my build pipeline?

Yes, the skill includes specific implementation patterns for .NET (using the CycloneDX tool) and GitHub Actions to automate SBOM generation during the release process.

SBOM & Supply Chain Security

Name: SBOM & Supply Chain Security
Author: melodic-software

bymelodic-software

•

보안 및 테스팅

Generates and manages Software Bill of Materials (SBOM) to track dependencies, enhance supply chain security, and ensure regulatory compliance.

The SBOM Management skill provides comprehensive guidance for creating and maintaining machine-readable inventories of software components using industry standards like CycloneDX and SPDX. It enables developers to implement automated SBOM generation within CI/CD pipelines, manage vulnerability disclosures through VEX (Vulnerability Exploitability eXchange), and adhere to security frameworks like SLSA. Whether responding to customer requests or meeting federal requirements like Executive Order 14028, this skill helps teams secure their software supply chain and proactively identify risks within their dependency graph.

주요 기능

01Vulnerability Exploitability eXchange (VEX) documentation and tracking

02CI/CD integration for GitHub Actions and container security

03Automated SBOM generation for .NET and multi-language projects

04Support for CycloneDX and SPDX industry-standard formats

05Supply-chain Levels for Software Artifacts (SLSA) implementation guidance

0612 GitHub stars

사용 사례

01Meeting US Executive Order 14028 or EU CRA regulatory compliance requirements

02Tracking and auditing third-party library dependencies for security vulnerabilities

03Generating signed software attestations and provenance for enterprise releases

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add melodic-software/claude-code-plugins sbom-management

For use in Claude.ai and ChatGPT

Download Skill