Solving SBOM Scrambling

Recently I did a podcast with Viktor Petersson, and we discussed his open source project, Sbomify. He has observed the same thing I have about Software Bills of Materials (SBOMs): they’re increasingly required for commercial due diligence, yet remain too hard for many companies to produce.

Unlike me, though, Viktor has done something to solve the problem.

The SBOM Problem Nobody Wants to Talk About

During customer or acquisition information security due diligence calls, I regularly witness this exchange:

Q: “Can you provide your SBOM?”

A: “Sure, uh… I’ll get that out and email it to you.”

Q: “OK, set my expectations as to when?”

A: “Uh, let me get back to you on that, probably not too long…”

I often tell CTOs and CEOs that when conducting due diligence, the time it takes to produce an SBOM is a telling indicator of development operations maturity. The more scrambling I see, the less mature I assume those operations are. I’m certain I’m not alone in this.

There’s a straightforward solution to this problem, and it’s free.

Conflict Statement

I have no financial interest in Sbomify.

Why SBOMs Still Create Problems

Many CTOs figure they can generate SBOMs through GitHub Actions. In practice, this means someone could theoretically set it up if they prioritized and maintained it.

Even in companies with more than 1,000 employees, SBOM generation often gets treated as a compliance checkbox, generated only on request or during audit prep after panicked emails from internal audit.

When companies aren’t regularly generating SBOMs, prospective customers requesting one find the engineering team either can’t locate the current version or has multiple versions scattered across repos.

One red flag for due diligence professionals, especially buy-side acquisition reviewers, comes when they review the SBOM and see open vulnerabilities in the production stack. It indicates poor practices: bad vulnerability and change management, manual processes, missing or ignored static application security testing.

With regulations like Executive Order 14028 and the EU Cyber Resilience Act making SBOMs mandatory, organizations need systematic processes rather than ad hoc approaches.

What Sbomify Does

Sbomify is a free, open source platform that automates SBOM management. It integrates with CI/CD pipelines on GitHub, GitLab, Bitbucket, Docker, and other platforms.

With each release, the latest SBOM automatically uploads to sbomify, providing stakeholders with current information.

The platform creates a trust center you can use on your website, providing a single source for SBOMs that customers, auditors, and partners access directly. Want an NDA signed before showing it? Have your web team put it behind an NDA form.

For complex software architectures, sbomify uses hierarchical grouping with products, projects, and components. Rather than flattening everything into one file that loses context, it maintains structure, letting you share individual component SBOMs, aggregate them into product-level SBOMs, or mix and match.
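As an added illustration of the product/project/component hierarchy described above (this is example code written for this post, not Sbomify’s own code or data model), the script below nests two constructed component-level CycloneDX SBOMs under project and product nodes, then walks the result so every library is listed with the component it came from, which is exactly the context a flat merge throws away.

```python
# Constructed sample input: two component-level CycloneDX 1.5 SBOMs (trimmed to what matters here).
API_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "api",
                               "version": "2.3.0", "bom-ref": "api@2.3.0"}},
    "components": [
        {"type": "library", "name": "flask", "version": "3.0.3", "purl": "pkg:pypi/flask@3.0.3"},
        {"type": "library", "name": "requests", "version": "2.32.3", "purl": "pkg:pypi/requests@2.32.3"},
    ],
}
CLI_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "cli",
                               "version": "1.8.1", "bom-ref": "cli@1.8.1"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    ],
}

def aggregate(product, version, projects):
    """Nest each component SBOM under its project and the projects under one product node.
    Component boundaries are kept, so the same package at two versions stays distinguishable."""
    project_nodes = []
    for project_name, sboms in projects.items():
        children = []
        for sbom in sboms:
            node = dict(sbom["metadata"]["component"])          # the component's own identity
            node["bom-ref"] = f"{project_name}/{node['bom-ref']}"  # keep refs unique product-wide
            node["components"] = list(sbom.get("components", []))
            children.append(node)
        project_nodes.append({"type": "application", "name": project_name,
                              "bom-ref": project_name, "components": children})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "application", "name": product,
                                       "version": version, "bom-ref": product}},
            "components": project_nodes}

def library_paths(sbom, path=()):
    """Yield (product/project/component path, purl) for every library, recursing through nesting."""
    for comp in sbom.get("components", []):
        if comp["type"] == "library":
            yield "/".join(path), comp["purl"]
        yield from library_paths(comp, path + (comp["name"],))

if __name__ == "__main__":
    product = aggregate("shop", "2024.06", {"backend": [API_SBOM], "tooling": [CLI_SBOM]})
    for path, purl in library_paths(product, ("shop",)):
        print(f"{path}: {purl}")
```

Note that `requests` appears twice at different versions; a flat list of purls would show both entries but not which component each belongs to, which is what a reviewer needs when deciding where a fix has to land.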

Common Objections

The most common pushback is that GitHub Actions already handles SBOM generation. Technically this is true, if you’ve configured it, maintained it, trained engineers on it, and solved the distribution problem.

Most organizations haven’t done all these things consistently. (“I’ll email it to you” signals you haven’t solved the distribution problem. CISA has a lot to say about this.)

But even when you solve the sharing issue, there’s still this: it’s true that GitHub can produce SBOMs, but IMHO the ones Sbomify produces are simply better; see this project, which seeks to help.

Sbomify is free and open source. You can self-host it for complete control over your data and infrastructure, or use the managed cloud service, free for one product including a trust center. There’s a premium hosted version for teams needing hosted private SBOMs and advanced features, plus an Enterprise version. Core functionality is free.

Sbomify supports both CycloneDX and System Package Data Exchange (SPDX) formats and integrates with analysis tools like Google OSV and Dependency-Track.

Why This Matters

The alternative to systematic SBOM management is continuing to scramble during due diligence and manually distributing SBOMs.

Go to sbomify.com and test it free with one project. See whether automated SBOM generation and distribution work better than manual processes.

SBOM requirements are increasing through regulation and customer expectations. The question is whether you’ll implement a systematic process now or continue handling requests reactively.