Cloudflare Cowboy
← All articles

Knowledge base

The SBOM lifecycle: before and after the document

Most coverage of SBOMs stops at "here is how you generate one." Generating it is the cheap part. This walks the full lifecycle, because the value is on either side of the document.

7 min read · Updated June 26, 2026

The SBOM is the middle, not the end

Producing an SBOM is a commoditized step: a free tool can do it in seconds. The work that reduces risk and satisfies an auditor sits on either side of it. Getting an accurate inventory out of your build comes first, and operationalizing that inventory on every release comes after. Treating the document as the goal is the most common mistake.

Before the SBOM: your code and CI

Three things have to happen before the document exists:

  • Pick dependencies. You add open-source packages. Each one pulls in its own, so a few direct choices become hundreds of transitive ones.
  • Build in CI. Every build resolves the full dependency graph. That is the moment the real, shipped component list actually exists.
  • Generate the SBOM. A scanner reads the build and writes the inventory, ideally on every build so it never goes stale. Free tools like cdxgen and Syft do this, and so do commercial platforms.

The SBOM itself

The output is one machine-readable inventory, in SPDX or CycloneDX. On its own it is just a list. Everything useful happens when something reads it.

After the SBOM: where the real work is

This is the half that reduces risk, and the honest reason organizations pay for a platform instead of a CLI:

  • Ingest and normalize. Bring SBOMs and scan results from every tool, team, and format into one consistent view.
  • Analyze. Match each component against vulnerability databases (NVD, OSV, GitHub Advisory) and detect its license. This is software composition analysis.
  • Prioritize. Rank findings by whether the vulnerable code is actually reachable and exploitable, so teams fix what matters instead of every alert.
  • Enforce policy. Turn rules like "no AGPL" or "no critical vulnerabilities" into a CI check that can fail the build.
  • Remediate. Upgrade, replace, or formally accept each issue, with guidance on the lowest-impact fix.
  • Report and attribute. Produce attribution and notice files plus the audit, due-diligence, and regulator-ready reports a customer or acquirer will accept.
  • Monitor continuously. New vulnerabilities are disclosed daily, so a clean SBOM can be unsafe tomorrow.

It is a loop, not a line

The last step feeds back into analysis. The same SBOM is re-checked as new vulnerabilities land, which is why a one-time scan is never enough. The useful question is not "do you have an SBOM," it is "is your SBOM current and acted on."

Where a platform like FOSSA fits

FOSSA is one of the platforms built for the back half of this lifecycle. Mapped onto the stages, its pieces line up like this:

  • Generate and ingest SBOMs in SPDX and CycloneDX.
  • Reachability-based software composition analysis for license and vulnerability detection.
  • Risk prioritization that weighs exploitability, upgrade impact, and effort.
  • Policy enforcement wired into CI.
  • Container and binary analysis, plus snippet detection and checks on AI-generated code (its AI Coding Guardrails).
  • Unified compliance and governance reporting for audits, due diligence, and supplier risk.

The point is not the brand. It is that the lifecycle has a commoditized, automatable middle and a hard, ongoing back half, and that back half is the actual product.

Frequently asked questions

What is the SBOM lifecycle?

The end-to-end process around a Software Bill of Materials: choosing dependencies and building in CI, generating the SBOM, then ingesting, analyzing, prioritizing, gating in CI, remediating, reporting, and continuously monitoring it as new vulnerabilities appear.

What happens before an SBOM is generated?

You select open-source dependencies and build the project in CI. The build resolves the full dependency graph, and the SBOM is generated from that build so it reflects what actually ships.

What happens after an SBOM is created?

It is analyzed against vulnerability and license data, findings are prioritized and enforced as a CI policy gate, issues are remediated, attribution and compliance reports are produced, and the inventory is monitored continuously.

Why is SBOM management a continuous process?

New vulnerabilities are disclosed every day, so an SBOM that was clean yesterday can be unsafe today without any code change. The same inventory has to be re-evaluated on an ongoing basis, which makes it a loop rather than a one-time task.

Where does a platform like FOSSA fit in the lifecycle?

Mainly the stages after the SBOM is created: ingesting SBOMs, reachability-based analysis of licenses and vulnerabilities, risk prioritization, CI policy enforcement, remediation guidance, attribution, and compliance and governance reporting.

Keep reading

What is an SBOM? A Software Bill of Materials is a complete, machine-readable inventory of everything your software is built from. Here is what that means, what goes in one, and why it has become a requirement rather than a nice-to-have. What is software composition analysis (SCA)? If an SBOM is the inventory of what your software is made of, software composition analysis is what reads that inventory and tells you where the risk is. Who needs an SBOM? The regulations driving demand A few years ago an SBOM was a nice-to-have. Now it is a procurement requirement in several major markets. Here is who is mandating them and when. How to implement FOSSA: a setup and CI-gating checklist Standing up software composition analysis is less about the scan and more about the gate. This walks the full path on a real repository: connect, read the first scan, set policy, and wire CI so a bad dependency cannot be merged. Every step here was run on this site.

Sources

Part of the software supply-chain field notes on this site. Written by Antoni K Pestka.