SBOM Attestation
Definition
SBOM Attestation is a signed statement, issued by a party with a known identity (typically the build system or the vendor), that a specific Software Bill of Materials (SBOM) describes a specific software artifact. An SBOM is an inventory of the components, libraries, and dependencies that make up a piece of software; on its own it is just a document that anyone could edit or swap. The attestation binds the SBOM to the artifact, normally by the artifact's cryptographic digest, and signs that binding, most commonly as an in-toto Statement carried in a DSSE envelope (the layout used by tools such as cosign and by SLSA provenance). A consumer verifies three things before trusting the SBOM: that the signature was made by an expected key, that the statement has not been altered since it was signed, and that the subject digest matches the artifact actually in hand. Note what attestation does not prove: a valid signature says nothing about whether the SBOM is accurate or complete, only that the signer vouched for it. Accuracy depends on how the SBOM was produced (ideally by the build itself rather than by scanning a finished binary) and has to be assessed separately from the signature check.
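The binding-and-verification flow described above, as an added example in Go that is not part of this page or of any particular tool's code base: the producer side builds an in-toto Statement whose subject is the artifact's SHA-256 digest and whose predicate is a CycloneDX SBOM, wraps it in a DSSE envelope signed with Ed25519 (the layout cosign and in-toto tooling use), and the consumer side verifies it the way a CI gate or admission controller should. The key ID, artifact bytes and SBOM content are constructed for the demo; a real deployment would fetch the envelope from a registry or transparency log and take the public key from a pinned trust root, never from the envelope itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Statement is the in-toto Statement v1 layout: subject names the artifact by digest, predicate is the SBOM.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}
// Envelope is a DSSE envelope: base64 payload plus signatures over PAE(payloadType, payload).
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

const (
	statementType = "https://in-toto.io/Statement/v1"
	payloadType   = "application/vnd.in-toto+json"
	sbomPredicate = "https://cyclonedx.org/bom" // SPDX SBOMs use https://spdx.dev/Document instead
)

// pae is DSSE Pre-Authentication Encoding; signing it rather than the bare payload also binds the payload type.
func pae(typ string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(payload), payload))
}

// Attest is the producer side: bind sbom to the artifact's sha256 digest and sign the statement.
func Attest(priv ed25519.PrivateKey, keyID, name string, artifact, sbom []byte) (*Envelope, error) {
	d := sha256.Sum256(artifact)
	body, err := json.Marshal(Statement{
		Type:          statementType,
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": hex.EncodeToString(d[:])}}},
		PredicateType: sbomPredicate,
		Predicate:     sbom,
	})
	if err != nil {
		return nil, err // an SBOM that is not valid JSON is rejected here, before anything is signed
	}
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pae(payloadType, body)))
	return &Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{KeyID: keyID, Sig: sig}}}, nil
}

// Verify is the consumer side. It returns the SBOM only if a key from the trusted set signed the envelope,
// the statement is an SBOM attestation, and its subject digest matches the artifact actually in hand.
func Verify(env *Envelope, trusted map[string]ed25519.PublicKey, artifact []byte) (json.RawMessage, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	signed := false
	for _, s := range env.Signatures {
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		if pub, ok := trusted[s.KeyID]; ok && err == nil && ed25519.Verify(pub, pae(env.PayloadType, body), raw) {
			signed = true // signatures by keys outside the trusted set carry no weight
		}
	}
	if !signed {
		return nil, fmt.Errorf("no valid signature from a trusted key")
	}
	var stmt Statement
	if err := json.Unmarshal(body, &stmt); err != nil {
		return nil, err
	}
	if env.PayloadType != payloadType || stmt.Type != statementType || stmt.PredicateType != sbomPredicate {
		return nil, fmt.Errorf("not an SBOM attestation: %q %q %q", env.PayloadType, stmt.Type, stmt.PredicateType)
	}
	want := sha256.Sum256(artifact)
	for _, subj := range stmt.Subject {
		if subj.Digest["sha256"] == hex.EncodeToString(want[:]) {
			return stmt.Predicate, nil
		}
	}
	return nil, fmt.Errorf("attestation subject does not match this artifact")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	artifact := []byte("constructed stand-in for a release binary or image layer")
	sbom := []byte(`{"bomFormat":"CycloneDX","specVersion":"1.5","components":[]}`) // constructed minimal SBOM
	env, _ := Attest(priv, "release-key", "app:1.0.0", artifact, sbom)
	got, err := Verify(env, map[string]ed25519.PublicKey{"release-key": pub}, artifact)
	fmt.Printf("genuine: err=%v sbom=%s\n", err, got)
}
```

The same envelope presented for a different artifact, signed by a key not in the trusted set, or with a single byte of the SBOM changed after signing is rejected by Verify; those are exactly the three failure modes the definition lists, and a verifier that checks only "is there a signature" catches just one of them.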
Secure Settings Example
# Illustrative policy (the JSON schema below is not a specific tool's format) held in a
# ConfigMap so the verifier can read it. "signingKey" names the public key used to check
# signatures; the private signing key stays with the producer and never goes in a ConfigMap.
# A signature check alone is not enough: the verifier must also confirm that the attestation's
# subject digest matches the artifact being admitted.
apiVersion: v1
kind: ConfigMap
metadata:
  name: sbom-attestation
data:
  attestation-policy: |
    {
      "version": "1.0",
      "attestation": {
        "signingKey": "path/to/public/key.pem",
        "verification": {
          "requireSignature": true,
          "trustedSources": [
            "https://trusted-source.example.com"
          ]
        }
      }
    }
Insecure Settings Example
# The same policy with verification effectively switched off: no key is pinned, unsigned SBOMs
# are accepted, and the empty trustedSources list pins no origin. Anyone who can publish or
# modify an SBOM can then present a clean inventory for a compromised artifact and it will pass.
apiVersion: v1
kind: ConfigMap
metadata:
  name: sbom-attestation
data:
  attestation-policy: |
    {
      "version": "1.0",
      "attestation": {
        "signingKey": "",
        "verification": {
          "requireSignature": false,
          "trustedSources": []
        }
      }
    }