SBOM & License Review Checklist

Inputs

  • SBOM (artifacts/sbom.json and/or sbom-image.json)
  • License scan summary (artifacts/license-scan.txt)
  • Release candidate image reference

Steps

  1. SBOM presence — SBOM exists for source and image; includes versions and package types.
  2. Top dependencies — Spot-check top 10 packages: versions pinned, no obvious abandonware.
  3. Vuln cross-check — Ensure every Trivy High/Critical finding is fixed in the RC or time-boxed via a documented exception.
  4. License policy — Confirm no DISALLOWED licenses; attach approve/deny notes if any edge cases.
  5. Provenance (if used) — Verify that the Cosign signature bundle is present and that signature verification of the RC image succeeds.
  6. Document — Reviewer, date, outcome, links to PRs/exceptions.

Release gate (pass if…)

  • SBOM present and parsable
  • No DISALLOWED licenses
  • No unaddressed High/Critical vulns in RC
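
An automated form of the release gate (covering steps 1, 3 and 4 above), added here as an example; it is not part of this checklist and is not code from Trivy, Cosign or any SBOM tool. It assumes a CycloneDX-style SBOM JSON (components carrying name, version, type and licenses) and a Trivy-style JSON report (Results[].Vulnerabilities[] with VulnerabilityID and Severity). The sample SBOM, report, DISALLOWED list and exception register inside the block are constructed for the example.

```python
"""Release-gate check: SBOM parsable, no DISALLOWED licenses, no open High/Critical.

Added example, not part of the checklist or of any tool it names.
Assumes a CycloneDX-style SBOM and a Trivy-style JSON report; all sample
documents below are constructed for this example.
"""
import json

# Constructed policy: licenses the gate treats as DISALLOWED, and blocking severities.
DISALLOWED_LICENSES = {"AGPL-3.0-only", "SSPL-1.0"}
BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}

# Constructed sample SBOM (CycloneDX 1.4 subset). One component uses a DISALLOWED license.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "leftpad-clone", "version": "0.1.0",
         "licenses": [{"license": {"id": "SSPL-1.0"}}]},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "licenses": [{"license": {"name": "MIT License"}}]},
    ],
})

# Constructed sample Trivy-style report; vulnerability ids are placeholders.
SAMPLE_TRIVY = json.dumps({"Results": [{"Target": "python", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "urllib3", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "requests", "Severity": "LOW"},
]}]})

# Constructed exception register (step 6): vulnerability id -> ISO expiry date of the exception.
SAMPLE_EXCEPTIONS = {"CVE-EXAMPLE-0001": "2099-01-01"}


def load_sbom(text):
    """Step 1: the SBOM must parse and every component must carry a version and a type.
    Returns (components, problems); components is empty when the SBOM is unusable."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        return [], [f"SBOM not parsable: {e}"]
    components = doc.get("components")
    if not isinstance(components, list) or not components:
        return [], ["SBOM has no components"]
    problems = []
    for c in components:
        if not c.get("version"):
            problems.append(f"{c.get('name', '?')}: missing version")
        if not c.get("type"):
            problems.append(f"{c.get('name', '?')}: missing package type")
    return components, problems


def component_licenses(component):
    """Collect the SPDX ids, free-text names or expressions declared on a component."""
    ids = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            ids.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            ids.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return ids or ["UNKNOWN"]


def disallowed_findings(components):
    """Step 4: (component name, license) pairs that hit the DISALLOWED set."""
    return [(c["name"], lic) for c in components
            for lic in component_licenses(c) if lic in DISALLOWED_LICENSES]


def unaddressed_vulns(trivy_text, exceptions, today):
    """Step 3: High/Critical findings with no exception, or whose exception has expired."""
    report = json.loads(trivy_text)
    open_ids = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity", "").upper() not in BLOCKING_SEVERITIES:
                continue
            expiry = exceptions.get(v["VulnerabilityID"])
            if expiry is None or expiry < today:  # ISO dates compare correctly as strings
                open_ids.append(v["VulnerabilityID"])
    return open_ids


def release_gate(sbom_text, trivy_text, exceptions, today):
    """Apply the three pass conditions; returns ("Pass" | "Block", list of reasons)."""
    components, reasons = load_sbom(sbom_text)
    if not components:
        return "Block", reasons
    reasons += [f"DISALLOWED license {lic} in {name}" for name, lic in disallowed_findings(components)]
    reasons += [f"unaddressed {vid}" for vid in unaddressed_vulns(trivy_text, exceptions, today)]
    return ("Pass" if not reasons else "Block"), reasons


if __name__ == "__main__":
    outcome, why = release_gate(SAMPLE_SBOM, SAMPLE_TRIVY, SAMPLE_EXCEPTIONS, "2024-06-01")
    print(outcome, why)  # the sample SBOM is blocked on the SSPL-1.0 component
```

To run it against a real candidate, replace the sample strings with the contents of artifacts/sbom.json and the Trivy JSON output, and keep the exception register as the machine-readable counterpart of the exception links recorded in step 6; an exception past its expiry date counts as unaddressed, which is what makes the time-box enforceable.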

Reviewer: ____________ Date: ____________ Outcome: Pass / Block / Defer