A software bill of materials (SBOM) is now table-stakes for supply-chain security, but bolting CycloneDX onto an already-slow CI\/CD is a sure way to spark dev revolt. This post shows how we generate, diff, sign, and publish SBOMs on every pull-request in < 90 seconds\u2014and prove it with real latency numbers from a Micro-GCC squad maintaining an 8-service Node + Go platform. Copy-paste GitHub Actions included.
<\/p>\n\n\n\n
Most teams produce a single SBOM artifact the night before release. That works\u2014until:<\/p>\n\n\n\n
Our rule: SBOMs should appear as fast as SAST warnings.<\/strong> That means every PR, every image tag, every release.<\/p>\n\n\n\n Anatomy of a 90-Second SBOM Job (320 w)<\/strong><\/p>\n\n\n\n yaml<\/p>\n\n\n\n CopyEdit<\/p>\n\n\n\n jobs:<\/p>\n\n\n\n sbom:<\/p>\n\n\n\n runs-on: ubuntu-latest<\/p>\n\n\n\n timeout-minutes: 5<\/p>\n\n\n\n steps:<\/p>\n\n\n\n – uses: actions\/checkout@v4<\/p>\n\n\n\n – name: Set up Node<\/p>\n\n\n\n uses: actions\/setup-node@v4<\/p>\n\n\n\n with: node-version: ’20’<\/p>\n\n\n\n – name: Install deps (cached)<\/p>\n\n\n\n uses: bahmutov\/npm-install@v1<\/p>\n\n\n\n – name: Generate CycloneDX JSON<\/p>\n\n\n\n run: npx @cyclonedx\/bom -o sbom.json<\/p>\n\n\n\n – name: Diff against main<\/p>\n\n\n\n id: diff<\/p>\n\n\n\n run: |<\/p>\n\n\n\n echo “::set-output name=changed::$(git diff origin\/main sbom.json | wc -l)”<\/p>\n\n\n\n – name: Upload to S3<\/p>\n\n\n\n if: steps.diff.outputs.changed != ‘0’<\/p>\n\n\n\n uses: jakejarvis\/s3-sync-action@v0.5.1<\/p>\n\n\n\n with:<\/p>\n\n\n\n args: –acl private –follow-symlinks –exact-timestamps<\/p>\n\n\n\n – name: Sign SBOM<\/p>\n\n\n\n run: cosign attach sbom \\<\/p>\n\n\n\n –sbom sbom.json \\<\/p>\n\n\n\n ghcr.io\/your\/repo:${{ github.sha }}<\/p>\n\n\n\n Latency breakdown (median):<\/strong><\/p>\n\n\n\n Tip \u278a<\/strong>\u2003Cache dependencies by checksum, not lockfile date; 95 % of PRs reuse cache. Signature standard:<\/strong> we use Sigstore\/cosign<\/strong>\u2014developers need zero key management<\/strong>; GitHub OIDC tokens issue short-lived certs.<\/p>\n\n\n\n Result: devs see SBOM as their<\/strong> tool, not security theater.<\/p>\n\n\n\n Poly-Repo:<\/strong> push each SBOM to an S3 bucket with path \/service\/<repo>\/<sha>\/sbom.json. A Glue crawler builds an Athena table for org-wide queries:<\/p>\n\n\n\n sql<\/p>\n\n\n\n CopyEdit<\/p>\n\n\n\n SELECT repo, COUNT(*) AS crits<\/p>\n\n\n\n FROM sbom_view<\/p>\n\n\n\n WHERE severity = ‘CRITICAL’<\/p>\n\n\n\n GROUP BY repo<\/p>\n\n\n\n ORDER BY crits DESC;<\/p>\n\n\n\n SAP ABAP:<\/strong> SAP CP orchestrates ABAP Git exports \u2192 Node job runs cyclonedx-bom<\/strong> on *.abapgit.xml. Attach SBOM as a transport artifact; ATC gate fails if missing.Edge case \u2013 binary blobs:<\/strong> use CycloneDX component-hash<\/em> to reference fixed firmware. Store blob SBOMs in S3; link hash in SBOM externalReferences.<\/p>\n\n\n\n Before SBOM pipeline<\/em>: release retro spent 4 hours on dependency review; Black-Friday freeze 3 days. PM\u2019s comment: \u201cWe found vulnerabilities while they were still headlines, not headlines about us.\u201d<\/em><\/p>\n\n\n\n A software bill of materials (SBOM) is now table-stakes for supply-chain security, but bolting CycloneDX onto an already-slow CI\/CD is a sure way to spark dev revolt. This post shows how we generate, diff, sign, and publish SBOMs on every pull-request in < 90 seconds\u2014and prove it with real latency numbers from a Micro-GCC squad […]<\/p>\n","protected":false},"author":1,"featured_media":20,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[11,10],"class_list":["post-18","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-shift-left-engineering","tag-ai","tag-chatgpt"],"_links":{"self":[{"href":"https:\/\/steadyrabbit.in\/blogs\/wp-json\/wp\/v2\/posts\/18","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/steadyrabbit.in\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/steadyrabbit.in\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/steadyrabbit.in\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/steadyrabbit.in\/blogs\/wp-json\/wp\/v2\/comments?post=18"}],"version-history":[{"count":2,"href":"https:\/\/steadyrabbit.in\/blogs\/wp-json\/wp\/v2\/posts\/18\/revisions"}],"predecessor-version":[{"id":34,"href":"https:\/\/steadyrabbit.in\/blogs\/wp-json\/wp\/v2\/posts\/18\/revisions\/34"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/steadyrabbit.in\/blogs\/wp-json\/wp\/v2\/media\/20"}],"wp:attachment":[{"href":"https:\/\/steadyrabbit.in\/blogs\/wp-json\/wp\/v2\/media?parent=18"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/steadyrabbit.in\/blogs\/wp-json\/wp\/v2\/categories?post=18"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/steadyrabbit.in\/blogs\/wp-json\/wp\/v2\/tags?post=18"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Step<\/strong><\/td> Time<\/strong><\/td><\/tr> npm-install (cache hit)<\/td> 25 s<\/td><\/tr> Generate JSON<\/td> 12 s<\/td><\/tr> Diff<\/td> 1 s<\/td><\/tr> S3 upload + Cosign sign<\/td> 45 s<\/td><\/tr> Total<\/strong><\/td> 83 s<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Tip \u278b<\/strong>\u2003Skip S3 upload when diff == 0 to save 40+ seconds on doc-only commits.<\/p>\n\n\n\nWhere to Store & Sign SBOMs<\/strong><\/h2>\n\n\n\n
Model<\/strong><\/td> Pros<\/strong><\/td> Cons<\/strong><\/td> When to Use<\/strong><\/td><\/tr> Container Attach (cosign)<\/strong><\/td> Co-located with image; verified by cosign verify<\/td> Only OCI images, not zip\/tar artifacts<\/td> Microservices on K8s<\/td><\/tr> Artifact Repo (S3 \/ MinIO)<\/strong><\/td> Works for any file; cheap<\/td> Requires URL mapping to version<\/td> Polyglot monorepos<\/td><\/tr> Git Tag<\/strong><\/td> Easy diffing<\/td> Bloats repo; binary in Git<\/td> Small libs or infra templates<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Making Developers Care <\/strong><\/h2>\n\n\n\n
\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n<\/ol>\n\n\n\nExtending to Poly-Repo & SAP Landscapes <\/strong><\/h2>\n\n\n\n
Real-World Impact (Case Snippet \u2013 Retail Client) (120 w)<\/strong><\/h2>\n\n\n\n
After<\/em>:<\/p>\n\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n<\/ul>\n\n\n\nCommon Pitfalls & Fixes (130 w)<\/strong><\/h2>\n\n\n\n
Pitfall<\/strong><\/td> Fix<\/strong><\/td><\/tr> \u201cCI time blew up\u201d<\/td> Cache deps; skip upload on no-diff; parallelise sign\/upload.<\/td><\/tr> \u201cSBOM invalid JSON\u201d<\/td> Use CycloneDX CLI \u2265 v3.7; run cyclonedx validate.<\/td><\/tr> \u201cToo many CVE false positives\u201d<\/td> Switch to OWASP dependency-track w\/ policy suppression YAML.<\/td><\/tr> \u201cPrivate NPM packages missing\u201d<\/td> Add GitHub PAT with module read scope; CycloneDX CLI resolves them.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Take-Home Checklist <\/strong><\/h2>\n\n\n\n
\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n