We had a vendor security review today and they asked one question that caught us off guard:
“Can you share the SBOM for your application?”
We do vulnerability scans, and we track dependencies in Continuous Integration, but we’ve never actually produced an SBOM as a deliverable.
What exactly counts as an SBOM, and what are people expecting when they ask for it?
17 Views
SBOM (Software Bill of Materials) is basically a structured inventory of what your software is made of.
It lists the components your app includes, like open-source libraries, third-party packages, and sometimes even OS-level dependencies.
When someone asks for an SBOM, they usually want something they can use to answer:
It’s less about scanning results and more about transparency.
The easiest way to understand why SBOM matters is: it saves you during fire drills.
When something like Log4j happens, the first question isn’t “how do we patch?”
It’s “where are we using it?”
Without an SBOM you end up chasing answers across repos, containers, build logs, and random spreadsheets.
With an SBOM, you can quickly check whether a service includes the affected component and version.
Got it. So, the SBOM isn’t the same as a vulnerability report, it’s more like the “contents list” for a release.
If we generate it, what format do security teams usually accept?
Most teams expect standard formats like SPDX or CycloneDX.
Generate it per build or release, store it somewhere searchable, and tie it to the artifact version.
That way when someone asks “SBOM for v1.8.2”, you’re not rebuilding history. You just pull it and share.
Don't have an account? Sign up
