As one of the co-leaders of the CISA working group on SBOM Generation and a contributor to its accompanying whitepaper, I’ve spent the last few years deep in the trenches of SBOM creation. With the EU’s Cyber Resilience Act (CRA) raising the bar for software transparency and lifecycle security, the need for reliable, high-quality SBOMs has never been more urgent.
In this talk, I’ll present a practical blueprint for SBOM generation that goes beyond minimal compliance and helps projects prepare for the expectations emerging from the CRA and similar regulatory frameworks. The model breaks SBOM creation into four clear phases:
I’ll discuss the technical considerations behind each phase, common pitfalls, and how these practices help projects avoid the compliance gaps many teams are now discovering as the CRA timeline approaches.
To ground everything in reality, I’ll demo a fully open-source workflow built with the sbomify action, a tool from sbomify that runs in GitHub Actions or any CI environment, enabling CRA-ready SBOM pipelines without proprietary tooling.