CRA-Ready SBOMs: A Practical Blueprint for High-Quality Generation

<p>As one of the co-leaders of the CISA working group on <a href="https://github.com/SBOM-Community/SBOM-Generation">SBOM Generation</a> and a contributor to its accompanying <a href="https://github.com/SBOM-Community/SBOM-Generation/blob/main/whitepaper/Draft-SBOM-Generation-White-Paper-Feb-25-2025.pdf">whitepaper</a>, I’ve spent the last few years deep in the trenches of SBOM creation. With the EU’s Cyber Resilience Act (CRA) raising the bar for software transparency and lifecycle security, the need for <em>reliable, high-quality</em> SBOMs has never been more urgent.</p> <p>In this talk, I’ll present a practical blueprint for SBOM generation that goes beyond minimal compliance and helps projects prepare for the expectations emerging from the CRA and similar regulatory frameworks. The model breaks SBOM creation into four clear phases:</p> <ul> <li><strong>Authoring</strong> – producing the initial SBOM from a lockfile</li> <li><strong>Augmenting</strong> – resolving gaps and adding metadata to meet increasingly strict transparency requirements that SBOM generation tools can't do</li> <li><strong>Enriching</strong> – improve the quality of the SBOM using open data sets</li> <li><strong>Signing</strong> – provide attestation to ensure the SBOM can be trusted</li> </ul> <p>I’ll discuss the technical considerations behind each phase, common pitfalls, and how these practices help projects avoid the compliance gaps many teams are now discovering as the CRA timeline approaches.</p> <p>To ground everything in reality, I’ll demo a fully open-source workflow built with the <a href="https://github.com/sbomify/github-action/">sbomify action</a>, a tool from <a href="https://sbomify.com">sbomify</a> that runs in GitHub Actions or any CI environment, enabling CRA-ready SBOM pipelines without proprietary tooling.</p>