Research Article

Adaptive Risk Based Enforcement Using SBOM Automation for Secure Software Supply Chains

by Sri Sowmya Nemani
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 187 - Issue 56
Published: November 2025
Authors: Sri Sowmya Nemani
DOI: 10.5120/ijca2025925990

Sri Sowmya Nemani . Adaptive Risk Based Enforcement Using SBOM Automation for Secure Software Supply Chains. International Journal of Computer Applications. 187, 56 (November 2025), 61-63. DOI=10.5120/ijca2025925990

@article{10.5120/ijca2025925990,
  author    = {Sri Sowmya Nemani},
  title     = {Adaptive Risk Based Enforcement Using SBOM Automation for Secure Software Supply Chains},
  journal   = {International Journal of Computer Applications},
  year      = {2025},
  volume    = {187},
  number    = {56},
  pages     = {61-63},
  doi       = {10.5120/ijca2025925990},
  publisher = {Foundation of Computer Science (FCS), NY, USA}
}

%0 Journal Article
%D 2025
%A Sri Sowmya Nemani
%T Adaptive Risk Based Enforcement Using SBOM Automation for Secure Software Supply Chains
%J International Journal of Computer Applications
%V 187
%N 56
%P 61-63
%R 10.5120/ijca2025925990
%I Foundation of Computer Science (FCS), NY, USA
Abstract

Nowadays, many developers rely on third-party and open-source libraries that are integrated directly into production software. It is therefore critical to understand what is being integrated and who maintains it. The hidden security and governance risks within unmanaged dependencies continue to expose organizations to software supply chain attacks and compliance violations. Software Bills of Materials (SBOMs), in formats such as SPDX and CycloneDX, provide visibility into third-party components. This paper discusses how SBOMs can be automatically generated from development code and integrated into CI/CD pipelines for continuous risk assessment. The model proposed in this study ensures that every build produces an auditable SBOM, allowing the security team to continuously review, mitigate, or apply compensating controls for identified risks.
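
The abstract describes a pipeline stage that consumes each build's SBOM and turns it into a risk decision. The following is an added illustration, not code from the paper or from the author's repository: it parses a constructed CycloneDX JSON fragment, scores each component against a constructed policy (denied components, denied licenses, missing license, hash or purl), and returns a block/review/pass verdict together with the per-component scores that would be kept as the audit record. The policy names, weights and thresholds are assumptions chosen for the example; a real deployment would tune them per environment, which is the "adaptive" part of the enforcement model.

```python
import json
from dataclasses import dataclass

# Constructed CycloneDX 1.5-style SBOM fragment (sample data, not from the paper).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"type": "library", "name": "leftpad-clone", "version": "0.0.1",
         "purl": "pkg:npm/leftpad-clone@0.0.1"},
        {"type": "library", "name": "legacy-crypto", "version": "1.0",
         "purl": "pkg:pypi/legacy-crypto@1.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})

# Constructed policy: component/license names and thresholds are assumptions
# for illustration, not values taken from the paper.
POLICY = {
    "denied_components": {"legacy-crypto"},
    "denied_licenses": {"GPL-3.0-only"},
    "block_threshold": 7,    # worst per-component score at or above this blocks the build
    "review_threshold": 3,   # at or above this routes the build to security review
}

# Assumed weights per rule; higher means more severe.
WEIGHTS = {
    "denied_component": 7,
    "denied_license": 3,
    "missing_license": 2,
    "missing_hash": 1,
    "missing_purl": 1,
}


@dataclass
class Finding:
    component: str
    version: str
    rule: str
    score: int


def load_components(sbom_json: str) -> list[dict]:
    """Parse a CycloneDX JSON document and return its component list."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled in this example")
    return doc.get("components", [])


def licenses_of(component: dict) -> list[str]:
    """Collect SPDX ids (or free-text names) declared for one component."""
    out = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ident = lic.get("id") or lic.get("name")
        if ident:
            out.append(ident)
    return out


def assess(sbom_json: str, policy: dict = POLICY) -> list[Finding]:
    """Apply the policy rules to every component and return all findings."""
    findings: list[Finding] = []
    for c in load_components(sbom_json):
        name, version = c.get("name", "?"), c.get("version", "?")
        hits = []
        if name in policy["denied_components"]:
            hits.append("denied_component")
        lics = licenses_of(c)
        if not lics:
            hits.append("missing_license")
        elif any(l in policy["denied_licenses"] for l in lics):
            hits.append("denied_license")
        if not c.get("hashes"):
            hits.append("missing_hash")     # no integrity anchor for this artifact
        if not c.get("purl"):
            hits.append("missing_purl")     # cannot be matched to advisories by purl
        findings.extend(Finding(name, version, r, WEIGHTS[r]) for r in hits)
    return findings


def decide(findings: list[Finding], policy: dict = POLICY) -> dict:
    """Aggregate findings per component and map the worst score to a gate verdict."""
    scores: dict[str, int] = {}
    for f in findings:
        scores[f.component] = scores.get(f.component, 0) + f.score
    worst = max(scores.values(), default=0)
    if worst >= policy["block_threshold"]:
        verdict = "block"
    elif worst >= policy["review_threshold"]:
        verdict = "review"
    else:
        verdict = "pass"
    # This dict is what a pipeline would persist as the auditable record for the build.
    return {"verdict": verdict, "worst_score": worst, "scores": scores}


if __name__ == "__main__":
    result = decide(assess(SAMPLE_SBOM))
    print(json.dumps(result, indent=2))
```

In the sample, `requests` produces no findings, `leftpad-clone` scores 3 (no license, no hash) and would be routed to review on its own, and `legacy-crypto` scores 11 and blocks the build. Because the gate uses the worst single component rather than a sum, one clean library cannot dilute one bad one; lowering `review_threshold` for production pipelines and raising it for sandboxes is how the same script enforces different risk appetites.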

Index Terms
Computer Science
Information Sciences

Keywords
Software Bill of Materials (SBOM), Supply Chain Security, CI/CD, DevSecOps, Risk Mitigation, CMDB, Infrastructure as Code (IaC)
