Supply Chain & SBOM Skill
Assesses software supply chain security: SBOM generation, provenance, attestation, dependency pinning, vulnerability scanning, and signed artifacts. Aligned to: DoD Enterprise DevSecOps Fundamentals (Play 7), FedRAMP SA-12/SI-7, NIST 800-53, Executive Order 14028 (SBOM).
When to Use
- Federal checklist (supply chain domain)
- GitOps audit (security scanning and supply chain capability)
- Repo assessment (security category)
- Pre-production readiness for federal/DoD workloads
Evaluation Domains
| Domain | What to Assess | Evidence |
|---|---|---|
| SBOM generation | CycloneDX, SPDX; build-time generation; included in artifacts | syft, cyclonedx-npm, bom tool output |
| Dependency pinning |