Between 2024 and 2025 supply-chain attacks through public package registries (npm, PyPI, Docker Hub) rose sharply. Knowing exactly what your software contains, which is what a Software Bill of Materials (SBOM) records, is now a baseline practice.
What an SBOM is
A machine-readable inventory of everything a build ships: direct and transitive libraries, their versions, licences and content hashes, each identified by a package URL (purl). The two standard formats are SPDX and CycloneDX. For Node.js you can generate one with npm sbom, cdxgen or syft. One caveat: an SBOM generated from the lockfile describes what was resolved, not necessarily what runs in production, so when you ship a container image generate the SBOM from the built image (syft or trivy on the image) rather than from the source tree alone.
Three tools we use
1. Trivy
Open source, maintained by Aqua Security. Scans container images, filesystems and repositories (lockfiles), IaC, and existing SBOMs (trivy sbom), which is what lets you rescan an archived SBOM when a new advisory lands. We run it in CI on every PR. Fast, with a manageable false-positive rate. Free.
2. Snyk
Commercial, more comprehensive. Suggests auto-fixes (update PRs), better CVE database than Trivy on some languages. From $25/dev/month.
3. Dependabot / Renovate
For automated dependency update PRs. Renovate is more configurable (grouping, scheduling, custom package managers); Dependabot is the GitHub default and needs only a config file in the repository.
Pipeline we apply
- SBOM at build: each release produces an SPDX/CycloneDX document, archived alongside the release artifact.
- Vulnerability scan: Trivy in CI, failing the job (and so blocking the merge) on any finding of severity HIGH or CRITICAL.
- Weekly updates: Renovate PRs grouped by area, with security updates kept separate from routine semver-minor bumps so they can be merged first.
- Yearly audit: cumulative review of the archived SBOMs to spot obsolete or unmaintained dependencies.
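The two steps of this pipeline that are easy to get wrong in practice are the merge gate (what exactly "severity >= HIGH" means against Trivy's JSON output, and what to do with findings that have no fix) and the payoff of archiving one SBOM per release (answering "which shipped versions contain this package?" without rebuilding old tags). The script below is an added example written for this post, not the blog's own CI tooling. The dict shapes follow CycloneDX 1.5 as emitted by npm sbom or syft and Trivy's --format json output; the package names, versions, hash and vulnerability IDs are constructed placeholders, not real packages or CVEs.

```python
# Added example (not the blog's own tooling): the merge gate and the
# archive lookup from the pipeline above, run on constructed data. Dict
# shapes follow CycloneDX 1.5 and `trivy ... --format json`; package
# names and vulnerability IDs are placeholders, not real packages or CVEs.

# Trivy's severity scale; the blog's gate is "severity >= HIGH".
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed CycloneDX SBOMs archived for two shipped releases.
ARCHIVED_SBOMS = {
    "v1.0.0": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "example-lib", "version": "1.2.3",
         "purl": "pkg:npm/example-lib@1.2.3",
         "hashes": [{"alg": "SHA-512", "content": "00"}],  # placeholder hash
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "other-dep", "version": "0.9.0",
         "purl": "pkg:npm/other-dep@0.9.0"},
    ]},
    "v1.1.0": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "example-lib", "version": "1.2.4",
         "purl": "pkg:npm/example-lib@1.2.4"},
        {"type": "library", "name": "other-dep", "version": "0.9.0",
         "purl": "pkg:npm/other-dep@0.9.0"},
    ]},
}

# Constructed `trivy fs --format json` report for the PR under review.
TRIVY_REPORT = {
    "SchemaVersion": 2, "ArtifactName": ".", "ArtifactType": "filesystem",
    "Results": [
        {"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "example-lib",
              "InstalledVersion": "1.2.4", "FixedVersion": "1.2.5",
              "Severity": "HIGH"},
             {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "other-dep",
              "InstalledVersion": "0.9.0", "FixedVersion": "",
              "Severity": "MEDIUM"},
         ]},
        # Trivy omits "Vulnerabilities" for a clean target; must not crash.
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile"},
    ],
}


def findings(report, threshold="HIGH", ignore_unfixed=False):
    """Flatten Results[].Vulnerabilities, keeping severity >= threshold.

    ignore_unfixed mirrors trivy's --ignore-unfixed: a finding with no
    FixedVersion cannot be resolved by a dependency bump, and blocking on
    it only teaches the team to bypass the gate.
    """
    floor = SEVERITY_RANK[threshold]
    hits = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < floor:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            hits.append({**vuln, "Target": result["Target"]})
    return hits


def gate(report, threshold="HIGH", ignore_unfixed=False):
    """Return (exit_code, blocking findings); exit code 1 fails the CI job,
    as `trivy --exit-code 1 --severity HIGH,CRITICAL` would."""
    hits = findings(report, threshold, ignore_unfixed)
    return (1 if hits else 0), hits


def affected_releases(archived, pkg_name, version):
    """Which archived release SBOMs ship pkg_name@version. This is why an
    SBOM is archived per release: an advisory is matched against the
    archive instead of by rebuilding old tags."""
    purl = f"pkg:npm/{pkg_name}@{version}"
    return sorted(rel for rel, sbom in archived.items()
                  if any(c.get("purl") == purl for c in sbom["components"]))


def sbom_drift(old, new):
    """Added/removed/changed components between two releases (yearly review)."""
    o = {c["name"]: c["version"] for c in old["components"]}
    n = {c["name"]: c["version"] for c in new["components"]}
    return {"added": sorted(set(n) - set(o)),
            "removed": sorted(set(o) - set(n)),
            "changed": sorted(k for k in o.keys() & n.keys() if o[k] != n[k])}


if __name__ == "__main__":
    code, hits = gate(TRIVY_REPORT)
    for h in hits:
        shipped = affected_releases(ARCHIVED_SBOMS, h["PkgName"], h["InstalledVersion"])
        print(f"BLOCK {h['Severity']} {h['VulnerabilityID']} {h['PkgName']}@"
              f"{h['InstalledVersion']} in {h['Target']}, fix: "
              f"{h['FixedVersion'] or 'none'}, shipped in {shipped}")
    print("drift v1.0.0 -> v1.1.0:",
          sbom_drift(ARCHIVED_SBOMS["v1.0.0"], ARCHIVED_SBOMS["v1.1.0"]))
    raise SystemExit(code)
```

Run as a script it prints the one blocking finding, the archived release that ships the affected version, and the component drift between the two releases, then exits 1 so a CI step fails. Two design points worth copying into a real gate: treat a missing Vulnerabilities key as "no findings" rather than an error, and make the ignore-unfixed decision explicit in the config rather than letting unfixable findings push people toward disabling the scan.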
Compliance
NIS2 (for essential and important entities) requires supply-chain risk management, and an SBOM is the practical evidence of it; US Executive Order 14028 explicitly calls for SBOMs from software suppliers to federal agencies. For Italian SMEs outside those mandates it is a best practice that reduces real risk and is increasingly asked for by enterprise clients.
Lesson
An SBOM without a process is a useless file. The value is in continuous monitoring: rescanning the archived SBOMs whenever new advisories land, not a yearly one-off report. Start with Trivy in CI and grow from there.