The modern software development lifecycle is increasingly complex, relying on a vast network of third-party dependencies, container images, and automated workflows. With the rise in sophisticated supply chain attacks, such as the Log4j vulnerability and recent compromised build tools, ensuring the integrity of your artifacts is no longer optional—it is critical. GitHub Actions provides powerful primitives to help you build a "Trustworthy CI/CD" pipeline. In this guide, we will explore how to implement Software Bill of Materials (SBOM) generation and artifact signing within your GitHub Actions workflows to verify provenance and integrity.
The Importance of SBOMs in DevOps
A Software Bill of Materials (SBOM) is essentially an inventory of all the components, libraries, and dependencies included in your software. Think of it as a nutritional label for your application. When a new vulnerability emerges in a common library, an SBOM allows you to instantly identify if you are affected and which specific versions are in use. Without this visibility, remediating vulnerabilities becomes a game of guesswork that can leave your infrastructure exposed.
Generating an SBOM automatically as part of your build process ensures that you always have a current, accurate record of your dependencies. This is not just for security teams; it is essential for compliance frameworks like the NIST SSDF (Secure Software Development Framework) and executive directives requiring software transparency.
Generating SBOMs with GitHub Actions
GitHub offers a native tool for generating SBOMs: the anchore/sbom-action. This action uses Grype, a powerful vulnerability scanner, to create a CycloneDX or SPDX formatted SBOM. Integrating this into your workflow is straightforward. You simply need to specify the path to the directory containing your source code and choose your desired output format.
Below is a practical example of how to integrate SBOM generation into a standard build workflow:
name: Build and Generate SBOM
on:
push:
branches: [ main ]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Build Application
run: echo "Building application..."
- name: Generate SBOM
uses: anchore/sbom-action@v0
with:
path: ./my-app-directory
format: cyclonedx-json
artifact-name: my-app-sbom.cdx.json
output-file: sbom-output.json
In this snippet, the artifact-name parameter ensures the SBOM is uploaded as a build artifact, allowing you to download it from the GitHub Actions UI or reference it in subsequent steps.
Signing Artifacts for Integrity Verification
While an SBOM tells you what is inside your artifact, signing it tells you that it hasn't been tampered with since the build completed. By signing your artifacts, you create a cryptographic guarantee of integrity. If an attacker intercepts your build pipeline and replaces a binary with a malicious one, the signature verification will fail, alerting your deployment system to reject the compromised code.
For container images and generic files, sigstore is becoming the industry standard for signing. Sigstore provides a transparent, public, and open infrastructure for signing software supply chains. GitHub Actions has native support for signing artifacts using Sigstore, which eliminates the need to manage complex key storage infrastructure.
Here is how you can sign an artifact generated in a previous step:
- name: Sign Artifact
uses: sigstore/gh-action-sigstore-python@v2.1.1
with:
inputs: |
./my-app-binary
This step produces signature and certificate transparency (CT) log entries, creating an immutable record that links the specific commit hash to the binary output. This is a core requirement for achieving higher levels of the SLSA (Supply-chain Levels for Software Artifacts) framework.
Conclusion
Implementing SBOM generation and artifact signing in GitHub Actions transforms your CI/CD pipeline from a simple automation tool into a robust security boundary. These practices do not require a complete overhaul of your existing workflows; rather, they can be incrementally adopted to improve your security posture over time. By making transparency and integrity first-class citizens in your development process, you protect not only your own infrastructure but also the integrity of the broader ecosystem that relies on your software. Start integrating these controls today to stay ahead of emerging threats.