---
name: supply-chain-security-sbom
description: Manage software supply chain security including Software Bill of Materials (SBOM) generation, dependency vulnerability management, third-party risk assessment, secure software development practices, and supply chain attack prevention. Use when generating and managing SBOMs, auditing third-party dependencies, implementing supply chain security controls, responding to dependency vulnerabilities (such as Log4Shell), assessing vendor security posture, or implementing NIST SSDF (Secure Software Development Framework, SP 800-218) requirements. Triggers on phrases like "supply chain security", "SBOM", "software bill of materials", "dependency vulnerability", "third-party risk", "software supply chain", "secure SDLC", "OSS security", "dependency audit", "vulnerable dependency", "SLSA", "SSDF", "software artifacts", "code signing".
---

# Supply Chain Security & SBOM Management

Comprehensive software supply chain security program covering Software Bill of Materials (SBOM) generation and management, dependency vulnerability tracking, third-party risk assessment, and secure software development lifecycle practices.

## Workflow

1. Establish supply chain security policy: define requirements for SBOM generation, dependency management, third-party vendor assessment, code signing, and artifact integrity verification; align with the National Cybersecurity Strategy and the NIST Secure Software Development Framework (SSDF, SP 800-218).
2. Implement SBOM generation: automate SBOM creation in CI/CD pipeline; select SBOM format (SPDX 2.3, CycloneDX 1.5);