What is a CBOM and how does sbomify support it?

TL;DR

A CBOM is the cryptographic sibling of an SBOM: it lists the algorithms, keys, certificates, and protocols your software uses. sbomify ingests and auto-classifies CBOMs, shows a crypto inventory with a post-quantum readiness view, and shares them through your Trust Center.

What a CBOM is

A Cryptography Bill of Materials (CBOM) is a CycloneDX BOM whose components include cryptographic assets: the algorithms, keys, certificates, protocols, and crypto libraries your software uses. Where an SBOM answers “what packages are in this product,” a CBOM answers “what cryptography does this product depend on.”

That question is becoming urgent. Migrating to post-quantum cryptography starts with knowing where the quantum-vulnerable algorithms (RSA, ECDSA, classic Diffie-Hellman) live in your stack, and regulators are moving in the same direction: crypto agility features in NIST’s post-quantum guidance and in EU CRA discussions alike. You cannot migrate what you have not inventoried.

What sbomify does with CBOMs

  • Auto-detection. Upload a CycloneDX document containing cryptographic assets and sbomify automatically classifies it as a CBOM, no special flag needed. You can also be explicit with BOM_TYPE: cbom in sbomify-action, which uploads the document verbatim.
  • Crypto-asset inventory. The document detail page renders an inventory of the cryptographic assets found: algorithms, key sizes, certificates, and protocols.
  • Post-quantum readiness. The PQC readiness assessment plugin classifies each asset against NIST guidance and gives your component a post-quantum posture view, so you can see at a glance which algorithms are quantum-vulnerable and where.
  • Trust Center distribution. CBOMs appear on your public release pages next to SBOMs and VEX, with the same access controls, and are exposed through the Transparency Exchange API as a supported artifact type.

How do I generate a CBOM?

CBOM generation tools are still an emerging space. cbomkit and IBM’s CBOM tooling can scan source code for cryptographic usage, and CycloneDX 1.6+ has first-class support for cryptographic asset types. However you produce it, sbomify handles storage, classification, analysis, and distribution:

- name: Upload CBOM
  uses: sbomify/sbomify-action@master
  env:
    COMPONENT_ID: 'my-component-id'
    SBOM_FILE: 'my-product.cbom.json'
    BOM_TYPE: cbom
    UPLOAD: true

Further reading