SBOM Observer/Scale SBOM

About

What the Scale SBOM framework is, who it is for and who maintains it

What is this framework?

Scale SBOM is a free, open source operational framework for software transparency. It turns SBOM and VEX standards into guidance that engineering, security and procurement teams can act on.

Why does it exist?

Standards like CycloneDX and SPDX define how to structure transparency artifacts. They do not cover how to embed SBOM generation into a release pipeline, deliver artifacts to customers or evaluate what suppliers provide. Scale SBOM adds the operational guidance, content quality expectations and maturity assessment that standards leave out.

Who is it for?

  • Producers. Software vendors and development teams that build and ship software. Producers generate SBOMs, sign them and deliver transparency artifacts to their customers. See the Producer guide.
  • Consumers. Organizations that procure and operate software they did not build. Consumers request SBOMs from suppliers to gain visibility into components they have no source access to. See the Consumer guide.
  • Explorers. Newcomers learning what SBOM and VEX are and why they matter. Start with the Explorer guide.

Maintainers

This project is maintained by SBOM Observer.

Sponsors

Co-funded by Sweden's National Coordination Centre for Research and Innovation in Cybersecurity (NCC-SE) and the Swedish Civil Defence and Resilience Agency (MCF).

License

Available under the MIT License.

Edit on GitHub

External Resources

Curated index of authoritative documents for software transparency work

On this page

What is this framework?Why does it exist?Who is it for?MaintainersSponsorsLicense