Producer Workflows

Generating, enriching, validating, and distributing SBOMs and VEX documents

Software producers create transparency artifacts documenting what they've built and shipped. These workflows guide the complete lifecycle from generation through distribution and ongoing maintenance.

Core Producer Workflows

Generate SBOMs

Creating SBOMs from software builds, whether through automated tools or manual processes. Covers both greenfield implementations with modern CI/CD and legacy systems requiring special approaches.

Read Generate SBOMs →

Key decisions: Tool selection, automation level, quality thresholds

Enrich with Metadata

Adding provenance, pedigree, and contextual information beyond basic component listings. Transforms minimum-viable SBOMs into comprehensive transparency artifacts.

Read Enrich with Metadata →

Key decisions: Required metadata fields, evidence collection, manual vs automated enrichment

Validate and Sign

Ensuring SBOM quality through automated validation and establishing authenticity through cryptographic signing.

Read Validate and Sign →

Key decisions: Validation criteria, signing infrastructure, quality gates

Distribute to Customers

Publishing SBOMs through appropriate channels with proper access controls and discovery mechanisms.

Read Distribute to Customers →

Key decisions: Distribution channels, access control model, retention policies

Publish VEX Documents

Creating and updating VEX documents that provide vulnerability exploitability context for your products.

Read Publish VEX Documents →

Key decisions: Publication triggers, status determination, update frequency

Handle Vulnerability Disclosures

Responding to newly discovered vulnerabilities through systematic analysis, VEX publication, and customer communication.

Read Handle Vulnerability Disclosures →

Key decisions: Response timelines, analysis workflow, communication templates

Workflow Integration

These workflows interconnect rather than operating independently. SBOM generation triggers validation. Validation gates distribution. Distribution enables VEX correlation. Vulnerability disclosure drives VEX updates.

Understanding these connections prevents gaps where workflows don't properly hand off to successors.

Maturity Progression

Level 1 (Basic) implementations execute these workflows manually or semi-automatically. Level 2 (Advanced) implementations automate comprehensively with policy-driven workflows and minimal human intervention.

Most organizations begin with manual generation and basic distribution, progressively automating and adding sophistication as capability matures.
