Skip to content

Add SBOM to releases#60

Merged
David Elner (delner) merged 1 commit into
mainfrom
release_sbom
Jul 6, 2026
Merged

Add SBOM to releases#60
David Elner (delner) merged 1 commit into
mainfrom
release_sbom

Conversation

@delner

@delner David Elner (delner) commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

This adds a signed Software Bill of Materials (SBOM) alongside the package for every repository that uses the shared release actions to release.

Why this is a win

A user that installs one of our packages (deployed through these release actions), with zero extra work on our side can:

  • Trust it: cryptographically verify the package they installed was really built by Braintrust's official release pipeline at a known commit (not tampered with or typosquatted).
  • Inventory it: get a machine-readable list of the package's dependencies to scan for vulnerabilities, feed into their own supply-chain tooling, and satisfy their compliance/SBOM requirements.

SBOM is particularly important to users who are subjected to more strigent security protocols as a part of certain certification programs (e.g. FedRAMP)

What each release now produces

  • A CycloneDX SBOM (dependency inventory), signed as a GitHub attestation bound to the exact published artifact, and attached to the GitHub Release.
  • Build provenance: proof of who/what/where it was built (npm and PyPI use their native provenance; Ruby gets a signed SLSA attestation, since RubyGems has none).
  • Everything is signed via Sigstore and bound to the published artifact's digest.

How its used

  • Verify authenticity: npm audit signatures (JS), PyPI's provenance (Python), or gh attestation verify <artifact> --repo braintrustdata/<sdk> (Ruby).
  • Use the SBOM: grab it (GitHub Release asset, or from the attestation) and import it into Dependency-Track, scan it with Grype/Trivy, or merge it into their own product's SBOM.

Worth knowing

  • On by default as a part of shared release actions (set sbom: false to opt out).
  • SBOMs come from first-party/official tooling only: pnpm sbom, OWASP cyclonedx-py, and Bundler; signing uses GitHub's official actions/attest. No third-party convenience actions.
  • Attest-before-publish: a failed attestation can never leave a published-but-unsigned package.
  • The pre-approval validate step also generates the SBOM, so tooling problems surface before a release is approved.

Adopting repos: the publish job needs attestations: write (and JS needs pnpm ≥ 11.8). Canonical templates already wire this up; see README.md.

@delner David Elner (delner) merged commit 6b4c01c into main Jul 6, 2026
25 checks passed
@delner David Elner (delner) deleted the release_sbom branch July 6, 2026 14:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants