As applications grow more complex, they incorporate many third-party libraries and open-source components, often making it challenging to fully understand and manage the security risks they introduce. To address these concerns, application security engineers are increasingly turning to tools that provide greater visibility and control over software components.

Ensuring the security and compliance of modern software systems is a critical task for application security engineers. One powerful tool in achieving these goals is the Software Bill of Materials (SBOM). An SBOM provides a comprehensive inventory of all components within a software application, offering transparency and insight into its composition. When generated at build time, an SBOM becomes even more valuable, enhancing operational efficiency and trust.

This guide will explore how to generate build-time SBOMs using Cyclone-DX plugin and how to integrate them with the Invicti ASPM, empowering organizations to bolster their security posture and meet compliance requirements effectively.

Benefits of SBOM at Build Time

• Enhanced Transparency and Vulnerability Management

An SBOM provides a clear, real-time inventory of all software components, enabling organizations to identify vulnerabilities quickly and apply security measures proactively. When generated at build time, the SBOM captures the exact composition of each software version, ensuring up-to-date visibility into dependencies and their security status.

• Regulatory Compliance

With industry standards and regulations like GDPR, HIPAA, and mandates from governments worldwide now requiring SBOMs, especially in critical sectors, the ability to generate SBOMs at build-time ensures that organizations are always compliant. Each build’s SBOM reflects current software requirements, supporting audit readiness and satisfying regulatory requirements without the need for manual updates.

• Supply Chain Security

By creating an SBOM at build time, security teams can accurately assess and verify each software component’s origin and trustworthiness, including third-party and open-source libraries. This immediate insight reduces supply chain risks and helps detect potential security threats early in the development process.

• Incident Response and Forensics

An SBOM generated during the build process provides a precise component record, helping incident response teams quickly identify affected dependencies and trace vulnerabilities in the event of a breach. This rapid visibility into software composition enables faster threat containment and streamlines recovery efforts.

• Software Maintenance and Lifecycle Management

Software components can become outdated over time, and an SBOM tracks these components, supporting their timely replacement with secure, updated versions. By generating SBOMs at each build, teams can also monitor compatibility and prevent conflicts, ensuring that all dependencies are current and functional throughout the software lifecycle.

• Increased Accountability and Customer Confidence

Providing customers with an SBOM shows a commitment to security, transparency, and best practices, strengthening trust. It also reduces organizational liability by demonstrating proactive management of security, compliance, and quality, which is especially valuable in regulatory and contractual scrutiny.

Generating SBOMs at build time creates a solid foundation for security management, compliance, and software quality by offering real-time transparency into components and dependencies, which is critical for both ongoing security and regulatory alignment.

Integrating Cyclone-DX with Invicti ASPM

In the following example, I will show you step-by-step how you can generate SBOMs using CycloneDX, an open-source and ECMA certified standard maintained by OWASP, and the Invicti ASPM:

For this example, I am using a buildable dotnet application on my local drive, which I cloned from the following repository: https://github.com/luispereira2024/aspnetcore-realworld-example-app.git

Using the dotnet cyclonedx plugin (https://github.com/CycloneDX/cyclonedx-dotnet), we can generate the SBOM for the given project running the following command, which generates an XML BOM file.

dotnet CycloneDX Conduit.sln -o .


To import the SBOM into Invicti ASPM, it is necessary to use a JSON BOM instead of XML though. To do this, we execute the following command in order to get the bom.json file.

dotnet CycloneDX -j Conduit.sln -o .


You can also use docker.

docker run --rm -v $PWD:/src cyclonedx/cyclonedx-dotnet /src/Conduit.sln -rs -o /src -j


Import the SBOM into the Invicti ASPM using KDT

KDT is an open-source command line client for Invicti ASPM. With the following KDT command we can now import the results onto our Invicti ASPM project.

kdt sbom import -p aspnetcore-example-ap -b master -f bom.json -v


How to automatically generate SBOMs in your CI/CD pipeline

You can also generate SBOMs directly in your pipelines with CycloneDX and Invicti ASPM. The following example is using GitHub Actions to demonstrate how this works.

The example workflow enables you to generate an SBOM with CycloneDX and seamlessly import it right into Invicti ASPM. Make sure to configure the necessary secrets in your GitHub repository:

name: Build, Test, and Generate SBOM

on: [push]

jobs:
 build:
   runs-on: ubuntu-latest

   steps:
   - uses: actions/checkout@v4
   - uses: actions/setup-dotnet@v4
     with:
       dotnet-version: 8.0.204

   # Restore, build, and test .NET project
   - run: |
       dotnet restore build/build.csproj
       dotnet build build/build.csproj
       dotnet test build/build.csproj
     
   # Install CycloneDX CLI for SBOM generation
   - name: Install CycloneDX CLI
     run: dotnet tool install --global CycloneDX

   # Install Invicti ASPM CLI for SBOM import
   - name: Install Kondukto CLI
     run: |
       curl -sSL https://cli.kondukto.io | sudo sh

   # Generate SBOM with CycloneDX
   - name: Generate SBOM
     run: |
       dotnet CycloneDX Conduit.sln -j -o out
       ls -al
     shell: bash

   # Import SBOM into Invicti ASPM
   - name: Import SBOM to Kondukto
     env:
       KONDUKTO_HOST: https://konduktolab.kondukto.io
       KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_SECRETS1 }}
     run: |
       kdt sbom import -p aspnetcore-example-ap -f out/bom.json -b main


Once the workflow completes, the generated SBOM will be automatically imported into your Invicti ASPM account. You can then view the SBOM details under the “Project > SBOM” section in the Invicti ASPM.