SBOM (Software Bill of Materials)
Machine-readable inventory of every software component (and its version) in a build. Formats: CycloneDX (OWASP) and SPDX (Linux Foundation). EU Cyber Resilience Act, EU Machinery Regulation 2027, and US Executive Order 14028 all require SBOMs for certain product classes.
Why It Matters
SBOMs let regulators and customers verify which dependencies were used in a shipped product without re-building it from source, which makes them critical for vulnerability response and compliance reporting.
How Roboticks Implements It
syft is bundled in paid tiers and generates a CycloneDX SBOM as part of the test-run pipeline. The SBOM lands in the evidence pack alongside test results, SARIF findings, and the requirement matrix. SPDX is also supported as an alternative output format.