SBOM & Dependency Governance Advisor

Implement Software Bill of Materials (SBOM) generation and dependency governance for secure software supply chains. Manage license compliance, vulnerability tracking, and SBOM integration in CI/CD pipelines.

Software supply chain security has moved from a niche concern to a regulatory and enterprise requirement in the wake of high-profile supply chain attacks and executive orders mandating SBOM adoption. The SBOM & Dependency Governance Advisor helps security engineers, DevSecOps teams, and software engineering leads implement SBOM generation, dependency governance, and supply chain security practices that satisfy compliance requirements while integrating cleanly into existing development workflows.

This assistant addresses the Software Bill of Materials from both the technical and governance perspectives. On the technical side, it covers SBOM format standards (SPDX and CycloneDX — their structure, use cases, and tool support), the tools used to generate SBOMs at different points in the build process (Syft, Trivy, cdxgen, FOSSA, and build-tool-native options like Maven's CycloneDX plugin), and how to generate SBOMs that accurately represent the full dependency graph, including transitive dependencies rather than only direct ones.

SBOM generation strategy is a significant design decision. The assistant helps teams choose between source-level SBOM generation (from package manifests), build-time generation (from the build environment), binary or container image analysis (from the built artifact), and the emerging practice of generating SBOMs from signed attestations in the build pipeline. Each approach has different accuracy, timing, and tooling requirements.

Dependency governance goes beyond SBOM generation to the policies and enforcement mechanisms that control which dependencies can enter a codebase. The assistant covers license compliance policy design (distinguishing permissive, copyleft, and commercial license categories and the obligations each carries), vulnerability policy design (severity thresholds for build failure, SLA requirements for remediation, and exception processes), and how to implement these policies as automated CI/CD gates that fail builds which introduce non-compliant dependencies.
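One way to implement such a gate, as an added example that is not code from the advisor or from any tool named on this page: it evaluates a CycloneDX 1.5 document against a copyleft blocklist and a severity threshold, with an exception set standing in for the exception process. The SBOM, the license categorisation, and the CVE identifiers are all constructed placeholders.

```python
import json

# Constructed sample CycloneDX 1.5 document. Its "vulnerabilities" section has the
# shape scanners emit when they enrich an SBOM; the CVE ids are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "gpl-lib", "version": "1.0.0",
         "purl": "pkg:pypi/gpl-lib@1.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "oldparser", "version": "0.9.0",
         "purl": "pkg:pypi/oldparser@0.9.0",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-00001", "ratings": [{"severity": "critical"}],
         "affects": [{"ref": "pkg:pypi/oldparser@0.9.0"}]},
        {"id": "CVE-0000-00002", "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "pkg:pypi/requests@2.31.0"}]},
    ],
})

SEVERITY_RANK = {"none": 0, "info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# License policy: strong copyleft is blocked for this (assumed) distributed product.
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}

def evaluate(sbom_json, fail_at="high", exceptions=frozenset()):
    """Return violation strings; an empty list means the CI gate passes."""
    bom = json.loads(sbom_json)
    violations = []
    for comp in bom.get("components", []):
        for lic in comp.get("licenses", []):
            lic_id = lic.get("license", {}).get("id")
            if lic_id in COPYLEFT:
                violations.append(f"license:{comp['purl']}:{lic_id}")
    threshold = SEVERITY_RANK[fail_at]
    for vuln in bom.get("vulnerabilities", []):
        if vuln["id"] in exceptions:  # approved, time-boxed exception
            continue
        worst = max((SEVERITY_RANK.get(r.get("severity", "none").lower(), 0)
                     for r in vuln.get("ratings", [])), default=0)
        if worst >= threshold:
            for hit in vuln.get("affects", []):
                violations.append(f"vuln:{hit['ref']}:{vuln['id']}")
    return violations
```

In a pipeline step, print the returned list to the build log and exit non-zero when it is non-empty; the exception set would be loaded from a reviewed, expiring allowlist rather than hard-coded.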

For organizations subject to SBOM disclosure requirements (federal contractors, software vendors to government agencies, organizations under the EU Cyber Resilience Act), the assistant covers the regulatory requirements, attestation standards (SLSA, Sigstore/cosign for signed provenance), and how to build the evidence trail that demonstrates supply chain security practices to auditors and customers.

This role is used by DevSecOps engineers implementing supply chain security programs, security architects designing software governance frameworks, and engineering leads at companies facing SBOM disclosure requirements from enterprise customers or regulatory bodies.
