The SBOM archive contains the SBOM generated for every build. Each SBOM is linked to the specific container image version it describes through cosign attestation, creating a verifiable chain between the deployed artefact and its dependency inventory.
The archive enables retrospective vulnerability analysis: when a new CVE is disclosed, the organisation can search the SBOM archive to determine immediately which deployed versions (current and historical) are affected. This capability is essential for the incident response process and for CRA vulnerability management obligations.
The SBOM archive also supports dependency evolution analysis, showing how the system’s supply chain has changed over time. New dependencies introduced, dependencies removed, and version changes across the system’s lifetime are all visible. The archive is retained for the ten-year period.
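As an added illustration, not code from the page's own tooling, the two archive queries described above in Python: a retrospective search for builds whose archived SBOM lists a vulnerable package version, and a dependency diff between two archived builds. The archive entries, digests and advisory are constructed placeholders, and the introduced/fixed range form of the advisory is an assumption about how advisories are expressed.

```python
import re

# Constructed sample archive: one CycloneDX-style component list per build, stored
# with the image digest its cosign attestation binds it to (digests are placeholders).
SBOM_ARCHIVE = [
    {"tag": "1.4.0", "digest": "sha256:<digest-1.4.0>", "components": [
        {"name": "openssl", "version": "3.0.9"}, {"name": "zlib", "version": "1.2.13"}]},
    {"tag": "1.5.0", "digest": "sha256:<digest-1.5.0>", "components": [
        {"name": "openssl", "version": "3.0.9"}, {"name": "zlib", "version": "1.3"},
        {"name": "libxml2", "version": "2.11.4"}]},
    {"tag": "1.6.0", "digest": "sha256:<digest-1.6.0>", "components": [
        {"name": "openssl", "version": "3.0.11"}, {"name": "libxml2", "version": "2.11.4"}]},
]

# Constructed advisory (placeholder id) in OSV-style introduced/fixed range form.
ADVISORY = {"id": "ADVISORY-EXAMPLE-1", "package": "openssl",
            "ranges": [{"introduced": "3.0.0", "fixed": "3.0.10"}]}

def parse_version(v):
    """Split a dotted version into a comparable tuple of ints (non-numeric parts -> 0)."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", v))

def is_affected(version, ranges):
    """True if version lies in any half-open [introduced, fixed) range."""
    pv = parse_version(version)
    for r in ranges:
        lo = parse_version(r.get("introduced", "0"))
        hi = r.get("fixed")
        if pv >= lo and (hi is None or pv < parse_version(hi)):
            return True
    return False

def find_affected_images(archive, advisory):
    """Return (tag, digest) for every archived build whose SBOM lists a vulnerable version."""
    hits = []
    for entry in archive:
        for c in entry["components"]:
            if c["name"] == advisory["package"] and is_affected(c["version"], advisory["ranges"]):
                hits.append((entry["tag"], entry["digest"]))
                break  # one match is enough to flag the build
    return hits

def diff_components(old, new):
    """Dependency evolution between two archived builds: (added, removed, version-changed)."""
    o = {c["name"]: c["version"] for c in old["components"]}
    n = {c["name"]: c["version"] for c in new["components"]}
    added = sorted(set(n) - set(o))
    removed = sorted(set(o) - set(n))
    changed = sorted((k, o[k], n[k]) for k in set(o) & set(n) if o[k] != n[k])
    return added, removed, changed
```

The digests returned by the search are the values to check against the cosign attestation before acting on a hit, so that the SBOM consulted is the one bound to the image actually deployed.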
Key outputs
- Per-build SBOM archive with cosign attestation linking
- Retrospective vulnerability search capability
- Dependency evolution analysis over the system’s lifetime
- Module 9 AISDP evidence