What is an SBOM, and how do you generate and use one? [Intermediate]
Answer
An SBOM, or Software Bill of Materials, is a machine-readable inventory of the components inside a piece of software: packages, versions, suppliers, hashes, licences, and the dependency relationships between them, usually in the SPDX or CycloneDX format. I generate SBOMs from the build itself rather than by scanning a running system after the fact, and use them for vulnerability matching, license review, incident response, and as supply-chain evidence for customers and auditors.
Technical explanation
SBOMs turn "do we ship a vulnerable component anywhere?" into a query over stored inventories instead of a rebuild-and-scan of every service after a new CVE is disclosed. Knowing within minutes which images contained log4j-core 2.14.1 is the canonical example.
Each SBOM should be tied to the immutable digest of the artifact it describes (the sha256 of the image or package), not to a mutable tag, so the inventory matches the exact build that was deployed. An SBOM of the source tree and an SBOM of the built image differ (base-image OS packages, build-time dependencies, vendored files), so record which one it is and prefer the one generated from the artifact that actually ships.
SBOMs pay off only when they are stored, searchable by package URL and version, and linked with vulnerability intelligence (including VEX statements that mark findings as not exploitable in this product) and with ownership data, so a match leads to a team that can act. An SBOM that exists only as a build artifact nobody can query adds little.
Hands-on example
# Pin to the digest, never a mutable tag, so the SBOM describes exactly the bytes that ship.
# sha256:abc is a placeholder here; a real digest is 64 hex characters.
syft scan registry.example.com/checkout@sha256:abc -o cyclonedx-json > sbom.json   # 'syft packages' is the older spelling of the same command
grype sbom:sbom.json --fail-on high   # match the inventory against vulnerability data; exit non-zero at the chosen severity
cosign attest --predicate sbom.json --type cyclonedx registry.example.com/checkout@sha256:abc   # sign the SBOM as an in-toto attestation bound to the digest
cosign verify-attestation --type cyclonedx --certificate-identity <signer> --certificate-oidc-issuer <issuer> registry.example.com/checkout@sha256:abc   # consumers verify before trusting it
Then store the SBOM with the release record, keyed by the artifact digest, so it can be queried later.
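As an added example, not code from the original page and not part of syft, grype or cosign, the query the explanation above describes, run over a few constructed SBOMs: index stored CycloneDX SBOMs by package URL, refuse any SBOM whose recorded hash does not match the artifact digest it is filed under, and list every artifact whose component version falls inside an advisory's affected range. The digests, package names and the advisory are made up for the example; the purely numeric version comparison is a simplification of the ecosystem-specific version semantics a real matcher such as grype applies.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample data: three SBOMs in trimmed CycloneDX 1.5 JSON, each keyed
# by the image digest it is filed under. Digests and packages are made up.
def _sbom(digest_hex: str, components: List[Tuple[str, str]]) -> str:
    return json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {
            "type": "container", "name": "registry.example.com/checkout",
            "hashes": [{"alg": "SHA-256", "content": digest_hex}]}},
        "components": [{"type": "library", "name": p.split("/")[-1],
                        "version": v, "purl": f"{p}@{v}"} for p, v in components],
    })

IMAGE = "registry.example.com/checkout@sha256:"
SBOMS: Dict[str, str] = {
    IMAGE + "11" * 32: _sbom("11" * 32, [("pkg:npm/example-http-parser", "1.4.2"),
                                          ("pkg:npm/left-pad", "1.3.0")]),
    IMAGE + "22" * 32: _sbom("22" * 32, [("pkg:npm/example-http-parser", "1.5.0")]),
    # Broken binding: the SBOM's own hash does not match the digest it is filed under.
    IMAGE + "33" * 32: _sbom("44" * 32, [("pkg:npm/example-http-parser", "1.2.0")]),
}

# Constructed advisory (not a real CVE); affected range is [introduced, fixed),
# the convention OSV-style ranges use.
ADVISORY = {"id": "EXAMPLE-0001", "purl": "pkg:npm/example-http-parser",
            "introduced": "1.0.0", "fixed": "1.5.0"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted-version key, padded to three parts. Simplification: real
    matchers use each ecosystem's ordering (semver pre-releases, Debian epochs)."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:type/ns/name@ver?qualifiers#subpath' into (package id, version)."""
    base = purl.split("#", 1)[0].split("?", 1)[0]
    if "@" not in base:
        return base, ""
    pkg, ver = base.rsplit("@", 1)
    return pkg, ver


def verify_binding(artifact: str, sbom: dict) -> bool:
    """An SBOM is evidence only for the artifact whose digest it records."""
    digest = artifact.rsplit("@sha256:", 1)[1]
    hashes = sbom.get("metadata", {}).get("component", {}).get("hashes", [])
    return any(h.get("alg") == "SHA-256" and h.get("content") == digest for h in hashes)


def build_index(sboms: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map package id -> [(version, artifact)] across all stored SBOMs,
    skipping any SBOM whose hash does not match the digest it is filed under."""
    index: Dict[str, List[Tuple[str, str]]] = {}
    for artifact, raw in sboms.items():
        sbom = json.loads(raw)
        if not verify_binding(artifact, sbom):
            continue  # untrusted inventory: do not let it answer questions
        for comp in sbom.get("components", []):
            purl = comp.get("purl")
            if not purl:
                continue
            pkg, ver = split_purl(purl)
            index.setdefault(pkg, []).append((ver or comp.get("version", ""), artifact))
    return index


def find_affected(index: Dict[str, List[Tuple[str, str]]], advisory: dict) -> List[Tuple[str, str]]:
    """Every (artifact, version) whose version lies in [introduced, fixed)."""
    lo, hi = parse_version(advisory["introduced"]), parse_version(advisory["fixed"])
    hits = [(artifact, ver) for ver, artifact in index.get(advisory["purl"], [])
            if lo <= parse_version(ver) < hi]
    return sorted(hits)


if __name__ == "__main__":
    idx = build_index(SBOMS)
    for artifact, ver in find_affected(idx, ADVISORY):
        print(f"{ADVISORY['id']}: {artifact} ships {ADVISORY['purl']}@{ver}")
```

Run stand-alone it reports one affected artifact, the 1.4.2 build. The 1.5.0 build is outside the range, and the third SBOM is ignored entirely because its hash does not match the digest it was filed under, which is the failure the digest binding above exists to catch. Version ordering is where such a matcher goes wrong in practice (pre-release suffixes, epochs, distro backports), which is why production use hands the stored SBOM to a tool such as grype rather than comparing tuples.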