ProofwrightWalkthrough

SBOM generation in CI/CD

Wire CycloneDX generation into the pipeline so every build emits a current SBOM that feeds monitoring.

Wire SBOM generation into the pipeline so every build emits a current CycloneDX inventory that feeds monitoring on its own. Related demos: The CRA incident-reporting clock and A CRA-grade patch process.

1

Generate on every build

A build-stage step produces a CycloneDX SBOM from the actual dependency graph — not a spreadsheet someone updates by hand once a quarter.

2

Attach it to the release

The SBOM is versioned and pinned to the exact artifact it describes, so each release carries the inventory that matches it.

3

Feed monitoring automatically

Each new SBOM registers with OSV monitoring on publish, so a freshly added dependency is watched from the moment it ships.

4

Fail the build on policy

A gate blocks a release that adds a banned licence or a known-critical component — the SBOM becomes a control, not just a document.

this is Proofwright

It's live.

See the real thing at Proofwright.