generating-and-analyzing-sboms
Produce and ingest CycloneDX and SPDX SBOMs and correlate them to vulnerability intelligence.
| Field | Value |
|---|---|
| name | generating-and-analyzing-sboms |
| description | Produce and ingest CycloneDX and SPDX SBOMs and correlate them to vulnerability intelligence. |
| domain | cybersecurity |
| subdomain | supply-chain-security |
| tags | ["supply-chain-security","sbom","cyclonedx","spdx","syft","grype","vulnerability-management","devsecops"] |
| version | 1.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | ["ID.AM-08"] |
| mitre_attack | ["T1195.001"] |
Authorized Use Only: Generate and scan SBOMs only for software and images you own or are authorized to assess. Treat SBOMs as sensitive inventory data — they reveal your dependency attack surface.
A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of every component, library, and dependency in a piece of software, the supply-chain equivalent of an ingredients label. SBOMs are central to defending against supply-chain compromise (CISA's SBOM initiative, US Executive Order 14028) because you cannot patch what you cannot see. The two dominant SBOM standards are:

- CycloneDX (OWASP): security-oriented, with first-class support for vulnerability data and VEX.
- SPDX (Linux Foundation, ISO/IEC 5962:2021): licensing- and provenance-oriented.

The reference open-source toolchain is from Anchore:

- Syft generates SBOMs from container images, directories, and archives.
- Grype scans an SBOM (or an image directly) against its vulnerability database.

Sigstore's Cosign complements them by signing SBOMs as attestations attached to the image in the registry.

This skill covers producing standards-compliant SBOMs, correlating them with vulnerability intelligence, and embedding the workflow into CI/CD.
Install Syft and Grype with the Anchore install scripts, and Cosign via Go or a GitHub release. The install scripts pipe a remote script straight into a shell; on production build hosts, pin a release version and verify the published checksums rather than trusting whatever `main` serves today.

```bash
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
# via Go, or download a release from https://github.com/sigstore/cosign/releases
go install github.com/sigstore/cosign/v2/cmd/cosign@latest
```
| ID | Official Technique Name | Relevance to this skill |
|---|---|---|
| T1195.001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools | SBOM generation and vulnerability correlation expose compromised or vulnerable dependencies — the attack surface adversaries abuse under this technique. |
This is a defensive supply-chain skill; the mapping reflects the adversary technique it is designed to detect and mitigate.
The `-o <format>` flag selects the output format; `cyclonedx-json` is the security-oriented choice.

```bash
syft alpine:latest -o cyclonedx-json=alpine.cdx.json
```

Use the `dir:` source to inventory a checked-out repository, and `spdx-json` for the SPDX standard.

```bash
syft dir:. -o spdx-json=app.spdx.json
```

Produce both standards in a single pass for different consumers (security tooling reads CycloneDX, licence and compliance tooling reads SPDX) and keep a human-readable table on stdout:

```bash
syft myorg/app:1.4.2 \
  -o cyclonedx-json=app.cdx.json \
  -o spdx-json=app.spdx.json \
  -o table
```
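Once both formats are stored, the first thing a consumer usually wants is to read them with one code path and answer "what changed between builds". The following is an added example, not Syft or Anchore code, written in Python because it works on stored JSON artifacts offline: it normalises a CycloneDX JSON document and an SPDX JSON document to a common `{purl identity: version}` map (SPDX carries the purl as an `externalRefs` entry rather than a top-level field) and diffs the two. The two SBOMs are constructed fixtures trimmed to the fields the functions read; the package names and versions are illustrative.

```python
"""Normalise CycloneDX JSON and SPDX JSON SBOMs to {purl identity: version} and diff two builds.

Added example, not Syft or Anchore code. The two SBOMs below are constructed and trimmed to the
fields these functions read; real Syft output carries many more fields per component.
"""
from __future__ import annotations

import json

# Constructed: CycloneDX 1.5 inventory of the previous build (think app.cdx.json of 1.4.1).
OLD_CDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "openssl", "version": "3.1.4-r5",
         "purl": "pkg:apk/alpine/openssl@3.1.4-r5?arch=x86_64&distro=alpine-3.19.1"},
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

# Constructed: SPDX 2.3 inventory of the current build (think app.spdx.json of 1.4.2).
# SPDX carries the purl as an externalRef rather than a top-level field.
NEW_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "myorg/app:1.4.2",
    "packages": [
        {"name": "openssl", "SPDXID": "SPDXRef-Package-apk-openssl", "versionInfo": "3.1.5-r0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:apk/alpine/openssl@3.1.5-r0?arch=x86_64&distro=alpine-3.19.1"}]},
        {"name": "log4j-core", "SPDXID": "SPDXRef-Package-java-archive-log4j-core", "versionInfo": "2.14.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"}]},
        {"name": "urllib3", "SPDXID": "SPDXRef-Package-python-urllib3", "versionInfo": "2.2.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/urllib3@2.2.1"}]},
    ],
})


def purl_identity(purl: str) -> tuple[str, str]:
    """Split a purl into (identity, version).

    The identity keeps type/namespace/name and drops the version, qualifiers (after '?')
    and subpath (after '#'), so the same package from two builds compares equal even when
    Syft attached different distro or arch qualifiers.
    """
    core = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in core:
        ident, version = core.rsplit("@", 1)
    else:
        ident, version = core, ""
    return ident, version


def components(sbom_json: str) -> dict[str, str]:
    """Parse either SBOM format into {purl identity: version}; raise ValueError otherwise."""
    doc = json.loads(sbom_json)
    inventory: dict[str, str] = {}
    if doc.get("bomFormat") == "CycloneDX":
        for comp in doc.get("components", []):
            if "purl" not in comp:  # e.g. a file or operating-system component without a purl
                continue
            ident, version = purl_identity(comp["purl"])
            inventory[ident] = version or comp.get("version", "")
    elif "spdxVersion" in doc:
        for pkg in doc.get("packages", []):
            purls = [ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"]
            if not purls:
                continue
            ident, version = purl_identity(purls[0])
            inventory[ident] = version or pkg.get("versionInfo", "")
    else:
        raise ValueError("not a CycloneDX JSON or SPDX JSON document")
    return inventory


def diff_inventories(old: dict[str, str], new: dict[str, str]) -> dict:
    """Report packages added, removed and version-changed between two builds."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": {k: (old[k], new[k]) for k in sorted(old.keys() & new.keys()) if old[k] != new[k]},
    }


if __name__ == "__main__":
    old, new = components(OLD_CDX), components(NEW_SPDX)
    print(json.dumps(diff_inventories(old, new), indent=2))
```

Keying on the purl identity rather than on the bare package name is what keeps the diff honest: two packages called `openssl` from different ecosystems stay distinct, while the qualifier string Syft appends (`?arch=...&distro=...`) is ignored so a base-image bump does not masquerade as a change to every package.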
Decoupling generation from scanning lets you re-scan stored SBOMs as new CVEs land, without rebuilding.

```bash
# Scan an existing SBOM
grype sbom:app.cdx.json -o table
# JSON report for automation
grype sbom:app.cdx.json -o json > app.vulns.json
```

You can also scan an image directly (Grype generates the SBOM internally, so the result reflects the image as pulled today rather than the inventory you stored at build time):

```bash
grype myorg/app:1.4.2 -o table
```
`--fail-on` exits non-zero when any match is at or above the given severity (`negligible`, `low`, `medium`, `high`, `critical`), failing the pipeline.

```bash
grype sbom:app.cdx.json --fail-on high
```

Filter out unfixable noise with a `.grype.yaml` policy (`only-fixed: true`) or `--only-fixed`:

```bash
grype sbom:app.cdx.json --only-fixed --fail-on critical
```

`--only-fixed` drops every finding that has no upstream fix, exploitable or not, so use it to gate the pipeline but not to replace the backlog: keep the unfiltered JSON report for tracking, and record deliberate exceptions as `ignore` rules in `.grype.yaml` (or as a VEX statement) so each suppression has an owner and a reason rather than vanishing silently.
Cosign records the SBOM as a signed in-toto attestation stored alongside the image in the registry. The `--type` value sets the predicate type (`spdxjson` for SPDX JSON, `cyclonedx` for CycloneDX), which verifiers select on later. Prefer referencing the image by digest rather than by a mutable tag: the attestation binds to the digest the tag resolved to at signing time, and a retagged image will not match it.

```bash
# Key-based signing
cosign attest --key cosign.key \
  --predicate app.spdx.json \
  --type spdxjson \
  myorg/app:1.4.2

# Keyless (Sigstore OIDC / Fulcio + Rekor). Keyless is the default in Cosign v2;
# the COSIGN_EXPERIMENTAL=1 variable was only required by v1.
cosign attest \
  --predicate app.cdx.json \
  --type cyclonedx \
  myorg/app:1.4.2
```
Consumers verify provenance before trusting an image. With a key pair, verify against the public key; for keyless attestations, replace `--key` with the identity constraints `--certificate-identity` and `--certificate-oidc-issuer` so that only attestations from the expected signer (for example, one specific CI workflow) are accepted.

```bash
cosign verify-attestation --key cosign.pub --type spdxjson myorg/app:1.4.2
```
Pull the attested SBOM from the registry and re-run Grype as part of continuous monitoring. `cosign download attestation` prints one DSSE envelope per line, one for each attestation on the image; the `payload` field is a base64-encoded in-toto statement whose `predicate` is the SBOM. The pipeline below assumes the image carries a single attestation. If it carries both an SPDX and a CycloneDX attestation, select the envelope whose `predicateType` matches first, otherwise `base64 -d` concatenates two statements and `jq` sees malformed input.

```bash
cosign download attestation myorg/app:1.4.2 \
  | jq -r '.payload' | base64 -d | jq '.predicate' > pulled.spdx.json
grype sbom:pulled.spdx.json -o table
```

Note that `download attestation` performs no verification: anyone who can push to the registry can attach an envelope. Run `verify-attestation` first (it prints the verified envelopes to stdout, so it can stand in for `download attestation` in the pipeline) so a forged SBOM never reaches Grype.
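The `jq` pipeline above takes whatever envelope comes first. The following is an added example, not Cosign or Sigstore code, showing the selection and sanity checks a consumer should apply to the downloaded envelopes before handing the predicate to Grype: pick the attestation by `predicateType` rather than by position, confirm the DSSE `payloadType` is in-toto, and refuse a statement whose subject digest is not the image digest you resolved. The two envelopes are constructed fixtures with placeholder signature values, because signature verification belongs to `cosign verify-attestation`, not to this script; the predicate type URIs are the ones cosign attaches for `--type spdxjson` and `--type cyclonedx`, and `IMAGE_DIGEST` is a placeholder.

```python
"""Select and sanity-check an SBOM attestation from `cosign download attestation` output.

Added example, not Cosign or Sigstore code. The envelopes below are constructed: the payloads
follow the in-toto Statement v0.1 shape cosign emits, but the signature fields hold a
placeholder, because signature verification is done by `cosign verify-attestation`, not here.
"""
from __future__ import annotations

import base64
import json

# Predicate types cosign attaches for `--type spdxjson` and `--type cyclonedx`.
PREDICATE_TYPES = {
    "spdxjson": "https://spdx.dev/Document",
    "cyclonedx": "https://cyclonedx.org/bom",
}
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed placeholder for the digest the image tag resolved to at signing time.
IMAGE_DIGEST = "0123456789abcdef" * 4


def make_envelope(predicate_type: str, predicate: dict, digest: str) -> str:
    """Build a DSSE envelope around an in-toto statement (unsigned test fixture only)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": predicate_type,
        "subject": [{"name": "index.docker.io/myorg/app", "digest": {"sha256": digest}}],
        "predicate": predicate,
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "payload": payload,
        "signatures": [{"keyid": "", "sig": "cGxhY2Vob2xkZXI="}],  # base64("placeholder")
    })


# Constructed: what `cosign download attestation` prints for an image that carries both an
# SPDX and a CycloneDX attestation, one DSSE envelope per line.
DOWNLOAD_OUTPUT = "\n".join([
    make_envelope(PREDICATE_TYPES["spdxjson"],
                  {"spdxVersion": "SPDX-2.3", "packages": []}, IMAGE_DIGEST),
    make_envelope(PREDICATE_TYPES["cyclonedx"],
                  {"bomFormat": "CycloneDX", "specVersion": "1.5",
                   "components": [{"type": "library", "name": "openssl", "version": "3.1.5-r0"}]},
                  IMAGE_DIGEST),
])


def extract_predicate(download_output: str, kind: str, expected_digest: str) -> dict:
    """Return the SBOM predicate of the attestation of `kind` ("spdxjson" or "cyclonedx").

    Selects by predicateType rather than by line position, checks the DSSE payload type, and
    refuses a statement whose subject digest is not the image you resolved. Raises LookupError
    when no attestation of that kind exists and ValueError on a malformed or mismatched one.
    """
    wanted = PREDICATE_TYPES[kind]
    for line in download_output.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
            raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
        statement = json.loads(base64.b64decode(envelope["payload"]))
        if statement.get("predicateType") != wanted:
            continue  # e.g. skip the SPDX envelope when CycloneDX was requested
        digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
        if expected_digest not in digests:
            raise ValueError("attestation subject digest does not match the image digest")
        return statement["predicate"]
    raise LookupError(f"no {kind} attestation found for this image")


if __name__ == "__main__":
    sbom = extract_predicate(DOWNLOAD_OUTPUT, "cyclonedx", IMAGE_DIGEST)
    print(json.dumps(sbom, indent=2))  # write to a file, then: grype sbom:<file>
```

The subject-digest check is deliberately a hard failure rather than a skip: an attestation whose subject is a different digest was signed for a different image, and quietly skipping it would let a stale or mis-tagged SBOM be accepted once a matching one is absent.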
Feed Grype JSON into your vulnerability management workflow: deduplicate by CVE, enrich with EPSS/KEV for prioritization, and track remediation SLAs. Re-scan stored SBOMs on each Grype DB update to catch newly disclosed CVEs in unchanged artifacts.
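The gating and prioritisation steps described above (`--fail-on`, `--only-fixed`, deduplication by CVE, EPSS/KEV enrichment) are the same post-processing a vulnerability-management pipeline applies to the Grype JSON report. The following is an added example, not Grype or Anchore code, that implements them over a constructed report: `gate` mirrors Grype's own exit-code semantics so a policy can be evaluated on a stored report without re-running the scanner, and `prioritize` collapses repeated matches of one CVE across several artifacts into a single row ordered by KEV membership, EPSS and severity. The CVE IDs in the fixture are real and the package versions plausible, but the EPSS values and KEV set are illustrative stand-ins for data you would fetch from FIRST and CISA.

```python
"""Gate and prioritise a Grype JSON report: severity threshold, fixed-only filter, CVE dedup, EPSS/KEV.

Added example, not Grype or Anchore code. The report, EPSS scores and KEV set below are
constructed for illustration: the CVE IDs are real, but the scores are not live data, and a
real report carries more fields per match (matchDetails, locations, relatedVulnerabilities).
"""
from __future__ import annotations

# Grype's severity vocabulary, lowest to highest; --fail-on accepts any of these.
SEVERITIES = ["negligible", "low", "medium", "high", "critical"]

# Constructed: the shape of `grype sbom:app.cdx.json -o json`, reduced to the fields read below.
REPORT = {
    "matches": [
        {"vulnerability": {"id": "CVE-2021-44228", "severity": "Critical",
                           "fix": {"versions": ["2.15.0"], "state": "fixed"}},
         "artifact": {"name": "log4j-core", "version": "2.14.1", "type": "java-archive",
                      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}},
        # Same CVE again via a second, older copy of the library bundled in a plugin.
        {"vulnerability": {"id": "CVE-2021-44228", "severity": "Critical",
                           "fix": {"versions": ["2.15.0"], "state": "fixed"}},
         "artifact": {"name": "log4j-core", "version": "2.13.3", "type": "java-archive",
                      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3"}},
        {"vulnerability": {"id": "CVE-2023-39325", "severity": "High",
                           "fix": {"versions": ["0.17.0"], "state": "fixed"}},
         "artifact": {"name": "golang.org/x/net", "version": "v0.15.0", "type": "go-module",
                      "purl": "pkg:golang/golang.org/x/net@v0.15.0"}},
        # A distro "won't fix": no upstream remedy, so --only-fixed drops it.
        {"vulnerability": {"id": "CVE-2005-2541", "severity": "Negligible",
                           "fix": {"versions": [], "state": "wont-fix"}},
         "artifact": {"name": "tar", "version": "1.34+dfsg-1", "type": "deb",
                      "purl": "pkg:deb/debian/tar@1.34+dfsg-1"}},
    ]
}

# Constructed enrichment data: illustrative EPSS probabilities (fetch live values from FIRST's
# EPSS API) and the subset of report IDs present in CISA's KEV catalogue.
EPSS = {"CVE-2021-44228": 0.97, "CVE-2023-39325": 0.30}
KEV = {"CVE-2021-44228"}


def severity_rank(name: str | None) -> int:
    """Position in SEVERITIES; 'Unknown' or missing severities rank below negligible."""
    name = (name or "").lower()
    return SEVERITIES.index(name) if name in SEVERITIES else -1


def gate(report: dict, fail_on: str, only_fixed: bool = False) -> tuple[int, list[str]]:
    """Mirror `grype --fail-on <sev> [--only-fixed]`: return (exit code, sorted failing CVE IDs)."""
    if fail_on.lower() not in SEVERITIES:
        raise ValueError(f"--fail-on must be one of {SEVERITIES}")
    threshold = severity_rank(fail_on)
    failing: set[str] = set()
    for match in report["matches"]:
        vuln = match["vulnerability"]
        if only_fixed and vuln.get("fix", {}).get("state") != "fixed":
            continue
        if severity_rank(vuln.get("severity")) >= threshold:
            failing.add(vuln["id"])
    return (1 if failing else 0), sorted(failing)


def prioritize(report: dict, epss: dict[str, float], kev: set[str]) -> list[dict]:
    """Deduplicate matches by CVE, attach EPSS/KEV, and order by KEV, then EPSS, then severity."""
    by_id: dict[str, dict] = {}
    for match in report["matches"]:
        vuln, artifact = match["vulnerability"], match["artifact"]
        row = by_id.setdefault(vuln["id"], {
            "id": vuln["id"],
            "severity": vuln.get("severity", "Unknown"),
            "fix_state": vuln.get("fix", {}).get("state", "unknown"),
            "fixed_in": vuln.get("fix", {}).get("versions", []),
            "epss": epss.get(vuln["id"], 0.0),
            "kev": vuln["id"] in kev,
            "artifacts": set(),
        })
        row["artifacts"].add(f"{artifact['name']}@{artifact['version']}")
    rows = list(by_id.values())
    for row in rows:
        row["artifacts"] = sorted(row["artifacts"])
    rows.sort(key=lambda r: (r["kev"], r["epss"], severity_rank(r["severity"])), reverse=True)
    return rows


if __name__ == "__main__":
    code, ids = gate(REPORT, "high", only_fixed=True)
    print(f"exit={code} failing={ids}")
    for row in prioritize(REPORT, EPSS, KEV):
        print(row["id"], row["severity"], "KEV" if row["kev"] else "-", row["epss"], row["artifacts"])
```

Because `gate` runs on the stored report, the same policy can be replayed against every archived SBOM scan after a Grype DB update, which is exactly the re-scan loop the paragraph above describes; and because `prioritize` keeps every affected artifact under one CVE row, the remediation ticket lists all copies of the library that need replacing, not just the first one the scanner happened to match.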
| Tool | Purpose | Link |
|---|---|---|
| Syft | SBOM generation | https://github.com/anchore/syft |
| Grype | Vulnerability scanning of SBOMs/images | https://github.com/anchore/grype |
| Cosign | SBOM signing/attestation | https://github.com/sigstore/cosign |
| CycloneDX | Security-focused SBOM standard | https://cyclonedx.org/ |
| SPDX | ISO SBOM standard | https://spdx.dev/ |
| CISA SBOM | Guidance and minimum elements | https://www.cisa.gov/sbom |
| Aspect | CycloneDX | SPDX |
|---|---|---|
| Steward | OWASP | Linux Foundation / ISO/IEC 5962:2021 |
| Strength | Security, VEX, vulnerabilities | Licensing, provenance |
| Common syft -o values | cyclonedx-json, cyclonedx-xml | spdx-json, spdx-tag-value (alias spdx) |
CI gate: run Grype with `--fail-on` at an agreed severity so builds fail on new findings above the threshold.