How to create an SBOM, step by step

The following steps explain how to build an SBOM. The SBOM template included in this article is a helpful starting point because it demonstrates how SBOMs enumerate the component parts of the software. Here are the steps:

Use this free downloadable
SBOM template to get
help creating an SBOM
for your organization.

1. Select an SBOM tool. Creating an SBOM manually is time-consuming and cumbersome. Many tools are available to help with the task. Therefore, the first step is to choose a tool. Look for one that generates SBOMs both from using software source code and independently. Open sourceSBOM tools include Syft, Fossa, Tern and Retire.js.
2. Select an SBOM format. SBOM formats include CycloneDX, System Package Data Exchange (SPDX) or Software Identification (SWID) tags.
3. Generate the SBOM. Use the tool and selected format to create an SBOM that includes all internally developed components, open source and commercial external software, libraries, frameworks, firmware and other software components in use.
4. Maintain the SBOM. SBOMs are living documents. As such, it is important to update them regularly, for example, when patching or updating software. This keeps the SBOM up to date with its components and known vulnerabilities.

What to include in an SBOM

SBOMs provide an exhaustive breakdown of every software component, listed by name and followed by any subdependencies. This is a hierarchical relationship where the component in question is itself reliant on other software, which also can be reliant on additional software components that should be listed as sub-subdependencies. This can be further deconstructed as needed for organizations, but for the purposes of usability, the SBOM template and example do not list any further layers of dependencies.

The National Telecommunications and Information Administrationlists the following as minimum elements for an SBOM:

• Component name.
• Supplier name.
• Component version.
• Additional unique identifiers, such as licensing information.
• Dependency relationship information.
• Author of the SBOM data.
• Timestamp of when SBOM was created.

Other elements to add to an SBOM include subdependencies, sub-subdependencies, cryptographic hashes of the components and any known vulnerabilities (CVEs).

SBOM best practices

Follow these best practices for creating and maintaining SBOMs:

• Promote open communication between DevOps and security teams.Siloed teams increase the chances of security gaps or discrepancies within SBOMs. Communication is key.
• Work with software vendors to create SBOMs. When adopting new software, ask the vendor for a complete breakdown of all the components used.
• Update SBOMs with every software release. To ensure they remain accurate and ready for review, update SBOMs after every software update.
• Automate SBOM updates. Automate the SBOM process to streamline generation and updates, increase efficiency and mitigate errors.
• Use the same SBOM format. Create all SBOMs using the same format to improve interoperability and make them easy to maintain and update.
• Scale SBOM generation. Ensure that the creation of current and future SBOMs is scalable, especially when it comes to managing version history and changes.

SBOM formats

As mentioned, SBOM formats include CycloneDX, SPDX and SWID tags:

• CycloneDX. This open source standard is supported by the OWASP Foundation and is designed to be a lightweight protocol that accepts multiple formats, such as JSON, XML and more.
• SPDX. Created by the Linux Foundation, this open source standard is useful for providing in-depth details, such as license information, and enables organizations to include code snippets and comments in the SBOM.
• SWID. While not a full-fledged SBOM standard, SWID is backed by NIST and can be used to comply with licensing agreements and to gain transparency into software components.

Learn more about thesethree SBOM formats.

Editor's note:Informa TechTarget editors revised this article in 2025 to improve the reader experience.

Rob Shapland is an ethical hacker specializing in cloud security, social engineering and delivering cybersecurity training to companies worldwide.