Supply chain security - Akira SBOM
Generate locally
./scripts/generate_sbom.sh
Output in .sbom/ (gitignored):
akira_backend.cdx.json
fs_esl_gateway.cdx.json
sipp_orch.cdx.json
akira_db.cdx.json
akira_workers.cdx.json
akira_shared.cdx.json
frontend.cdx.json
akira-aggregate.cdx.json
All files are CycloneDX 1.6 JSON.
CI / CD
GitHub Actions workflow sbom-generate.yml runs on pull requests, manual
dispatch, and pushes to master.
The workflow uploads .sbom/ as the artifact sbom-akira-${{ github.sha }} with
90-day retention.
CVE scanning (manual)
osv-scanner --sbom .sbom/akira-aggregate.cdx.json
Vulnerability scanning stays advisory-only in CI for now: findings are reported, but builds are not failed on CVE matches until severity thresholds and false-positive handling are defined.
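The workflow below is an added illustration of the CI behaviour described above (the triggers, the artifact name and the 90-day retention) together with an advisory-only osv-scanner step; it is not the repository's actual sbom-generate.yml. The runner image, the action versions, the read-only permissions block and the go install line for osv-scanner are assumptions.

```yaml
# Illustrative reconstruction of .github/workflows/sbom-generate.yml
# (added example, not the project's file).
name: SBOM Generation

on:
  pull_request:
  workflow_dispatch:
  push:
    branches: [master]

# Generating and uploading an SBOM needs no write scope on the repository.
permissions:
  contents: read

jobs:
  sbom:
    runs-on: ubuntu-latest   # assumption
    steps:
      - uses: actions/checkout@v4

      - name: Generate CycloneDX SBOMs
        run: ./scripts/generate_sbom.sh

      - name: Upload SBOMs
        uses: actions/upload-artifact@v4
        with:
          name: sbom-akira-${{ github.sha }}
          path: .sbom/
          retention-days: 90
          if-no-files-found: error   # a silently empty artifact is worse than a red build

      # Advisory only: continue-on-error keeps a CVE match from failing the
      # job until severity thresholds and false-positive handling exist.
      - name: Scan aggregate SBOM (advisory)
        continue-on-error: true
        run: |
          go install github.com/google/osv-scanner/cmd/osv-scanner@v1   # install method is an assumption
          "$(go env GOPATH)/bin/osv-scanner" --sbom .sbom/akira-aggregate.cdx.json
```

When thresholds are agreed, flipping the scan step to gating is a one-line change (drop continue-on-error); until then the step's log is where reviewers look for findings.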
Carrier audit response
When a carrier partner requests an SBOM:
- Download the artifact from the latest successful SBOM Generation workflow run on master.
- Send akira-aggregate.cdx.json.
- State the format: CycloneDX 1.6 JSON.
License audit
cyclonedx-cli analyze .sbom/akira-aggregate.cdx.json --report licenses
Check for strong copyleft licenses such as GPL-3.0 and AGPL-3.0 before sharing with commercial partners.
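The script below is an added example, not part of the Akira repository, covering both of the checks a reviewer does before an SBOM leaves the company: that the file really is CycloneDX 1.6 JSON as promised to the carrier, and which components carry a strong copyleft license. It assumes the CycloneDX JSON layout (components[].licenses[] holding either {"license": {"id" or "name"}} or an SPDX {"expression"}), handles nested components and OR-expressions (dual licensing, where the copyleft option may be avoidable), and treats LGPL as weak copyleft. The embedded SBOM and its package names are constructed for the example.

```python
"""Pre-share SBOM check: format assertion plus strong-copyleft inventory.

Added example (not the project's code). Assumes CycloneDX JSON structure.
Usage: python sbom_check.py .sbom/akira-aggregate.cdx.json
"""
import json
import re
import sys

EXPECTED_FORMAT = "CycloneDX"
EXPECTED_SPEC = "1.6"
# SPDX identifier prefixes treated as strong copyleft; extend per policy.
STRONG_COPYLEFT_PREFIXES = ("AGPL-3.0", "GPL-3.0", "GPL-2.0")


def check_format(bom: dict) -> list[str]:
    """Return deviations from 'CycloneDX 1.6 JSON with a urn:uuid serial'."""
    problems = []
    if bom.get("bomFormat") != EXPECTED_FORMAT:
        problems.append(f"bomFormat is {bom.get('bomFormat')!r}, expected {EXPECTED_FORMAT!r}")
    if bom.get("specVersion") != EXPECTED_SPEC:
        problems.append(f"specVersion is {bom.get('specVersion')!r}, expected {EXPECTED_SPEC!r}")
    if not str(bom.get("serialNumber", "")).startswith("urn:uuid:"):
        problems.append("serialNumber missing or not a urn:uuid")
    return problems


def walk_components(components):
    """Yield every component, including those nested under other components."""
    for comp in components or []:
        yield comp
        yield from walk_components(comp.get("components"))


def license_ids(component):
    """Yield (identifier, choice_available) for each license on a component.

    choice_available is True when the id comes from an SPDX expression joined
    with OR, meaning the copyleft term may be avoidable by picking the other."""
    for entry in component.get("licenses", []):
        if "expression" in entry:
            expr = entry["expression"]
            choice = bool(re.search(r"\bOR\b", expr, re.IGNORECASE))
            for token in re.findall(r"[A-Za-z0-9.+-]+", expr):
                if token.upper() not in ("AND", "OR", "WITH"):
                    yield token, choice
        elif "license" in entry:
            lic = entry["license"]
            yield lic.get("id") or lic.get("name", ""), False


def is_strong_copyleft(identifier: str) -> bool:
    """SPDX ids (GPL-3.0-only, AGPL-3.0-or-later, ...) or free-text names such as
    'GNU General Public License v3'. LGPL is weak copyleft and is not matched."""
    upper = identifier.upper()
    if upper.startswith(tuple(p.upper() for p in STRONG_COPYLEFT_PREFIXES)):
        return True
    return ("GENERAL PUBLIC LICENSE" in upper
            and "LESSER" not in upper and "LIBRARY" not in upper)


def find_copyleft(bom: dict) -> list[dict]:
    """Components carrying a strong copyleft license, in SBOM order."""
    hits = []
    for comp in walk_components(bom.get("components")):
        for ident, choice in license_ids(comp):
            if is_strong_copyleft(ident):
                hits.append({"name": comp.get("name"), "version": comp.get("version"),
                             "license": ident, "choice_available": choice})
    return hits


def unlicensed(bom: dict) -> list[str]:
    """Components with no license data at all: unknown is not the same as clean."""
    return [c.get("name") for c in walk_components(bom.get("components")) if not c.get("licenses")]


# Constructed sample SBOM for the example; package names are invented.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", "version": 1,
    "components": [
        {"type": "library", "name": "demo-http", "version": "1.4.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "components": [{"type": "library", "name": "demo-pdf", "version": "0.9.2",
                         "licenses": [{"license": {"id": "AGPL-3.0-or-later"}}]}]},
        {"type": "library", "name": "demo-codec", "version": "3.1.1",
         "licenses": [{"license": {"name": "GNU Lesser General Public License v2.1"}}]},
        {"type": "library", "name": "demo-orm", "version": "2.0.0",
         "licenses": [{"expression": "MIT OR GPL-3.0-only"}]},
        {"type": "library", "name": "demo-internal", "version": "0.1.0"},
    ],
}


def main(path: str) -> int:
    with open(path, encoding="utf-8") as fh:
        bom = json.load(fh)
    problems, hits, unknown = check_format(bom), find_copyleft(bom), unlicensed(bom)
    for p in problems:
        print(f"FORMAT: {p}")
    for h in hits:
        note = " (OR-expression, alternative may be available)" if h["choice_available"] else ""
        print(f"COPYLEFT: {h['name']} {h['version']}: {h['license']}{note}")
    for name in unknown:
        print(f"NO LICENSE DATA: {name}")
    return 1 if problems or hits or unknown else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else ".sbom/akira-aggregate.cdx.json"))
```

Run it against the aggregate file before answering a carrier request; a non-zero exit means either the file is not what the audit response claims it is, or legal review is needed before sending. The unlicensed list matters as much as the copyleft list: cyclonedx-cli's license report cannot flag what the generator never recorded.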