SBOM Generator and CVE Matcher
Generates a Software Bill of Materials for container images using Syft and matches each component against known-vulnerability data from the OSV.dev API and the NVD (National Vulnerability Database). Outputs CycloneDX and SPDX formats for supply chain compliance.
npx skills add agentskillexchange/skills --skill sbom-generator-cve-matcher
The SBOM Generator and CVE Matcher skill automates software supply chain security by generating comprehensive Software Bill of Materials documents and correlating them against known vulnerability databases. It uses Anchore’s Syft tool to catalog packages, libraries, and dependencies from container images, filesystem directories, and archive files.
Generated SBOMs can be written in either CycloneDX 1.5 or SPDX 2.3, the two formats that satisfy the SBOM requirements flowing from US Executive Order 14028 and secure-development frameworks such as NIST SP 800-218 (the Secure Software Development Framework). The skill then queries the OSV.dev API and the NVD to match each component against known CVEs, reporting the CVSS score, the EPSS exploit-probability score published by FIRST, and whether the CVE is listed in CISA's KEV (Known Exploited Vulnerabilities) catalog. Matching is keyed on ecosystem, package name and exact version, so its accuracy is bounded by how well Syft identifies each package; hits on packages with ambiguous or missing versions should be spot-checked.
Features include recursive dependency resolution for the npm, pip, Maven, Go modules, and Cargo ecosystems; license identification and compatibility checking; VEX (Vulnerability Exploitability eXchange) document generation for stating which matched vulnerabilities actually apply to the product; and delta comparison between SBOM versions to track dependency drift across releases. Results can be cross-checked against Grype, Anchore's companion vulnerability scanner, which consumes the same Syft-generated SBOM.
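The SBOM-to-OSV matching and the delta comparison described above, as an added example that is not part of the skill's own code: it reads a CycloneDX 1.5 document, converts each component's package URL into an OSV.dev `querybatch` query (the `https://api.osv.dev/v1/querybatch` endpoint and its request/response shape are real; the ecosystem table here is a subset), correlates the batch response back to the components, and diffs two SBOM versions. The SBOM documents and the OSV response embedded below are constructed samples with placeholder vulnerability IDs, not real Syft output or real advisories; the function names are this example's own.

```python
"""Map a CycloneDX SBOM to OSV.dev batch queries, correlate the answer, and diff two SBOMs."""
import json
import urllib.parse
import urllib.request

# purl type -> OSV.dev ecosystem name. Subset for the example; types not listed are skipped,
# which is the failure mode to watch for: a skipped component silently gets no CVE coverage.
OSV_ECOSYSTEMS = {"pypi": "PyPI", "npm": "npm", "maven": "Maven", "golang": "Go", "cargo": "crates.io"}
OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"


def parse_cyclonedx(sbom):
    """Return (name, version, purl) for every component that carries a package URL."""
    return [(c["name"], c.get("version"), c["purl"]) for c in sbom.get("components", []) if c.get("purl")]


def purl_to_osv_query(purl):
    """Translate a package URL into an OSV.dev query object, or None if the type is unsupported."""
    if not purl.startswith("pkg:"):
        return None
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]   # drop qualifiers and subpath
    ptype, _, rest = body.partition("/")
    path, sep, version = rest.rpartition("@")            # scoped npm names encode '@' as %40, so this is safe
    if not sep:
        path, version = rest, None
    ecosystem = OSV_ECOSYSTEMS.get(ptype)
    if ecosystem is None:
        return None
    name = urllib.parse.unquote(path)
    if ptype == "maven":                                  # OSV keys Maven packages as groupId:artifactId
        name = name.replace("/", ":")
    query = {"package": {"name": name, "ecosystem": ecosystem}}
    if version:
        query["version"] = version                        # passed verbatim; no normalisation attempted
    return query


def build_querybatch(components):
    """Return (payload, purls) where purls[i] is the component behind payload['queries'][i]."""
    queries, purls = [], []
    for _, _, purl in components:
        q = purl_to_osv_query(purl)
        if q:
            queries.append(q)
            purls.append(purl)
    return {"queries": queries}, purls


def match_results(purls, response):
    """OSV answers in query order, so zip by position; return {purl: [vuln ids]} for hits only."""
    hits = {}
    for purl, result in zip(purls, response.get("results", [])):
        ids = [v["id"] for v in result.get("vulns", [])]
        if ids:
            hits[purl] = ids
    return hits


def query_osv_live(payload, timeout=30):
    """POST the batch to OSV.dev (needs network); not called by the offline demo."""
    req = urllib.request.Request(OSV_QUERYBATCH_URL, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def purl_key(purl):
    """Package identity without version or qualifiers, used to pair components across SBOMs."""
    base = purl.split("?", 1)[0]
    return base.rpartition("@")[0] if "@" in base else base


def sbom_delta(old_sbom, new_sbom):
    """Dependency drift between two SBOM versions: added, removed, and version-changed packages."""
    old = {purl_key(p): v for _, v, p in parse_cyclonedx(old_sbom)}
    new = {purl_key(p): v for _, v, p in parse_cyclonedx(new_sbom)}
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}}


# Constructed sample SBOMs (hand-written, not Syft output). The deb component exercises the skipped-type path.
SBOM_V1 = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "jinja2", "version": "2.11.2", "purl": "pkg:pypi/jinja2@2.11.2"},
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "libssl3", "version": "3.0.2", "purl": "pkg:deb/ubuntu/libssl3@3.0.2"}]}
SBOM_V2 = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "jinja2", "version": "3.1.4", "purl": "pkg:pypi/jinja2@3.1.4"},
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "libssl3", "version": "3.0.2", "purl": "pkg:deb/ubuntu/libssl3@3.0.2"}]}
# Constructed querybatch response for SBOM_V1 (one result per query); IDs are placeholders, not real advisories.
OSV_RESPONSE_V1 = {"results": [
    {"vulns": [{"id": "EXAMPLE-0001", "modified": "2024-01-01T00:00:00Z"}]},
    {"vulns": [{"id": "EXAMPLE-0002", "modified": "2024-01-01T00:00:00Z"}, {"id": "EXAMPLE-0003"}]}]}


def demo():
    """Run the offline pipeline: SBOM -> queries -> matched hits, plus the V1 -> V2 delta."""
    payload, purls = build_querybatch(parse_cyclonedx(SBOM_V1))
    return match_results(purls, OSV_RESPONSE_V1), sbom_delta(SBOM_V1, SBOM_V2)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Replacing `OSV_RESPONSE_V1` with `query_osv_live(payload)` turns this into a real lookup; the purl list returned by `build_querybatch` is what keeps the positional answer aligned with the right component, and any component for which `purl_to_osv_query` returns `None` never reaches OSV, so a production matcher should report those as unscanned rather than clean.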