Final Year Project on Software Vulnerability Management

Project Overview

Modern software relies heavily on open-source libraries and third-party components, which can introduce hidden security vulnerabilities. This project focuses on improving visibility and vulnerability management by implementing a Software Bill of Materials (SBOM)-based security pipeline.

The system automatically generates SBOMs, scans dependencies for known vulnerabilities, and alerts developers to critical security risks through an integrated CI/CD workflow.

Problem Statement

Many organizations lack clear visibility into the software components used in their applications. This makes it difficult to identify vulnerable dependencies and respond quickly to security threats.

The issue was highlighted during the Log4Shell vulnerability, where organizations struggled to determine whether their systems were affected due to the absence of a comprehensive inventory of software components.

Implemented Solution

This project implements an automated SBOM-based vulnerability management pipeline that integrates with CI/CD workflows.

The system:

  • Generates SBOMs for open-source repositories
  • Scans dependencies against multiple vulnerability databases
  • Continuously monitors vulnerabilities
  • Automatically creates issue tickets for high-risk findings

This approach enables earlier detection of vulnerabilities and improves collaboration between development and security teams.
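The core of the pipeline described above, as an added illustration rather than the project's own code: parse a CycloneDX SBOM, match each component's package URL against an OSV-style vulnerability feed, and build issue-ticket payloads only for findings at or above a severity floor. The SBOM, the feed and its `EXAMPLE-VULN-*` identifiers are constructed inline for this example; a real pipeline would generate the SBOM with a tool such as Syft or CycloneDX and pull advisories from OSV or NVD.

```python
import json, re

# Constructed sample CycloneDX SBOM (not the project's own). The purl is the
# join key between SBOM components and vulnerability records.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
 {"name": "log4j-core", "version": "2.14.1",
  "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
 {"name": "jackson-databind", "version": "2.13.4",
  "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
 {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"}]}"""

# Constructed OSV-style feed with placeholder IDs; a package is affected in
# the range [introduced, fixed). A real pipeline pulls this from OSV or NVD.
VULN_FEED = [
    {"id": "EXAMPLE-VULN-0001", "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0", "severity": "CRITICAL"},
    {"id": "EXAMPLE-VULN-0002", "package": "pkg:maven/com.fasterxml.jackson.core/jackson-databind",
     "introduced": "0", "fixed": "2.13.4.1", "severity": "HIGH"},
    {"id": "EXAMPLE-VULN-0003", "package": "pkg:pypi/requests",
     "introduced": "0", "fixed": "2.32.0", "severity": "LOW"},
]
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def version_key(v):
    # Numeric-segment ordering; not a full semver/Maven comparator.
    return tuple(int(n) for n in re.findall(r"\d+", v))

def parse_sbom(sbom_json):
    # Return (purl without version, version) for each CycloneDX component.
    parts = [c["purl"].rpartition("@") for c in json.loads(sbom_json).get("components", [])]
    return [(base, ver) for base, _, ver in parts]

def find_vulnerable(components, feed):
    # A component is affected when introduced <= version < fixed.
    findings = []
    for base, ver in components:
        for rec in feed:
            if (rec["package"] == base and
                    version_key(rec["introduced"]) <= version_key(ver) < version_key(rec["fixed"])):
                findings.append({"package": base, "version": ver, "id": rec["id"],
                                 "severity": rec["severity"], "fixed": rec["fixed"]})
    return findings

def tickets_for(findings, min_severity="HIGH"):
    # Issue-ticket payloads only for findings at or above the severity floor.
    floor = SEVERITY_RANK[min_severity]
    return [{"title": f"[{f['severity']}] {f['id']}: {f['package']}@{f['version']}",
             "body": f"Fixed in {f['fixed']}; upgrade and regenerate the SBOM."}
            for f in findings if SEVERITY_RANK[f["severity"]] >= floor]
```

With the sample data, all three components match a feed record, but the default `HIGH` floor turns only the CRITICAL and HIGH findings into tickets; the LOW one stays in the scan report for continuous monitoring without opening an issue.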