artifact-sbom-publisher

Produces build artifacts with Software Bill of Materials (SBOM) and supply chain metadata for security and compliance. Use for "artifact publishing", "SBOM generation", "supply chain security", or "build provenance".

16 stars

Best use case

artifact-sbom-publisher is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using artifact-sbom-publisher should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/artifact-sbom-publisher/SKILL.md --create-dirs "https://raw.githubusercontent.com/diegosouzapw/awesome-omni-skill/main/skills/testing-security/artifact-sbom-publisher/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/artifact-sbom-publisher/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How artifact-sbom-publisher Compares

Feature / Agent            artifact-sbom-publisher    Standard Approach
Platform Support           Not specified              Limited / Varies
Context Awareness          High                       Baseline
Installation Complexity    Unknown                    N/A

SKILL.md Source

# Artifact & SBOM Publisher

Generate and publish artifacts with supply chain security metadata.

## Build Artifacts

```yaml
build:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4

    - uses: actions/setup-node@v4
      with:
        node-version: "20"

    - run: npm ci
    - run: npm run build

    - name: Upload artifacts
      uses: actions/upload-artifact@v4
      with:
        name: dist-${{ github.sha }}
        path: |
          dist/
          !dist/**/*.map
        retention-days: 30
        if-no-files-found: error
```

## SBOM Generation (CycloneDX)

```yaml
sbom:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4

    # The CycloneDX generator reads the installed dependency tree, so
    # install it first or the SBOM will contain no components.
    - uses: actions/setup-node@v4
      with:
        node-version: "20"
    - run: npm ci

    - name: Generate SBOM
      # pin to a release tag or commit SHA rather than the moving master branch
      uses: CycloneDX/gh-node-module-generatebom@master
      with:
        path: ./
        output: ./sbom.json

    - name: Upload SBOM
      uses: actions/upload-artifact@v4
      with:
        name: sbom-${{ github.sha }}
        path: sbom.json
```

## SBOM with Syft

```yaml
- name: Generate SBOM with Syft
  run: |
    curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
    syft . -o spdx-json > sbom-spdx.json
    syft . -o cyclonedx-json > sbom-cyclonedx.json

- name: Upload SBOMs
  uses: actions/upload-artifact@v4
  with:
    name: sboms
    path: |
      sbom-spdx.json
      sbom-cyclonedx.json
```

## Docker Image SBOM

```yaml
- name: Build image
  uses: docker/build-push-action@v5
  with:
    context: .
    push: true
    tags: myapp:${{ github.sha }}
    sbom: true
    provenance: true

- name: Generate SBOM for image
  run: |
    syft myapp:${{ github.sha }} -o spdx-json > image-sbom.json

- name: Scan SBOM for vulnerabilities
  uses: anchore/scan-action@v3
  with:
    sbom: image-sbom.json
    fail-build: true
    severity-cutoff: high
```

## Build Provenance (SLSA)

```yaml
provenance:
  runs-on: ubuntu-latest
  permissions:
    actions: read
    id-token: write      # needed to obtain the Sigstore signing identity
    attestations: write  # needed to store the attestation on GitHub
    contents: read       # the job only reads the repository
  steps:
    - uses: actions/checkout@v4

    - uses: actions/setup-node@v4
      with:
        node-version: "20"

    - name: Build
      run: |
        npm ci
        npm run build

    - name: Generate provenance
      uses: actions/attest-build-provenance@v1
      with:
        subject-path: "dist/**"
```

## Artifact Metadata

```yaml
- name: Create artifact metadata
  # Values an outside party can influence (branch and tag names, the actor)
  # are passed through env rather than interpolated into the script body,
  # so they cannot inject shell syntax into the run step.
  env:
    VERSION: ${{ github.ref_name }}
    BRANCH: ${{ github.ref }}
    WORKFLOW: ${{ github.workflow }}
    ACTOR: ${{ github.actor }}
  run: |
    cat > artifact-metadata.json << EOF
    {
      "version": "${VERSION}",
      "commit": "${{ github.sha }}",
      "branch": "${BRANCH}",
      "build_time": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
      "builder": "GitHub Actions",
      "workflow": "${WORKFLOW}",
      "run_id": "${{ github.run_id }}",
      "actor": "${ACTOR}"
    }
    EOF

- name: Upload metadata
  uses: actions/upload-artifact@v4
  with:
    name: metadata
    path: artifact-metadata.json
```

## Package & Release

```yaml
release:
  runs-on: ubuntu-latest
  needs: [build, sbom]
  if: github.event_name == 'release'
  steps:
    - name: Download artifacts
      uses: actions/download-artifact@v4
      with:
        path: artifacts/

    - name: Create release package
      run: |
        cd artifacts
        tar -czf ../release.tar.gz dist-* sbom-* metadata/

    - name: Upload to release
      uses: actions/upload-release-asset@v1
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
        upload_url: ${{ github.event.release.upload_url }}
        asset_path: ./release.tar.gz
        asset_name: release-${{ github.ref_name }}.tar.gz
        asset_content_type: application/gzip
```
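Before the release job tars up what it downloaded, it is worth gating on the contents. The following is an added example, not part of the skill: it normalises either a CycloneDX or a syft SPDX JSON SBOM, checks that every component carries a version and purl, and validates the fields written by the artifact-metadata step. The file names, sample documents and function names are assumptions.

```python
"""Release gate: sanity-check the SBOM and artifact metadata before packaging.

Added example, not part of the skill. Assumes a CycloneDX or SPDX JSON SBOM
such as the workflow produces, plus the artifact-metadata.json written above.
"""
import json
import re
import sys

SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def components(sbom: dict) -> list[dict]:
    """Normalise a CycloneDX or SPDX JSON document to [{name, version, purl}]."""
    if sbom.get("bomFormat") == "CycloneDX":
        return [{"name": c.get("name"), "version": c.get("version"), "purl": c.get("purl")}
                for c in sbom.get("components", [])]
    if "spdxVersion" in sbom:  # syft's spdx-json keeps the purl in externalRefs
        return [{"name": p.get("name"), "version": p.get("versionInfo"),
                 "purl": next((r.get("referenceLocator") for r in p.get("externalRefs", [])
                               if r.get("referenceType") == "purl"), None)}
                for p in sbom.get("packages", [])]
    raise ValueError("unrecognised SBOM format")


def gate(sbom: dict, metadata: dict) -> list[str]:
    """Return findings; an empty list means the release may be packaged."""
    findings = []
    comps = components(sbom)
    if not comps:  # usually the dependency tree was not installed before generation
        findings.append("SBOM lists no components")
    findings += [f"component {c['name']!r} lacks version or purl"
                 for c in comps if not (c["version"] and c["purl"])]
    if not SHA_RE.match(metadata.get("commit", "")):
        findings.append("metadata.commit is not a full 40-hex commit SHA")
    findings += [f"metadata.{k} missing" for k in ("version", "build_time", "run_id")
                 if not metadata.get(k)]
    return findings


# Constructed samples so the gate can be exercised offline.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"}]}
SAMPLE_METADATA = {"version": "v1.2.0", "commit": "a" * 40,
                   "build_time": "2024-01-01T00:00:00Z", "run_id": "123"}

if __name__ == "__main__":  # usage: release_gate.py sbom.json artifact-metadata.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            problems = gate(json.load(f), json.load(g))
    else:
        problems = gate(SAMPLE_SBOM, SAMPLE_METADATA)
    print("\n".join(problems) or "release gate passed")
    sys.exit(1 if problems else 0)
```

Run it as a step between "Download artifacts" and "Create release package" so a hollow SBOM or malformed metadata fails the job instead of shipping.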

## Vulnerability Scanning

```yaml
- name: Scan SBOM for vulnerabilities
  # pin to a release tag or commit SHA rather than the moving master branch
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: "sbom"
    scan-ref: "sbom.json"   # the SBOM file is the scan target
    format: "sarif"
    output: "trivy-results.sarif"

- name: Upload scan results
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: "trivy-results.sarif"
```

## Artifact Attestation

```yaml
- name: Attest artifact
  uses: actions/attest@v1
  with:
    subject-path: "dist/myapp.tar.gz"
    predicate-type: "https://slsa.dev/provenance/v1"
    predicate: |
      {
        "buildType": "https://github.com/actions/workflow",
        "builder": {
          "id": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
        },
        "metadata": {
          "buildInvocationId": "${{ github.run_id }}",
          "completeness": {
            "parameters": true,
            "environment": false,
            "materials": true
          }
        }
      }
```

## Best Practices

1. **Generate SBOMs**: For all releases
2. **Multiple formats**: SPDX and CycloneDX
3. **Scan vulnerabilities**: Before release
4. **Sign artifacts**: For verification
5. **Include provenance**: SLSA attestation
6. **Retention policy**: Keep artifacts 30 days
7. **Metadata**: Version, commit, timestamp
8. **Automate**: Part of every build

## Output Checklist

- [ ] Build artifacts uploaded
- [ ] SBOM generated (SPDX or CycloneDX)
- [ ] Vulnerability scanning configured
- [ ] Build provenance generated
- [ ] Artifact metadata included
- [ ] Release packaging automated
- [ ] Attestation/signing (optional)
- [ ] Retention policy set
