
Automated SBOM Generation and Security Scanning with Amazon Inspector in AWS CI/CD Pipeline


Created on 2025-03-26 13:05

Published on 2025-03-26 15:45

Hello everyone,

I hope you all are doing well. In this week's blog, we will look at how to generate an SBOM and perform security scanning with Amazon Inspector in an AWS CI/CD pipeline.

Let's get started.

What is an SBOM?

A Software Bill of Materials (SBOM) is an inventory of the software components, libraries, and dependencies that we use in our application. It helps track open-source and third-party components and supports compliance requirements.

Why Use Amazon Inspector?

  • Automated SBOM Generation – Inspector scans container images and generates an SBOM in CycloneDX or SPDX format.

  • Vulnerability Assessment – Continuously scans for CVE vulnerabilities in dependencies.

Let's start with the hands-on, step by step, in the AWS Console:

  1. First, enable Inspector scanning for ECR repositories.

  2. Create a vulnerable Python sample application and a Dockerfile for this blog, and push them to a GitHub repo.

Creating a vulnerable Python app

requirements.txt file

Dockerfile

  3. Create an ECR repository for the app.

  4. Now, create an S3 bucket where we will store our scan report and SBOM report.

  5. Create a buildspec.yml file for your CodeBuild project in your GitHub repo.

First we specify the version. Then we define our environment variables: AWS Region, ECR repo name, S3 bucket name, and KMS key ARN (ideally this key can also be generated and used by the pipeline itself).

Define the phases. The first is install, where we update all installed packages to the latest version and install jq. After that we export some variables for further use:

  • : Shortened commit hash of the current Git revision.

  • : Timestamp in format for versioning.

  • : Semantic versioning using Git tags

  • : Combines versioning information to tag the Docker image.

  • : Fetches the AWS account ID using .

  • : Creates the URI for the ECR repository.

  • : Defines a unique S3 path using the timestamp and commit hash.

After that we log in to our ECR repo using aws ecr get-login-password --region ${AWS_REGION} | docker login --username AWS --password-stdin $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/python-app

The next step is to build the Docker image and push it to the ECR repo, where Inspector's continuous security scan picks it up. We also generate the SBOM scan report and push it to the S3 bucket. If any critical or high severity vulnerability is found, we fail the build process.

Push the buildspec.yml file to the root of your GitHub repository.
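The following shell script is an added example, not the author's buildspec.yml and not AWS sample code. It implements the build, push, scan, SBOM-export and severity-gate sequence described above as a single script that a buildspec `build` phase could invoke. It assumes AWS CLI v2 (the `inspector2` commands), Docker and git inside CodeBuild; the region, bucket name and KMS key ARN are placeholders, and instead of jq it uses the CLI's own `--query` option so the gate itself is plain POSIX shell.

```shell
#!/bin/sh
# Added example (not the page's buildspec.yml): build -> push -> wait for
# Inspector scan -> export CycloneDX SBOM to S3 -> fail on CRITICAL/HIGH.
set -e

AWS_REGION="${AWS_REGION:-us-east-1}"              # placeholder region
ECR_REPO_NAME="${ECR_REPO_NAME:-python-app}"       # repository name used on the page
S3_BUCKET="${S3_BUCKET:-example-sbom-reports}"     # placeholder bucket
KMS_KEY_ARN="${KMS_KEY_ARN:-arn:aws:kms:REGION:ACCOUNT_ID:key/PLACEHOLDER}"  # placeholder

# Count the findings that must fail the build. Input is a whitespace-separated
# list of severities, exactly what this prints:
#   aws inspector2 list-findings --query 'findings[].severity' --output text
count_blocking() {
    n=0
    for sev in $1; do
        case "$sev" in
            CRITICAL|HIGH) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Security gate: exit 0 only when no CRITICAL or HIGH finding exists.
severity_gate() {
    blocking=$(count_blocking "$1")
    if [ "$blocking" -gt 0 ]; then
        echo "Security gate FAILED: $blocking critical/high finding(s)" >&2
        return 1
    fi
    echo "Security gate passed: no critical/high findings"
    return 0
}

# Image tag built from the same ingredients the page combines:
# latest git tag, timestamp and short commit hash.
image_tag() {
    commit="$1"; stamp="$2"; semver="$3"
    echo "${semver}-${stamp}-${commit}"
}

run_pipeline() {
    COMMIT_HASH=$(git rev-parse --short HEAD)
    TIMESTAMP=$(date -u +%Y%m%d%H%M%S)
    SEMVER=$(git describe --tags --abbrev=0 2>/dev/null || echo "0.0.0")
    IMAGE_TAG=$(image_tag "$COMMIT_HASH" "$TIMESTAMP" "$SEMVER")
    ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
    REGISTRY="$ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com"
    ECR_URI="$REGISTRY/$ECR_REPO_NAME"
    S3_PREFIX="sbom/${TIMESTAMP}-${COMMIT_HASH}"   # unique path per build

    # Log in to ECR, then build and push; enhanced scanning starts on push.
    aws ecr get-login-password --region "$AWS_REGION" \
        | docker login --username AWS --password-stdin "$REGISTRY"
    docker build -t "$ECR_URI:$IMAGE_TAG" .
    docker push "$ECR_URI:$IMAGE_TAG"

    # Block until Inspector has finished scanning this image.
    aws ecr wait image-scan-complete --region "$AWS_REGION" \
        --repository-name "$ECR_REPO_NAME" --image-id imageTag="$IMAGE_TAG"

    # Export the SBOM in CycloneDX format to the KMS-encrypted bucket.
    aws inspector2 create-sbom-export --region "$AWS_REGION" \
        --report-format CYCLONEDX_1_4 \
        --s3-destination "bucketName=$S3_BUCKET,keyPrefix=$S3_PREFIX,kmsKeyArn=$KMS_KEY_ARN" \
        --resource-filter-criteria "ecrRepositoryName=[{comparison=EQUALS,value=$ECR_REPO_NAME}]"

    # Collect the severities of every finding on this image and apply the gate;
    # a non-zero exit here fails the CodeBuild build.
    SEVERITIES=$(aws inspector2 list-findings --region "$AWS_REGION" \
        --filter-criteria "ecrImageRepositoryName=[{comparison=EQUALS,value=$ECR_REPO_NAME}],ecrImageTags=[{comparison=EQUALS,value=$IMAGE_TAG}]" \
        --query 'findings[].severity' --output text)
    severity_gate "$SEVERITIES"
}

# Run the real pipeline only inside CodeBuild (CODEBUILD_BUILD_ID is set there);
# elsewhere the file only defines the functions so the gate can be tested.
if [ -n "${CODEBUILD_BUILD_ID:-}" ]; then
    run_pipeline
fi
```

The gate deliberately consumes a flat list of severities rather than the full findings JSON, so it cannot be confused by fields that merely mention a severity word; the full findings are still available in the console and in the exported SBOM. Step 1 of the page (enabling Inspector scanning for ECR) can also be done from the CLI with `aws ecr put-registry-scanning-configuration --scan-type ENHANCED`, which is the registry-level setting the console toggles.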

Below is the buildspec.yml file that I created -

  6. Now create an AWS CodeBuild project.

Creating a build project in CodeBuild

Creating a connection with GitHub

Define the source

webhook

Define the environment for build.

Select option for buildspec.yml file.

We have successfully created a build project.

Provide appropriate permissions to the service role. I have provided full access to some services for demo purposes. But if your environment is prod, follow the principle of least privilege.

  7. Now create an AWS CodePipeline.

We will choose a creation option

Choose the source, i.e. GitHub, then the repository name and branch

Configure S3 bucket where we will store our artifacts

Review the pipeline configuration

Successfully created the pipeline.

  8. Push a change to the GitHub repo; it will automatically trigger the pipeline.

  9. Wait for the pipeline to execute.

We can see the build has failed.

  10. The build has failed. This should be because it found the high and critical vulnerabilities, which is exactly the check we configured in the buildspec.yml file. Let's verify.

Due to the high number of log lines, the CodeBuild web page is not responding; I am not sure why this is happening.

Let's see the logs in CloudWatch -

We can see that CodeBuild is running on-demand

Updates the packages to the latest versions and installs jq

Exports the variables and does the docker login for ECR

Docker Image creation in progress


Pushing to ECR Repo

Generating the SBOM report and then checking the security findings for high and critical vulnerabilities.

SBOM report pushed to the S3 bucket in CycloneDX format, as we specified.

Generated report - a finding whose CVSS score is 8.8

Generated report - a finding whose CVSS score is 7.5

Similarly there are many other critical and high severity findings.

Some of the findings

In this blog, we explored how to seamlessly integrate Amazon Inspector into an AWS CI/CD pipeline to generate a Software Bill of Materials (SBOM) and perform comprehensive security scans.

Key takeaways include:

  • Efficiently building and pushing Docker images to Amazon ECR.

  • Using Amazon Inspector to generate SBOM reports in CycloneDX format.

  • Implementing a check, i.e. a security gate, that blocks deployments if critical or high-severity vulnerabilities are identified.

  • Storing findings securely in Amazon S3 with KMS encryption for compliance and audit purposes.

Next steps: deploy this pipeline using Terraform!

That's all in this blog, see you next week.

Regards

Sankalp Sandeep Paranjpe

https://www.linkedin.com/in/sankalp-s-paranjpe/
