SBOM Risk Scorer
Overview
CISA CPG 6.1 Supply Chain SBOM Review: analyze CycloneDX or SPDX SBOMs for Vulnerability Debt and gatekeeping evidence. Two extension tools—sbom_vulnerability_debt_summary and critical_component_checker—produce a Vulnerability Debt summary and flag components with End-of-Life (EOL) status or critical CVEs so you can document Accept/Reject criteria and evidence for the gate.
Example Conversation
You: We need to document our Accept/Reject gate for new software per CISA CPG 6.1. We have a CycloneDX SBOM in the repo—summarize the vulnerability debt and flag any EOL or critical CVE components.
Agent: I’ll run sbom_vulnerability_debt_summary on the SBOM to produce the Vulnerability Debt summary, then critical_component_checker to list EOL and critical-CVE components. I’ll use that to draft the Accept/Reject criteria and evidence for your procedure.
Agent: Summary: [debt summary]. Critical component check: [EOL/critical CVE list]. I’ve added a short procedure section that states: Reject if any component is EOL in a critical path or has an unmitigated critical CVE; Accept only after remediation or documented risk acceptance. Attach these reports as evidence.
Output Excerpt
Excerpt from a Vulnerability Debt summary and critical_component_checker report produced by the skill.
sbom_vulnerability_debt_summary (excerpt):
=== SBOM Vulnerability Debt Summary ===
SBOM: sbom.json (CycloneDX 1.5)
Components: 142
Vulnerabilities (embedded): 8 total — Critical: 1, High: 2, Medium: 3, Low: 2
Narrative: One critical CVE in log4j-core; two high in httpclient and jackson-databind. Recommend remediation or risk acceptance before Accept. EOL status should be checked with critical_component_checker.
critical_component_checker report (excerpt):
=== Critical Component Check ===
EOL components: lib-openssl-1.1.1 (lifecycle: end-of-life)
Critical CVE components: org.apache.logging.log4j:log4j-core:2.14.1 (CVE-2021-44228)
Action: Reject until remediated or risk-accepted. Document in procedure and attach this report for CPG 6.1 evidence.
Extension Tools
- sbom_vulnerability_debt_summary — Reads a CycloneDX or SPDX JSON SBOM and outputs the component count plus, when the BOM has embedded vulnerability data (CycloneDX), counts by severity and a short narrative. The counts cover only the vulnerabilities embedded in the BOM at the time it was generated; a BOM with no embedded vulnerability data produces no severity counts, which is not evidence of zero debt and should be followed by a current scan before Accept. Use for CPG 6.1 evidence and Accept/Reject criteria.
- critical_component_checker — Flags components with End-of-Life (EOL) status (from CycloneDX component lifecycle) or critical CVEs (from embedded BOM vulnerabilities). Use to populate the Reject list and to document which components must be remediated or risk-accepted before Accept.
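The following is an added, self-contained example of the logic the two tools above describe, written for this page and not the skill's own code. It parses a constructed CycloneDX 1.5 BOM and a constructed SPDX 2.3 document (embedded inline, not real project SBOMs), counts embedded vulnerabilities by their highest rating, flags EOL and unmitigated-critical components, and derives the Accept/Reject decision stated in the procedure. Two assumptions are labelled in the code: EOL is read from a per-component `properties` entry named `lifecycle` (the CycloneDX core schema has no per-component end-of-life field, so this is a convention, not a standard), and the vulnerability ids other than CVE-2021-44228 are placeholders rather than real CVEs. It also honours CycloneDX `analysis.state` so a finding already marked `not_affected` or `resolved` does not drive a Reject, and it treats a BOM with no embedded vulnerability records as incomplete rather than clean.

```python
import json
from collections import Counter

# Ranking for CycloneDX ratings[].severity; "none"/"unknown" rank lowest.
SEVERITY_RANK = {"critical": 5, "high": 4, "medium": 3, "low": 2,
                 "info": 1, "none": 0, "unknown": 0}
# CycloneDX analysis.state values under which a finding needs no remediation.
MITIGATED_STATES = {"resolved", "resolved_with_pedigree", "not_affected", "false_positive"}

# Constructed CycloneDX 1.5 BOM (not a real project's SBOM). Ids other than
# CVE-2021-44228 are placeholders, not real CVEs. The per-component "lifecycle"
# property is an assumed convention: the core schema has no per-component EOL field.
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "log4j", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "jackson", "name": "jackson-databind", "version": "2.9.8"},
        {"bom-ref": "httpclient", "name": "httpclient", "version": "4.5.2"},
        {"bom-ref": "openssl", "name": "openssl", "version": "1.1.1w",
         "properties": [{"name": "lifecycle", "value": "end-of-life"}]},
    ],
    "vulnerabilities": [
        {"id": "CVE-2021-44228", "ratings": [{"severity": "critical"}],
         "affects": [{"ref": "log4j"}]},
        # Two ratings from different sources: gate on the worst one.
        {"id": "EXAMPLE-0001", "ratings": [{"severity": "medium"}, {"severity": "high"}],
         "affects": [{"ref": "jackson"}]},
        # Critical, but already triaged as not affected: must not trigger Reject.
        {"id": "EXAMPLE-0002", "ratings": [{"severity": "critical"}],
         "analysis": {"state": "not_affected"}, "affects": [{"ref": "httpclient"}]},
        # No ratings at all: counted as unknown, never silently dropped.
        {"id": "EXAMPLE-0003", "affects": [{"ref": "httpclient"}]},
    ],
})

# Constructed SPDX 2.3 document with no embedded vulnerability data.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example",
    "packages": [{"SPDXID": "SPDXRef-Package-a", "name": "zlib", "versionInfo": "1.3.1"},
                 {"SPDXID": "SPDXRef-Package-b", "name": "curl", "versionInfo": "8.9.1"}],
})


def load_sbom(text):
    """Detect the format from the JSON body rather than trusting a file extension."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return "CycloneDX", doc
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "SPDX", doc
    raise ValueError("not a CycloneDX or SPDX JSON document")


def component_label(comp):
    group, name = comp.get("group"), comp.get("name", "?")
    version = comp.get("version") or comp.get("versionInfo") or "?"
    return f"{group}:{name}:{version}" if group else f"{name}:{version}"


def highest_severity(vuln):
    """A record may carry several ratings (NVD, vendor, scanner); gate on the worst."""
    best = "unknown"
    for rating in vuln.get("ratings", []):
        sev = str(rating.get("severity", "unknown")).lower()
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK[best]:
            best = sev
    return best


def is_mitigated(vuln):
    return vuln.get("analysis", {}).get("state") in MITIGATED_STATES


def vulnerability_debt_summary(text):
    """Component count plus, for CycloneDX with embedded records, counts by severity."""
    fmt, doc = load_sbom(text)
    comps = doc.get("components", []) if fmt == "CycloneDX" else doc.get("packages", [])
    summary = {"format": fmt, "components": len(comps), "vulnerabilities": None}
    if fmt == "CycloneDX" and "vulnerabilities" in doc:
        counts = Counter(highest_severity(v) for v in doc["vulnerabilities"])
        summary["vulnerabilities"] = {"total": len(doc["vulnerabilities"]),
                                      **{s: counts.get(s, 0) for s in SEVERITY_RANK}}
    return summary


def critical_component_check(text, eol_property="lifecycle"):
    """Flag EOL components and components hit by an unmitigated critical vulnerability."""
    fmt, doc = load_sbom(text)
    findings = {"eol": [], "critical_cve": []}
    if fmt != "CycloneDX":
        return findings  # SPDX 2.x has neither a lifecycle field nor embedded vulnerability records
    by_ref = {c["bom-ref"]: c for c in doc.get("components", []) if "bom-ref" in c}
    for comp in doc.get("components", []):
        for prop in comp.get("properties", []):
            if prop.get("name") == eol_property and str(prop.get("value", "")).lower() == "end-of-life":
                findings["eol"].append(component_label(comp))
    for vuln in doc.get("vulnerabilities", []):
        if highest_severity(vuln) != "critical" or is_mitigated(vuln):
            continue
        for target in vuln.get("affects", []):
            comp = by_ref.get(target.get("ref"))
            label = component_label(comp) if comp else str(target.get("ref"))
            findings["critical_cve"].append((label, vuln.get("id", "?")))
    return findings


def gate_decision(summary, findings):
    """Reject on any EOL or unmitigated critical CVE; never Accept on absent data."""
    reasons = [f"EOL: {c}" for c in findings["eol"]]
    reasons += [f"critical {cve} in {c}" for c, cve in findings["critical_cve"]]
    if reasons:
        return "Reject", reasons
    if summary["vulnerabilities"] is None:
        return "Incomplete", ["no embedded vulnerability data; scan the BOM before Accept"]
    return "Accept", []


if __name__ == "__main__":
    for bom in (SAMPLE_CYCLONEDX, SAMPLE_SPDX):
        s, f = vulnerability_debt_summary(bom), critical_component_check(bom)
        print(s, f, gate_decision(s, f), sep="\n")
```

On the constructed CycloneDX BOM this yields 4 components, 4 embedded vulnerabilities (2 critical, 1 high, 1 unknown), one EOL component and one unmitigated critical CVE, so the gate returns Reject; the SPDX document yields 2 packages and no vulnerability data, so the gate returns Incomplete rather than Accept. When attaching output like this as CPG 6.1 evidence, record the scan date of the embedded data alongside it, since the BOM only reflects what was known when it was generated.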
Getting Started
Add your SBOM file (CycloneDX or SPDX JSON) to the project workspace and activate the SBOM Risk Scorer skill. Run the two tools on the SBOM, then use the outputs to document your Supply Chain SBOM Review procedure and Accept/Reject criteria for CPG 6.1.