From 1edfca92012aef80ab6547b430ec3fa358b1b6a6 Mon Sep 17 00:00:00 2001
From: Viktor Petersson
Date: Wed, 7 Jan 2026 10:58:01 +0000
Subject: [PATCH 1/2] Add Syft and Trivy SBOM configurations

- Add Syft v1.39.0 (GitHub Release, linux_amd64)
- Add Trivy v0.68.2 (GitHub Release, bom.json)
- Add corresponding workflow files
- Update README with new project entries
---
 .github/workflows/sbom-syft.yml | 37 ++++++++++++++++++++++++++++++++
 .github/workflows/sbom-trivy.yml | 37 ++++++++++++++++++++++++++++++++
 README.md | 2 ++
 apps/syft/config.yaml | 24 +++++++++++++++++++++
 apps/trivy/config.yaml | 24 +++++++++++++++++++++
 5 files changed, 124 insertions(+)
 create mode 100644 .github/workflows/sbom-syft.yml
 create mode 100644 .github/workflows/sbom-trivy.yml
 create mode 100644 apps/syft/config.yaml
 create mode 100644 apps/trivy/config.yaml

diff --git a/.github/workflows/sbom-syft.yml b/.github/workflows/sbom-syft.yml
new file mode 100644
index 0000000..33f9284
--- /dev/null
+++ b/.github/workflows/sbom-syft.yml
@@ -0,0 +1,37 @@
+# SBOM workflow for Syft
+#
+# Triggers when syft version or config is updated.
+# Downloads SBOM from GitHub releases (per-architecture).
+#
+# https://github.com/anchore/syft
+
+name: "SBOM: syft"
+
+on:
+ push:
+ branches:
+ - master
+ paths:
+ - 'apps/syft/config.yaml'
+ - '.github/workflows/sbom-syft.yml'
+
+ workflow_dispatch:
+ inputs:
+ dry_run:
+ description: 'Run in dry-run mode (no upload)'
+ required: false
+ type: boolean
+ default: false
+
+jobs:
+ build:
+ uses: ./.github/workflows/sbom-builder.yml
+ with:
+ app: syft
+ dry_run: ${{ github.event.inputs.dry_run == 'true' }}
+ secrets: inherit
+ permissions:
+ id-token: write
+ contents: read
+ attestations: write
+
diff --git a/.github/workflows/sbom-trivy.yml b/.github/workflows/sbom-trivy.yml
new file mode 100644
index 0000000..f746946
--- /dev/null
+++ b/.github/workflows/sbom-trivy.yml
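Review bot: `secrets: inherit` on the `build` job hands every repository and organization secret to the called `./.github/workflows/sbom-builder.yml`, although the job only needs whatever the builder uses to upload; listing those explicitly under `secrets:` keeps the reusable workflow's access scoped and stops any secret added to the repo later from becoming reachable from this job by default. Which secrets the builder reads is not visible here, so the exact list has to come from `sbom-builder.yml`. The `permissions` block (`id-token: write`, `contents: read`, `attestations: write`) is already minimal and should stay as is. The same `secrets: inherit` appears in the identical `build` job of `.github/workflows/sbom-trivy.yml` in the next hunk.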
@@ -0,0 +1,37 @@
+# SBOM workflow for Trivy
+#
+# Triggers when trivy version or config is updated.
+# Downloads SBOM from GitHub releases.
+#
+# https://github.com/aquasecurity/trivy
+
+name: "SBOM: trivy"
+
+on:
+ push:
+ branches:
+ - master
+ paths:
+ - 'apps/trivy/config.yaml'
+ - '.github/workflows/sbom-trivy.yml'
+
+ workflow_dispatch:
+ inputs:
+ dry_run:
+ description: 'Run in dry-run mode (no upload)'
+ required: false
+ type: boolean
+ default: false
+
+jobs:
+ build:
+ uses: ./.github/workflows/sbom-builder.yml
+ with:
+ app: trivy
+ dry_run: ${{ github.event.inputs.dry_run == 'true' }}
+ secrets: inherit
+ permissions:
+ id-token: write
+ contents: read
+ attestations: write
+
diff --git a/README.md b/README.md
index e218352..da506cc 100644
--- a/README.md
+++ b/README.md
@@ -25,6 +25,8 @@ Each app has its own folder with version tracking. When you bump the `version` i
 | [Keycloak](https://github.com/keycloak/keycloak) | Backend | Lockfile (pom.xml) | [![SBOM](https://github.com/sbomify/library/actions/workflows/sbom-keycloak.yml/badge.svg)](https://github.com/sbomify/library/actions/workflows/sbom-keycloak.yml) | [![sbomify](https://sbomify.com/assets/images/logo/badge.svg)](https://library.sbomify.com/product/keycloak/) |
 | [Keycloak](https://github.com/keycloak/keycloak) | JS | Lockfile (pnpm) | [![SBOM](https://github.com/sbomify/library/actions/workflows/sbom-keycloak-js.yml/badge.svg)](https://github.com/sbomify/library/actions/workflows/sbom-keycloak-js.yml) | [![sbomify](https://sbomify.com/assets/images/logo/badge.svg)](https://library.sbomify.com/product/keycloak/) |
 | [OSV Scanner](https://github.com/google/osv-scanner) | OSV Scanner | Lockfile | [![SBOM](https://github.com/sbomify/library/actions/workflows/sbom-osv-scanner.yml/badge.svg)](https://github.com/sbomify/library/actions/workflows/sbom-osv-scanner.yml) | [![sbomify](https://sbomify.com/assets/images/logo/badge.svg)](https://library.sbomify.com/product/osv-scanner/) |
+| [Syft](https://github.com/anchore/syft) | Syft | GitHub Release | [![SBOM](https://github.com/sbomify/library/actions/workflows/sbom-syft.yml/badge.svg)](https://github.com/sbomify/library/actions/workflows/sbom-syft.yml) | [![sbomify](https://sbomify.com/assets/images/logo/badge.svg)](https://library.sbomify.com/product/syft/) |
+| [Trivy](https://github.com/aquasecurity/trivy) | Trivy | GitHub Release | [![SBOM](https://github.com/sbomify/library/actions/workflows/sbom-trivy.yml/badge.svg)](https://github.com/sbomify/library/actions/workflows/sbom-trivy.yml) | [![sbomify](https://sbomify.com/assets/images/logo/badge.svg)](https://library.sbomify.com/product/trivy/) |
 ## Directory Structure
diff --git a/apps/syft/config.yaml b/apps/syft/config.yaml
new file mode 100644
index 0000000..ada0004
--- /dev/null
+++ b/apps/syft/config.yaml
@@ -0,0 +1,24 @@
+# Syft SBOM Configuration
+#
+# Syft is a CLI tool and library for generating a Software Bill of Materials
+# from container images and filesystems.
+#
+# SBOM source: GitHub releases (per-architecture SBOM)
+# https://github.com/anchore/syft
+
+name: syft
+version: "1.39.0"
+
+format: syft-json
+
+source:
+ type: github_release
+ repo: "anchore/syft"
+ asset: "syft_${version}_linux_amd64.sbom"
+ tag_prefix: "v"
+
+sbomify:
+ component_id: "AGWWwQ5T2dP1"
+ component_name: "Syft"
+ product_id: "JaBHDMM1gmuZ"
+
diff --git a/apps/trivy/config.yaml b/apps/trivy/config.yaml
new file mode 100644
index 0000000..691af27
--- /dev/null
+++ b/apps/trivy/config.yaml
@@ -0,0 +1,24 @@
+# Trivy SBOM Configuration
+#
+# Trivy is a comprehensive security scanner that finds vulnerabilities,
+# misconfigurations, secrets, and SBOMs.
+#
+# SBOM source: GitHub releases
+# https://github.com/aquasecurity/trivy
+
+name: trivy
+version: "0.68.2"
+
+format: cyclonedx
+
+source:
+ type: github_release
+ repo: "aquasecurity/trivy"
+ asset: "bom.json"
+ tag_prefix: "v"
+
+sbomify:
+ component_id: "D1h5y3TC4GqX"
+ component_name: "Trivy"
+ product_id: "X7qe2Jyf9r29"
+

From 7390bdd314439199ee6eddfc6bdcfc60d8948048 Mon Sep 17 00:00:00 2001
From: Viktor Petersson
Date: Wed, 7 Jan 2026 11:09:12 +0000
Subject: [PATCH 2/2] Use lockfile for Syft

---
 README.md | 2 +-
 apps/syft/config.yaml | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index da506cc..d254530 100644
--- a/README.md
+++ b/README.md
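Review bot: Both new `github_release` sources select the release asset by name only — `asset: "syft_${version}_linux_amd64.sbom"` in `apps/syft/config.yaml` and `asset: "bom.json"` in `apps/trivy/config.yaml` — and nothing in either config ties the download to a digest, so the attestation produced downstream vouches for whatever file the tag serves at fetch time (the Syft entry is replaced by a lockfile source in the next patch, so this mainly concerns Trivy). Whether the builder verifies assets against a release checksums file is not visible here; if it can, the config should express that, and if it cannot, the `# SBOM source:` comment should state that the SBOM is taken as published upstream rather than generated here. The Trivy header comment `# misconfigurations, secrets, and SBOMs.` also reads as if Trivy discovers SBOMs; `# misconfigurations and secrets, and generates SBOMs.` says what is meant.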
@@ -25,7 +25,7 @@ Each app has its own folder with version tracking. When you bump the `version` i
 | [Keycloak](https://github.com/keycloak/keycloak) | Backend | Lockfile (pom.xml) | [![SBOM](https://github.com/sbomify/library/actions/workflows/sbom-keycloak.yml/badge.svg)](https://github.com/sbomify/library/actions/workflows/sbom-keycloak.yml) | [![sbomify](https://sbomify.com/assets/images/logo/badge.svg)](https://library.sbomify.com/product/keycloak/) |
 | [Keycloak](https://github.com/keycloak/keycloak) | JS | Lockfile (pnpm) | [![SBOM](https://github.com/sbomify/library/actions/workflows/sbom-keycloak-js.yml/badge.svg)](https://github.com/sbomify/library/actions/workflows/sbom-keycloak-js.yml) | [![sbomify](https://sbomify.com/assets/images/logo/badge.svg)](https://library.sbomify.com/product/keycloak/) |
 | [OSV Scanner](https://github.com/google/osv-scanner) | OSV Scanner | Lockfile | [![SBOM](https://github.com/sbomify/library/actions/workflows/sbom-osv-scanner.yml/badge.svg)](https://github.com/sbomify/library/actions/workflows/sbom-osv-scanner.yml) | [![sbomify](https://sbomify.com/assets/images/logo/badge.svg)](https://library.sbomify.com/product/osv-scanner/) |
-| [Syft](https://github.com/anchore/syft) | Syft | GitHub Release | [![SBOM](https://github.com/sbomify/library/actions/workflows/sbom-syft.yml/badge.svg)](https://github.com/sbomify/library/actions/workflows/sbom-syft.yml) | [![sbomify](https://sbomify.com/assets/images/logo/badge.svg)](https://library.sbomify.com/product/syft/) |
+| [Syft](https://github.com/anchore/syft) | Syft | Lockfile | [![SBOM](https://github.com/sbomify/library/actions/workflows/sbom-syft.yml/badge.svg)](https://github.com/sbomify/library/actions/workflows/sbom-syft.yml) | [![sbomify](https://sbomify.com/assets/images/logo/badge.svg)](https://library.sbomify.com/product/syft/) |
 | [Trivy](https://github.com/aquasecurity/trivy) | Trivy | GitHub Release | [![SBOM](https://github.com/sbomify/library/actions/workflows/sbom-trivy.yml/badge.svg)](https://github.com/sbomify/library/actions/workflows/sbom-trivy.yml) | [![sbomify](https://sbomify.com/assets/images/logo/badge.svg)](https://library.sbomify.com/product/trivy/) |
 ## Directory Structure
diff --git a/apps/syft/config.yaml b/apps/syft/config.yaml
index ada0004..21acea4 100644
--- a/apps/syft/config.yaml
+++ b/apps/syft/config.yaml
@@ -3,18 +3,19 @@
 # Syft is a CLI tool and library for generating a Software Bill of Materials
 # from container images and filesystems.
 #
-# SBOM source: GitHub releases (per-architecture SBOM)
+# SBOM source: Lockfile (go.mod from GitHub release)
 # https://github.com/anchore/syft
 name: syft
 version: "1.39.0"
-format: syft-json
+# cdxgen generates CycloneDX SBOMs from the Go lockfile
+format: cyclonedx
 source:
- type: github_release
+ type: lockfile
 repo: "anchore/syft"
- asset: "syft_${version}_linux_amd64.sbom"
+ lockfile: "go.mod"
 tag_prefix: "v"
 sbomify:
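Review bot: Switching `apps/syft/config.yaml` to `type: lockfile` leaves the header comment of `.github/workflows/sbom-syft.yml` from the previous patch stale — it still reads `# Downloads SBOM from GitHub releases (per-architecture).` while this hunk changes the config to `# SBOM source: Lockfile (go.mod from GitHub release)`; the workflow comment should be updated to match, e.g. `# Generates a CycloneDX SBOM from the go.mod of the tagged release.`. Also, `lockfile: "go.mod"` pins module versions but the module hashes live in `go.sum`, which this config does not reference; whether the builder fetches `go.sum` alongside it is not visible here and is worth confirming, since otherwise the generated components may carry no hashes. The README row updated in this patch now reads `Lockfile`, consistent with the OSV Scanner entry above it.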