InfiniteSolutions

Delivery Systems

Dependencies & SBOM

Source: content/manual/02-12factor/chapters/02-dependencies-and-sbom.md

Purpose and scope

Track and gate dependency risks with SBOMs and policy checks.

Outcomes

Fresh SBOMs on every build.
Merge gates for critical advisories.
Exception registry with review dates.

Signals of trouble

Untracked transitive dependencies.
Emergency patching due to late discovery.
Unknown license exposure.

Remediation steps

Generate CycloneDX SBOMs in CI; publish as artifacts.
Gate merges on advisories; record exceptions with expiry.
Alert on stale SBOMs and unscanned images.

Checklists and assets

playbooks/12factor-modernized/checklist.md SBOM steps.

References

Supply-chain security guidelines; SCA tool docs.