Building Trust in Every Artifact with SBOMs
2025-11-08, Crystal Dining Room

Software Bills of Materials (SBOMs) are no longer a nice-to-have; they're quickly becoming table stakes for secure software delivery. But generating SBOMs is just the start. How do you manage them at scale across thousands of artifacts, teams, and environments? How do you ensure they're accurate, tamper-proof, and usable in real-world pipelines?

We will walk users through integrating SBOM generation, storage, and validation into a modern CI/CD workflow using cloud-native tooling.

  • Best practices for generating SBOMs for containers
  • Securely storing and indexing SBOMs alongside your artifacts
  • Validating artifacts against SBOM data before deployment
  • Using SBOMs in incident response, compliance, and auditing

The session gives attendees a clear roadmap for making SBOMs a first-class citizen in their pipelines, along with a real-world example of how Cloudsmith integrates CNCF projects like Trivy with OSS projects like CycloneDX, Syft and Grype for automated SBOM generation.

The talk offers clear, actionable guidance for integrating SBOMs into real-world pipelines using cloud-native tooling, specifically Cosign, Kyverno and Kubewarden.
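The validation step above (checking an artifact against its SBOM before deployment) and the incident-response use of stored SBOMs come down to a few concrete checks. The following is an added example, not code from the talk or from Cloudsmith: it builds a small constructed CycloneDX document bound to a constructed artifact by SHA-256, gates deployment on the digest matching and on every component carrying a purl, and shows the kind of lookup ("which images contain this package?") that an SBOM index enables during an incident. All image names, package names and versions are placeholders.

```python
"""Pre-deployment SBOM gate and an incident-response lookup over stored SBOMs.

Added example, not code from the talk or from Cloudsmith. The SBOM documents
and artifact bytes are constructed for illustration; in a pipeline the SBOM
would come from a generator such as Syft and the artifact digest from the
registry.
"""
import hashlib
import json
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the artifact (think: an OCI image manifest) that
# the SBOM describes.
ARTIFACT_BYTES = b'{"schemaVersion": 2, "note": "constructed example manifest"}'


def make_sbom(image: str, components: list, artifact: bytes) -> str:
    """Build a minimal CycloneDX 1.5 JSON document whose subject hash is bound
    to the given artifact bytes (constructed; a real SBOM has many more fields)."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {
                "type": "container",
                "name": image,
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(artifact)}],
            }
        },
        "components": components,
    })


# Constructed component entries; names and versions are placeholders.
COMPONENTS = [
    {"type": "library", "name": "libfoo", "version": "1.0-1",
     "purl": "pkg:deb/debian/libfoo@1.0-1"},
    {"type": "library", "name": "barlib", "version": "2.4.0",
     "purl": "pkg:pypi/barlib@2.4.0"},
]
SBOM_JSON = make_sbom("registry.example/app:1.2.3", COMPONENTS, ARTIFACT_BYTES)


def subject_sha256(sbom: dict) -> Optional[str]:
    """SHA-256 the SBOM claims for the artifact it describes, if any."""
    component = sbom.get("metadata", {}).get("component", {})
    for h in component.get("hashes", []):
        if h.get("alg") == "SHA-256":
            return h.get("content", "").lower()
    return None


def validate_artifact(sbom_text: str, artifact: bytes) -> list:
    """Return policy findings; an empty list means the deployment gate passes.

    Checks: the document is CycloneDX, its subject hash matches the artifact
    actually being deployed (so a swapped or modified image is rejected), and
    every component carries a purl so downstream scanners can identify it.
    """
    findings = []
    try:
        sbom = json.loads(sbom_text)
    except json.JSONDecodeError as exc:
        return [f"SBOM is not valid JSON: {exc}"]
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("document is not a CycloneDX SBOM")
    expected = subject_sha256(sbom)
    actual = sha256_hex(artifact)
    if expected is None:
        findings.append("SBOM records no SHA-256 for its subject artifact")
    elif expected != actual:
        findings.append(f"artifact digest {actual} does not match SBOM subject {expected}")
    components = sbom.get("components", [])
    if not components:
        findings.append("SBOM lists no components")
    for idx, comp in enumerate(components):
        if not comp.get("purl"):
            findings.append(f"component #{idx} ({comp.get('name', '?')}) has no purl")
    return findings


def deploy_allowed(sbom_text: str, artifact: bytes) -> bool:
    return not validate_artifact(sbom_text, artifact)


def images_containing(sbom_index: dict, purl_prefix: str) -> list:
    """Incident-response lookup: which stored SBOMs (keyed by image) list a
    component whose purl starts with purl_prefix, e.g. 'pkg:pypi/barlib@'."""
    hits = []
    for image, text in sbom_index.items():
        sbom = json.loads(text)
        if any(c.get("purl", "").startswith(purl_prefix)
               for c in sbom.get("components", [])):
            hits.append(image)
    return sorted(hits)


if __name__ == "__main__":
    print("gate passes:", deploy_allowed(SBOM_JSON, ARTIFACT_BYTES))
    tampered = ARTIFACT_BYTES.replace(b"constructed", b"tampered")
    print("tampered artifact findings:", validate_artifact(SBOM_JSON, tampered))
```

The digest binding is what makes the SBOM useful as evidence rather than decoration: an SBOM that is stored next to an artifact but not tied to its digest can be attached to the wrong image without anyone noticing. In a real pipeline the same check would read the digest from the registry and the SBOM from an attached attestation, and the lookup function would run over the registry's SBOM index rather than an in-memory dict.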

As the cloud-native ecosystem continues to mature, supply chain security is becoming a critical concern, not just for security teams but for developers and platform engineers as well.

By sharing practical techniques for generating, storing, and validating SBOMs, we would like to:

  • Help teams improve the security and transparency of their build and release processes
  • Encourage adoption of open standards like SPDX, CycloneDX, and in-toto
  • Stress why Trivy has become a standard for vulnerability scanning in cloud-native environments
  • Highlight the value of OCI-native approaches to artifact metadata, promoting registry-driven workflows
  • Build an understanding of how DevOps and DevSecOps teams can respond more quickly and confidently to emerging threats
  • Empower organizations to meet growing compliance demands without slowing down software delivery

SBOMs are a powerful emerging tool that development teams have not yet fully adopted. We want to help expand their usage.

Nigel Douglas is the Head of Developer Relations at Cloudsmith. He champions Cloudsmith’s developer ecosystem by creating compelling educational content, engaging with developer communities, and promoting Cloudsmith as the go-to solution for artifact management and supply chain security. Working closely with product, engineering, and marketing teams, Nigel helps build and shape the DevOps community through events, tutorials, and innovative programs.

Before joining Cloudsmith, Nigel held similar roles in cloud-native OSS projects, including the CNCF graduated project Falco at Sysdig and Project Calico at Tigera. He earned a Master of Science in Cybersecurity, Privacy, and Trust from South East Technological University in Ireland.