qa-sbom
SBOM generation + container image scanning + vuln prioritization: 7 skills (cyclonedx-format, grype-scanning, sbom-diff, spdx-format, syft-generation, trivy-image, vex-author) and 1 agent (vuln-prioritizer). Required for US EO 14028 + EU CRA + FDA medical-device guidance.
Install this plugin
/plugin install qa-sbom@testland-qa
Part of role bundle: qa-role-security
qa-sbom
SBOM (Software Bill of Materials) generation + container image vulnerability scanning + multi-tool prioritization. Three scanner skills (Syft for SBOM generation, Grype for SBOM-aware scanning, Trivy for all-in-one container scanning), two reference skills (CycloneDX + SPDX format specs), two workflow skills (sbom-diff for release-to-release component drift, vex-author for OpenVEX suppressions), and an adversarial prioritizer agent that combines CVSS + EPSS + CISA KEV + VEX assertions.
Required for US EO 14028 (Federal procurement), EU CRA, FDA medical-device guidance, and most enterprise supply-chain audits.
Components
| Type | Name | Description |
|---|---|---|
| Skill | syft-generation | Anchore Syft SBOM generation; OCI/Docker/Singularity images, dirs, archives; CycloneDX/SPDX/Syft/GitHub-JSON output; cosign attestation |
| Skill | grype-scanning | Anchore Grype vuln scanner; SBOM-aware (grype sbom:./sbom.json); EPSS/KEV/risk-score prioritization built-in; OpenVEX support |
| Skill | cyclonedx-format | CycloneDX v1.6 spec reference: components, dependencies, services, vulnerabilities (VEX-equivalent), formulation, ML BOMs, per-language tooling |
| Skill | spdx-format | SPDX 2.3 + 3.0 spec reference: packages, files, relationships, licenses (canonical license-ID source); preferred by US Federal procurement |
| Skill | trivy-image | Aqua Trivy all-in-one container scanner: vuln + secret + misconfig + license in one pass; --ignore-unfixed actionable filter; .trivyignore + VEX |
| Agent | vuln-prioritizer | Adversarial multi-scanner prioritizer (Grype + Trivy + Snyk + OSV-SBOM); CVSS + EPSS + KEV + VEX-status into Fix-Now/This-Sprint/Backlog/Accept-Risk; refuses to waive CISA KEV CVEs |
| Skill | sbom-diff | Diff two SBOMs to detect net-new / removed / version-changed components between releases. |
| Skill | vex-author | Author and validate OpenVEX documents (not_affected justifications) that vuln-prioritizer consumes. |
Install
/plugin marketplace add testland/qa
/plugin install qa-sbom@testland-qa
Skills
cyclonedx-format
Reference for the CycloneDX v1.6 SBOM specification - the OWASP-curated format covering software components, services, dependencies, vulnerabilities (its VEX-equivalent), formulation, machine-learning models (ML-BOM), and SaaS BOMs; supports XML / JSON / Protobuf encodings; per-language tooling (the CycloneDX generator family) for npm, pip, Maven, Gradle, Go, etc.; integrates with CI via a generate + sign + attest workflow. Use when the team adopts CycloneDX as its primary SBOM format (preferred for security-focused use cases; SPDX is the licensing-focused alternative).
grype-scanning
Scans for vulnerabilities using Anchore Grype: `grype sbom:./sbom.json` / `grype <image>` / `grype dir:./` across OS-package + language-package ecosystems (Alpine / Debian / Ubuntu / RHEL / Amazon Linux / Ruby / Java / JavaScript / Python / .NET / Go / PHP / Rust). `.grype.yaml` per-CVE and per-package ignore rules with mandatory `expires:` dates and reachability justification (the Grype-native suppression path, distinct from standalone VEX document authoring in vex-author); EPSS + KEV + risk-score prioritization; OpenVEX assertion filtering; `--fail-on high/critical` CI gate. Use when the team wants Grype-native vuln scanning, or pairs with Syft (syft-generation) for an SBOM-driven workflow.
sbom-diff
Compares two CycloneDX or SPDX SBOMs to surface net-new, removed, and version-changed components between image or build versions; uses cyclonedx-cli diff for structured output and syft-based generation for the input SBOMs; gates CI on net-new component introduction; enables supply-chain alerting when unexpected dependencies appear across releases. Use when the team needs to detect dependency drift between container image builds, release candidates, or dependency-update branches.
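The classification sbom-diff produces (net-new / removed / version-changed) depends on keying components by a version-independent identity rather than by name. The block below is an added example, not the plugin's code and not cyclonedx-cli: it strips the version, qualifiers and subpath from each component's purl, walks nested components, and applies the same CI gate on net-new components. Both BOMs are constructed inline to stand in for syft output of two image builds.

```python
"""Diff two CycloneDX JSON SBOMs by version-independent purl identity.

Added example (not the qa-sbom plugin's own code, not cyclonedx-cli).
SBOM_OLD / SBOM_NEW are constructed stand-ins for syft output.
"""
import json
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed CycloneDX 1.6 JSON, trimmed to the fields the diff needs.
SBOM_OLD = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13-1~deb12u1",
         "purl": "pkg:deb/debian/openssl@3.0.13-1~deb12u1?arch=amd64&distro=debian-12"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        # CycloneDX allows nested components (here: a tool that vendors a lib).
        {"type": "application", "name": "cli-tool", "version": "1.0.0",
         "purl": "pkg:npm/cli-tool@1.0.0",
         "components": [{"type": "library", "name": "minimist", "version": "1.2.5",
                         "purl": "pkg:npm/minimist@1.2.5"}]},
    ],
})
SBOM_NEW = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.15-1~deb12u1",
         "purl": "pkg:deb/debian/openssl@3.0.15-1~deb12u1?arch=amd64&distro=debian-12"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "application", "name": "cli-tool", "version": "2.0.0",
         "purl": "pkg:npm/cli-tool@2.0.0",
         "components": [{"type": "library", "name": "minimist", "version": "1.2.8",
                         "purl": "pkg:npm/minimist@1.2.8"}]},
    ],
})


def _walk(components: Iterable[dict]) -> Iterator[dict]:
    """Yield every component, descending into nested `components` arrays."""
    for comp in components:
        yield comp
        yield from _walk(comp.get("components", []))


def _purl_base(comp: dict) -> str:
    """purl with the `?qualifiers` and `#subpath` parts removed."""
    return comp.get("purl", "").split("#", 1)[0].split("?", 1)[0]


def component_key(comp: dict) -> str:
    """Version-independent identity: pkg:npm/left-pad@1.3.0 -> pkg:npm/left-pad.
    The '@' before the version is the only unencoded '@' in a purl, so a
    right-split is safe (scoped npm names carry it as %40). Falls back to
    type:name when the component has no purl."""
    base = _purl_base(comp)
    if not base:
        return f"{comp.get('type', 'unknown')}:{comp['name']}"
    return base.rsplit("@", 1)[0] if "@" in base else base


def component_version(comp: dict) -> str:
    base = _purl_base(comp)
    return base.rsplit("@", 1)[1] if "@" in base else comp.get("version", "")


def index_components(sbom_json: str) -> Dict[str, str]:
    """Map identity -> version. If a BOM carries two versions of one package,
    the last one wins; switch the value to a set if that matters to you."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX JSON BOM")
    return {component_key(c): component_version(c) for c in _walk(sbom.get("components", []))}


def diff_sboms(old_json: str, new_json: str) -> dict:
    old, new = index_components(old_json), index_components(new_json)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": {k: (old[k], new[k]) for k in sorted(old.keys() & new.keys())
                    if old[k] != new[k]},
    }


def net_new_violations(diff: dict, allowlist: Tuple[str, ...] = ()) -> List[str]:
    """CI gate: net-new components not on the allowlist fail the build."""
    return [k for k in diff["added"] if k not in allowlist]


if __name__ == "__main__":
    d = diff_sboms(SBOM_OLD, SBOM_NEW)
    print(json.dumps(d, indent=2))
    print("gate violations:", net_new_violations(d))
```

Version changes are reported for nested components too, which is what you want when a vendored dependency is bumped without the wrapping application changing its own version.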
spdx-format
Reference for the SPDX (Software Package Data Exchange) v2.3 + v3.0 SBOM specification - Linux Foundation-curated, license-focused format covering packages, files, snippets, relationships, license declarations, and (in 3.0) AI / dataset / build / security profiles; supports Tag-Value / JSON / YAML / RDF / Spreadsheet encodings; preferred by US Federal procurement (NIST guidance) and Linux distros. Use when the team's SBOM consumer requires SPDX format (federal procurement, Linux Foundation members, license-compliance focus).
syft-generation
Generates Software Bill of Materials (SBOMs) using Anchore Syft - supports container images / directories / archives across OCI / Docker / Singularity formats; output formats CycloneDX-JSON / SPDX-JSON / Syft-JSON / table / GitHub-JSON; pairs with `grype-scanning` for SBOM-driven vuln scanning. Use when the team needs SBOM artifacts for compliance (US EO 14028, EU CRA, FDA medical-device guidance) or as input to vuln scanners.
trivy-image
Configures and runs Trivy for container image scanning: Aqua Security's all-in-one scanner combining vuln + secret + misconfiguration + license detection in one pass; `trivy image <image>` with --severity HIGH,CRITICAL filter; --format sarif/json (incl. scan-embedded CycloneDX; for standalone SBOM generation see syft-generation + cyclonedx-format); .trivyignore CVE suppression file; --ignore-unfixed for actionable filter; --scanners vuln/misconfig/license/secret toggle. Use when the team wants a single tool covering container image security across multiple dimensions, not for producing a standalone CycloneDX SBOM.
vex-author
Authors and validates OpenVEX documents - produces `not_affected`, `affected`, `fixed`, and `under_investigation` statements with justification codes using `vexctl create`; attaches VEX assertions to container images; outputs `.openvex.json` files consumed by `vuln-prioritizer`'s VEX-filter path. Use when a scanner flags a CVE that analysis confirms is not exploitable in your deployment, and a machine-readable `not_affected` assertion is needed to suppress false positives without discarding the finding from the audit trail.
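The vuln-prioritizer table entry and the vex-author description together define a pipeline: validate an OpenVEX document, match its statements to scanner findings by CVE and product purl, and sort what remains into Fix-Now / This-Sprint / Backlog / Accept-Risk with KEV membership overriding any `not_affected` waiver. The block below is an added example of that logic, not the agent's own code. The bucket thresholds are assumptions chosen for illustration; the findings, the KEV subset and the VEX document are constructed inline (CVE identifiers are real, the CVSS/EPSS numbers are illustrative, not authoritative).

```python
"""Triage findings with CVSS + EPSS + CISA KEV + OpenVEX (added example).

Not the vuln-prioritizer agent's code. Thresholds are assumed; sample data
is constructed (real CVE ids, illustrative scores).
"""
import json
from typing import Dict, List, Set, Tuple

VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
# OpenVEX justification codes permitted on a not_affected statement.
VALID_JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed OpenVEX document in the shape `vexctl create` emits (@id assumed).
VEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.com/vex/qa-sbom-demo-1",
    "author": "appsec@example.com", "timestamp": "2024-09-01T00:00:00Z", "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-2021-44228"},
         "products": [{"@id": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-2023-45853"},
         "products": [{"@id": "pkg:deb/debian/zlib1g@1:1.2.13.dfsg-1"}],
         "status": "not_affected", "justification": "component_not_present",
         "impact_statement": "minizip is not built into this zlib1g package"},
    ],
})
# Same statement with the justification dropped: the validator must reject it.
INVALID_VEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "statements": [{"vulnerability": {"name": "CVE-2023-45853"},
                    "products": [{"@id": "pkg:deb/debian/zlib1g@1:1.2.13.dfsg-1"}],
                    "status": "not_affected"}],
})
KEV: Set[str] = {"CVE-2021-44228"}  # constructed subset of the CISA KEV catalog
FINDINGS = [  # constructed merged scanner output; scores illustrative
    {"cve": "CVE-2021-44228", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "cvss": 10.0, "epss": 0.97, "fixed_version": "2.17.1"},
    {"cve": "CVE-2023-45853", "purl": "pkg:deb/debian/zlib1g@1:1.2.13.dfsg-1",
     "cvss": 9.8, "epss": 0.003, "fixed_version": None},
    {"cve": "CVE-2024-6387", "purl": "pkg:deb/debian/openssh-server@1:9.2p1-2+deb12u2",
     "cvss": 8.1, "epss": 0.05, "fixed_version": "1:9.2p1-2+deb12u3"},
    {"cve": "CVE-2023-5752", "purl": "pkg:pypi/pip@23.2.1",
     "cvss": 3.3, "epss": 0.0004, "fixed_version": "23.3"},
]


def load_openvex(doc_json: str) -> Dict[Tuple[str, str], dict]:
    """Validate and index statements by (CVE, product purl). A not_affected
    statement must carry a justification or an impact_statement."""
    doc = json.loads(doc_json)
    if not str(doc.get("@context", "")).startswith("https://openvex.dev/ns/"):
        raise ValueError("not an OpenVEX document")
    index: Dict[Tuple[str, str], dict] = {}
    for st in doc.get("statements", []):
        cve, status = st["vulnerability"]["name"], st.get("status")
        if status not in VALID_STATUSES:
            raise ValueError(f"{cve}: invalid status {status!r}")
        if status == "not_affected":
            just = st.get("justification")
            if just is None and not st.get("impact_statement"):
                raise ValueError(f"{cve}: not_affected needs justification or impact_statement")
            if just is not None and just not in VALID_JUSTIFICATIONS:
                raise ValueError(f"{cve}: unknown justification {just!r}")
        for product in st.get("products", []):
            index[(cve, product["@id"])] = st
    return index


def vex_is_valid(doc_json: str) -> bool:
    try:
        load_openvex(doc_json)
        return True
    except (ValueError, KeyError):
        return False


def triage(finding: dict, kev: Set[str], vex: Dict[Tuple[str, str], dict]) -> dict:
    cve, purl = finding["cve"], finding["purl"]
    st = vex.get((cve, purl))  # exact purl match; no version-range logic here
    status = st["status"] if st else None
    if cve in kev:  # KEV always wins, even over a justified not_affected
        reason = "in CISA KEV" + ("; VEX not_affected waiver refused" if status == "not_affected" else "")
        return {**finding, "bucket": "Fix-Now", "reason": reason}
    if status == "not_affected":
        return {**finding, "bucket": "Accept-Risk",
                "reason": f"VEX not_affected ({st.get('justification') or 'impact_statement'})"}
    if status == "fixed":
        return {**finding, "bucket": "Accept-Risk", "reason": "VEX fixed: scanner hit is stale"}
    # affected / under_investigation / no statement: score it (assumed thresholds).
    cvss, epss = finding["cvss"], finding["epss"]
    bucket = "Fix-Now" if cvss >= 9.0 or epss >= 0.10 else \
             "This-Sprint" if cvss >= 7.0 or epss >= 0.01 else "Backlog"
    reason = f"CVSS {cvss}, EPSS {epss:.4f}"
    if not finding.get("fixed_version"):
        reason += "; no fix available, track upstream"
    return {**finding, "bucket": bucket, "reason": reason}


def prioritize(findings: List[dict], kev: Set[str], vex_json: str) -> Dict[str, List[str]]:
    vex = load_openvex(vex_json)
    buckets: Dict[str, List[str]] = {"Fix-Now": [], "This-Sprint": [], "Backlog": [], "Accept-Risk": []}
    for f in findings:
        t = triage(f, kev, vex)
        buckets[t["bucket"]].append(t["cve"])
    return buckets


if __name__ == "__main__":
    print(json.dumps(prioritize(FINDINGS, KEV, VEX_DOC), indent=2))
```

The Accept-Risk bucket keeps the finding and records the VEX justification, so a suppressed CVE stays in the audit trail instead of vanishing from the report; the KEV override is what stops a `not_affected` statement from quietly waiving a vulnerability known to be exploited in the wild.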