A SaaS platform with multiple microservices needed an automated Software Bill of Materials (SBOM) to answer enterprise customer security questionnaires, track dependencies, and prioritize vulnerability remediation across their stack.
Scope: All production microservices (container images and application dependencies); CI/CD integration for automated SBOM generation; vulnerability correlation (CVE); compliance-oriented reporting. Success criteria: SBOM generated for every build; critical/high CVEs identified and remediated or risk-accepted; template for customer-facing SBOM/compliance responses.
We integrated SBOM tooling (CycloneDX/SPDX) into the build pipeline, mapped dependencies to vulnerability feeds, and produced prioritized remediation lists. Activities included: build-time dependency extraction, container image scanning, CVE matching, prioritization by exploitability and asset criticality, and remediation guidance (upgrade paths, patches).
| Phase | Deliverable |
|---|---|
| Pipeline | SBOM generation in CI; artifact storage and versioning |
| Vulnerability | CVE mapping; severity and exploitability scoring |
| Remediation | Prioritized list; upgrade/patch guidance; retest after fixes |
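The following is an added example, not the engagement's own tooling, showing the vulnerability-correlation and prioritization step described above: it reads CycloneDX-style JSON SBOMs (one per service), parses each component's package URL, matches it against a vulnerability feed by ecosystem, package and version range, and ranks findings by severity, exploitability and asset criticality to produce a remediation list with upgrade targets. The SBOMs, the vulnerability feed (including the `CVE-PLACEHOLDER-*` identifiers and version ranges) and the `ASSET_CRITICALITY` map are all constructed for the example; in a real pipeline the SBOM would come from the CI build and the feed from a source such as NVD or OSV.

```python
"""Correlate CycloneDX SBOMs with a vulnerability feed and prioritize fixes.

Added example; the SBOMs, feed entries, identifiers and criticality map
below are constructed for illustration and are not real advisory data.
"""
import json
import re

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed CycloneDX-style SBOM documents, one per microservice, as a CI
# job would store them as build artifacts. Only the ``components`` array
# (with ``purl`` entries) is needed for matching.
SBOMS = {
    "billing-api": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "lodash", "version": "4.17.20",
             "purl": "pkg:npm/lodash@4.17.20"},
            {"type": "library", "name": "express", "version": "4.18.2",
             "purl": "pkg:npm/express@4.18.2"},
        ],
    }),
    "legacy-report-svc": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
        ],
    }),
    "ml-worker": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "pyyaml", "version": "5.3.1",
             "purl": "pkg:pypi/pyyaml@5.3.1"},
        ],
    }),
}

# Constructed feed entries (placeholder IDs, constructed ranges): an entry
# applies when introduced <= version < fixed. Real feeds carry many ranges
# per advisory; one range each keeps the example short.
VULN_FEED = [
    {"id": "CVE-PLACEHOLDER-0001", "ecosystem": "maven",
     "package": "org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.17.1", "severity": "critical",
     "known_exploited": True},
    {"id": "CVE-PLACEHOLDER-0002", "ecosystem": "npm", "package": "lodash",
     "introduced": "0", "fixed": "4.17.21", "severity": "high",
     "known_exploited": False},
    {"id": "CVE-PLACEHOLDER-0003", "ecosystem": "pypi", "package": "pyyaml",
     "introduced": "0", "fixed": "5.4", "severity": "high",
     "known_exploited": False},
    # Fixed long ago: present to show that a patched version does not match.
    {"id": "CVE-PLACEHOLDER-0004", "ecosystem": "npm", "package": "express",
     "introduced": "0", "fixed": "4.0.0", "severity": "medium",
     "known_exploited": False},
]

# Constructed business-impact weights: customer-facing > internal > batch.
ASSET_CRITICALITY = {"billing-api": 3, "legacy-report-svc": 2, "ml-worker": 1}


def parse_purl(purl):
    """Return (ecosystem, package, version) from a package URL.

    Handles the common shape pkg:type/namespace/name@version?qualifiers#subpath;
    qualifiers and subpath are dropped, and a missing '@version' yields "".
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    ecosystem, _, rest = body.partition("/")
    package, _, version = rest.rpartition("@")
    if not package:          # no '@' present: rpartition put everything in 'version'
        package, version = rest, ""
    return ecosystem, package, version


def version_key(version):
    """Crude numeric key: '2.17.1-rc1' -> (2, 17, 1).

    Non-numeric tails are ignored; adequate for the dotted versions here,
    not a substitute for a real semver / PEP 440 / Maven comparator.
    """
    key = []
    for part in re.split(r"[.\-+]", version):
        if not part.isdigit():
            break
        key.append(int(part))
    return tuple(key)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed under the numeric key."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def match_sbom(service, sbom_json, feed):
    """Match every purl-bearing component of one SBOM against the feed."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue                  # nothing to match without a purl
        ecosystem, package, version = parse_purl(purl)
        for vuln in feed:
            if (vuln["ecosystem"] == ecosystem and vuln["package"] == package
                    and is_affected(version, vuln["introduced"], vuln["fixed"])):
                findings.append({
                    "service": service, "package": package, "version": version,
                    "vuln": vuln["id"], "severity": vuln["severity"],
                    "known_exploited": vuln["known_exploited"],
                    "upgrade_to": vuln["fixed"],   # first fixed version = upgrade path
                })
    return findings


def priority_score(finding, criticality):
    """Severity x exploitability x asset criticality (higher = fix first)."""
    exploit_factor = 2 if finding["known_exploited"] else 1
    return (SEVERITY_WEIGHT[finding["severity"]] * exploit_factor
            * criticality.get(finding["service"], 1))


def remediation_plan(sboms, feed, criticality):
    """Correlate all service SBOMs and return findings sorted by priority."""
    findings = []
    for service, sbom_json in sboms.items():
        findings.extend(match_sbom(service, sbom_json, feed))
    for f in findings:
        f["score"] = priority_score(f, criticality)
    findings.sort(key=lambda f: (-f["score"], f["service"], f["package"]))
    return findings


def summarise(findings):
    """Severity counts for the compliance-style report (e.g. '1 critical, 2 high')."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    plan = remediation_plan(SBOMS, VULN_FEED, ASSET_CRITICALITY)
    for f in plan:
        print(f"{f['score']:>3}  {f['service']:<18} {f['package']} {f['version']}"
              f" -> upgrade to {f['upgrade_to']}  {f['vuln']} ({f['severity']})")
    print(summarise(plan))
```

Because the score multiplies severity by exploitability and by asset criticality, the known-exploited critical finding in the legacy service ranks first even though that service carries a lower business weight than the customer-facing API; the patched express component produces no finding because its version is at or above the fixed version. The version comparator is deliberately simple; a production pipeline should use the ecosystem's own comparison rules rather than a numeric tuple.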
34 findings (2 critical, 8 high, 16 medium, 8 low) across dependencies. Critical: outdated log4j in a legacy service; high: several Node.js/Python packages with known CVEs. We provided upgrade paths and verified fixes; the client remediated within 4 weeks with our support.
"We now have a clear software bill of materials and can respond to customer questionnaires in hours." — VP Product, SaaS Platform
Automating SBOM in CI/CD is essential for scale. Prioritizing by business impact (e.g. customer-facing services first) focused remediation. For similar organizations: adopt a standard (CycloneDX/SPDX); integrate early in pipeline; plan for recurring scans and customer-facing deliverables.
Get a free security assessment and see how we can bring your security posture to manageable levels.