Synadia Platform

Software Bill of Materials

What is it?

The Software Bill of Materials (SBOM) is an inventory of components used in the building of Control Plane. The SBOM provides transparency into software dependencies, including versions and licensing, and allows for easier compliance and vulnerability identification.


The SBOM for Control Plane is published in the SPDX format.

It is available:

Signed Attestation

The attestation stored alongside our OCI image is signed by a Synadia key to allow for verification of authenticity. This can be validated using Sigstore Cosign.

Signature Verification:

cosign verify-attestation \
    --certificate-identity-regexp '^' \
    --certificate-oidc-issuer \ > /dev/null

In the above command, we redirected STDOUT to /dev/null because it contains the complete SBOM as base64-encoded JSON. We are able to decode this if we want to see the SBOM itself.

cosign verify-attestation \
    --certificate-identity-regexp '^' \
    --certificate-oidc-issuer \ \
    | jq -r '.payload' | base64 -d | jq '.predicate.Data | fromjson'