---
checkId: check.verification.sbom.validation
plugin: stellaops.doctor.verification
severity: fail
tags: [verification, sbom, cyclonedx, spdx]
---

# SBOM Validation

## What It Checks

Requires the verification plugin plus a test artifact. In offline mode it looks for CycloneDX or SPDX JSON inside the bundle. In online mode it checks whether `Scanner:SbomGeneration:Enabled` or `Attestor:SbomAttestation:Enabled` is turned on.

The check warns when SBOM generation and attestation are both disabled, and fails when the offline bundle is missing or contains no recognizable SBOM.

## Why It Matters

SBOMs are the input for downstream vulnerability analysis, policy decisions, and customer evidence exports. If SBOM generation is off, release evidence is incomplete.

## Common Causes

- The build pipeline is not producing SBOMs
- SBOM attestation is disabled even though verification expects it
- Offline bundles were exported without `--include-sbom`

## How to Fix

### Docker Compose

```yaml
services:
  doctor-web:
    environment:
      Scanner__SbomGeneration__Enabled: "true"
      Attestor__SbomAttestation__Enabled: "true"
```

For offline mode:

```bash
stella verification bundle export --include-sbom --output /var/lib/stella/verification/offline-bundle.json
```

### Bare Metal / systemd

Enable SBOM generation in the scanner and keep artifact attachments immutable once published.

### Kubernetes / Helm

Mount the same scanner and attestor config into Doctor that the production verification pipeline uses.

## Verification

```bash
stella doctor --check check.verification.sbom.validation
```

## Related Checks

- `check.verification.artifact.pull` - the artifact must be reachable before attached SBOMs can be validated
- `check.verification.policy.engine` - policy rules commonly consume SBOM-derived vulnerability data
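The decision logic described under "What It Checks" (offline: recognize CycloneDX or SPDX JSON in the bundle, fail if the bundle is missing or holds no SBOM; online: warn only when both flags are off), written out as an added Python model that is not StellaOps code. The bundle layout (a top-level `sboms` list of embedded documents) and the `Result` type are assumptions for illustration; the config key names are the ones on this page.

```python
import json
from dataclasses import dataclass
from typing import Optional

@dataclass
class Result:
    status: str  # "pass", "warn" or "fail"
    message: str

def _enabled(value) -> bool:
    # Accepts bools or env-style strings such as "true"/"false".
    return value.strip().lower() in ("true", "1", "yes") if isinstance(value, str) else bool(value)

def detect_sbom_format(doc) -> Optional[str]:
    """Return 'cyclonedx', 'spdx' or None for a parsed JSON document."""
    if not isinstance(doc, dict):
        return None
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    return None

def check_offline(bundle_json: Optional[str]) -> Result:
    """Offline mode: the bundle must exist and embed at least one known SBOM."""
    if bundle_json is None:
        return Result("fail", "offline bundle is missing")
    try:
        bundle = json.loads(bundle_json)
    except json.JSONDecodeError:
        return Result("fail", "offline bundle is not valid JSON")
    # Assumed bundle layout: a top-level "sboms" list of embedded SBOM documents.
    for entry in (bundle.get("sboms", []) if isinstance(bundle, dict) else []):
        fmt = detect_sbom_format(entry)
        if fmt:
            return Result("pass", f"bundle contains a {fmt} SBOM")
    return Result("fail", "bundle contains no recognizable CycloneDX or SPDX JSON")

def check_online(config: dict) -> Result:
    """Online mode: warn only when generation and attestation are both off."""
    gen = _enabled(config.get("Scanner:SbomGeneration:Enabled"))
    att = _enabled(config.get("Attestor:SbomAttestation:Enabled"))
    if not gen and not att:
        return Result("warn", "SBOM generation and attestation are both disabled")
    return Result("pass", f"generation={gen} attestation={att}")

# Constructed sample bundles (not real StellaOps artifacts).
GOOD_BUNDLE = json.dumps({"sboms": [{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}]})
EMPTY_BUNDLE = json.dumps({"sboms": [{"name": "not-an-sbom"}]})
```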