| checkId | plugin | severity | tags |
|---|---|---|---|
| check.verification.sbom.validation | stellaops.doctor.verification | fail | |

# SBOM Validation
## What It Checks

Requires the verification plugin plus a test artifact. In offline mode it looks for CycloneDX or SPDX JSON inside the bundle. In online mode it checks whether `Scanner:SbomGeneration:Enabled` or `Attestor:SbomAttestation:Enabled` is turned on.

The check warns when SBOM generation and attestation are both disabled, and fails when the offline bundle is missing or contains no recognizable SBOM.
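The decision logic described above, written out as an added Python example (not StellaOps code); the `artifacts` list layout of the bundle and the `SAMPLE_BUNDLE` contents are assumptions made for the demo, and SBOM detection relies on the `bomFormat`/`specVersion` fields of CycloneDX JSON and the `spdxVersion` field of SPDX JSON:

```python
import json
from pathlib import Path

# Constructed sample bundle for the demo; the "artifacts" list layout is an assumption.
SAMPLE_BUNDLE = {
    "artifacts": [
        {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []},
        {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "packages": []},
        {"kind": "unrelated-attestation"},  # not an SBOM, must be ignored
    ]
}

def detect_sbom_format(doc):
    """Return 'CycloneDX', 'SPDX', or None for one embedded JSON document."""
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "CycloneDX"
    version = doc.get("spdxVersion")
    if isinstance(version, str) and version.startswith("SPDX-"):
        return "SPDX"
    return None

def check_offline(bundle):
    """Offline mode: fail when the bundle is missing or holds no recognizable SBOM."""
    if bundle is None:
        return ("fail", "offline bundle is missing")
    found = [fmt for doc in bundle.get("artifacts", [])
             if isinstance(doc, dict) and (fmt := detect_sbom_format(doc))]
    if not found:
        return ("fail", "bundle contains no recognizable CycloneDX or SPDX JSON SBOM")
    return ("pass", "found SBOM(s): " + ", ".join(found))

def _enabled(value):
    """Accept booleans or the string forms that environment variables carry."""
    return value is True or str(value).strip().lower() == "true"

def check_online(config):
    """Online mode: warn when generation and attestation are both disabled."""
    generation = _enabled(config.get("Scanner:SbomGeneration:Enabled", False))
    attestation = _enabled(config.get("Attestor:SbomAttestation:Enabled", False))
    if not generation and not attestation:
        return ("warn", "SBOM generation and attestation are both disabled")
    return ("pass", f"generation={generation} attestation={attestation}")

def load_bundle(path):
    """Read a bundle file; None when it does not exist (the 'missing bundle' case)."""
    p = Path(path)
    if not p.is_file():
        return None
    return json.loads(p.read_text(encoding="utf-8"))
```

Running `check_offline(load_bundle(path))` against an exported bundle reproduces the offline verdict; `check_online` takes a flat dict of the two configuration keys.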
## Why It Matters
SBOMs are the input for downstream vulnerability analysis, policy decisions, and customer evidence exports. If SBOM generation is off, release evidence is incomplete.
## Common Causes

- The build pipeline is not producing SBOMs
- SBOM attestation is disabled even though verification expects it
- Offline bundles were exported without `--include-sbom`
## How to Fix

### Docker Compose

```yaml
services:
  doctor-web:
    environment:
      Scanner__SbomGeneration__Enabled: "true"
      Attestor__SbomAttestation__Enabled: "true"
```

For offline mode:

```bash
stella verification bundle export --include-sbom --output /var/lib/stella/verification/offline-bundle.json
```
### Bare Metal / systemd
Enable SBOM generation in the scanner and keep artifact attachments immutable once published.
### Kubernetes / Helm
Mount the same scanner and attestor config into Doctor that the production verification pipeline uses.
## Verification

```bash
stella doctor --check check.verification.sbom.validation
```
## Related Checks

- `check.verification.artifact.pull`: the artifact must be reachable before attached SBOMs can be validated
- `check.verification.policy.engine`: policy rules commonly consume SBOM-derived vulnerability data