Software Bill of Materials

A Software Bill of Materials (SBOM) is a machine-readable inventory of the third-party components that ship inside SentriKat. We publish one for every release so customers and regulators can verify what is running in their environment.

Last updated: 2026-04-16

What we publish

  • Formats: CycloneDX 1.5 (JSON) and SPDX 2.3 (JSON). STIX 2.1 is available on request for customers who export SBOMs downstream.
  • Scope: the backend API (FastAPI + Python), the portal and landing (Astro + Node), the documentation site (MkDocs), and the Docker base images used in production.
  • Generation: produced with syft as part of the release pipeline. Hashes are stored next to the SBOM file so downloads can be verified.
  • Retention: we keep the last five releases publicly downloadable. Older versions are available on request under a signed DPA.

Downloads

SBOMs are attached to each release. The public index will be linked from the changelog once the release pipeline supports signed uploads (target: Q3 2026).

In the meantime, customers and prospects can request the current SBOM by emailing [email protected]. Expect a response within two business days.

Why SBOMs matter

Regulations such as the EU Cyber Resilience Act (mandatory from 11 September 2026), US Executive Order 14028, and customer procurement checklists require vendors to publish an SBOM. A clean SBOM lets your security team:

  • Trace every new CVE to the exact SentriKat version that contains the affected component
  • Feed the SBOM into your own SCA pipeline or SIEM
  • Satisfy NIS2 Annex I, DORA ICT third-party requirements, and ISO/IEC 27001:2022 Annex A 8.28 (secure coding) audits

Verification

Each SBOM archive ships with a detached signature and a SHA-256 hash. Verification instructions are published alongside the download link. If a file you received does not match the published hash, do not install it — report it to [email protected].
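The hash check above, carried through to the point where the verified SBOM is actually consumed, as an added example (not SentriKat's published verification instructions or tooling): the sample CycloneDX 1.5 document, the release version 2.3.0 and the component list are constructed for illustration, and the detached-signature check is assumed to be done separately with whatever tool the published instructions name.

```python
import hashlib
import hmac
import json

# Constructed sample standing in for a downloaded SentriKat SBOM (not a real one).
SBOM_BYTES = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "sentrikat-api", "version": "2.3.0"}},
    "components": [
        {"name": "fastapi", "version": "0.110.0", "purl": "pkg:pypi/fastapi@0.110.0"},
        {"name": "uvicorn", "version": "0.29.0", "purl": "pkg:pypi/uvicorn@0.29.0"},
    ],
}, sort_keys=True).encode()

# In practice this comes from the hash file published next to the download;
# here it is derived from the constructed sample so the example runs offline.
PUBLISHED_SHA256 = hashlib.sha256(SBOM_BYTES).hexdigest()


def verify_sha256(data: bytes, published: str) -> bool:
    """Compare the SHA-256 of the downloaded bytes with the published value.
    Hash files are often 'HEX  filename', so only the first token is used;
    compare_digest keeps the comparison constant-time."""
    expected = published.strip().split()[0].lower()
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def load_components(data: bytes, expected_release: str) -> list:
    """Parse a CycloneDX 1.5 SBOM into a sorted list of package URLs for an
    SCA/SIEM feed, refusing an SBOM that describes a different release."""
    sbom = json.loads(data)
    if sbom.get("bomFormat") != "CycloneDX" or sbom.get("specVersion") != "1.5":
        raise ValueError("not a CycloneDX 1.5 document")
    root = sbom.get("metadata", {}).get("component", {})
    if root.get("version") != expected_release:
        raise ValueError(f"SBOM describes {root.get('version')!r}, expected {expected_release!r}")
    return sorted(c["purl"] for c in sbom.get("components", []) if "purl" in c)


def check_download(data: bytes, published: str, expected_release: str) -> list:
    """Hash first, parse second: a mismatching file is never opened."""
    if not verify_sha256(data, published):
        raise ValueError("SHA-256 mismatch: do not install, report to the vendor")
    return load_components(data, expected_release)


if __name__ == "__main__":
    print(check_download(SBOM_BYTES, PUBLISHED_SHA256, "2.3.0"))
```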