A per-tenant customer portal for SBOM access. Signed CycloneDX and SPDX exports, VEX overlays for known-not-affected findings, expiring share links for ad-hoc requests, and a regulator-grade share workflow when the request comes from a state authority.
Enterprise customer contracts now routinely require an SBOM on request. Most teams treat that requirement as an email-attachment problem, until the ten-thousandth attachment has gone out and nobody can answer "which build was that SBOM from?".
A customer-facing SBOM portal that issues signed exports, ties each download to a release tag, layers VEX statements for the known-not-affected cases, and expires share links is the only sane shape of the workflow at scale.
Add the regulator branch — a state authority demanding the SBOM under a notice — and the workflow must produce evidence that the served file matches the artefact in production, signed and timestamped.
Sending SBOMs as one-off attachments accumulates a sprawl of stale documents that no one can authoritatively reconcile to a release.
A raw SBOM entry naming a vulnerable library version tells the customer little on its own; it needs the accompanying VEX statement that marks the finding not-affected because reachability analysis shows the vulnerable code path is never called.
Long-lived URLs to SBOMs leak: a share link is a bearer credential, and a forwarded copy is indistinguishable from the original recipient's. The acceptable lifetime is hours or days, not forever, yet operational workflows usually default to forever.
When a CERT or sector regulator requests an SBOM, the response must include a signature chain that ties the file to the running artefact.
Each customer relationship gets a scoped portal listing only the SBOMs they are entitled to. Authentication via SSO; permission scoping per release tag.
Every SBOM is exported in both formats (CycloneDX and SPDX), signed with Sigstore and pinned to the artefact digest: the signature proves who produced the file, and the embedded digest proves which build it describes. A verification script ships with every download.
Findings that reachability analysis marks known-not-affected ship as inline VEX statements, so customers don't chase paper criticals.
Ad-hoc share links default to a tenant-set TTL (24h–30d). Regulator requests follow a separate workflow with signature-of-record evidence.
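The VEX overlay described in the feature list and again in the workflow below (reachability findings converted to VEX statements and layered onto the SBOM at export) is shown here as an added example; it is not the product's own code. It assumes the CycloneDX `vulnerabilities[].analysis` structure, and the SBOM, package URLs, finding IDs and reachability results are all constructed placeholders. It also enforces one check a customer-facing export needs: a `not_affected` statement without a justification is rejected rather than silently shipped.

```python
"""Layer reachability-derived VEX statements onto a CycloneDX SBOM.

Added example, not product code. All data is constructed: placeholder
finding IDs (EXAMPLE-*), placeholder package URLs, hypothetical
reachability output. Analysis fields follow CycloneDX vulnerabilities[].analysis.
"""
import copy
import json

# Constructed SBOM: two components, two SCA findings with no analysis yet.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "container", "name": "portal-api",
                               "version": "2.4.1"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.example/jsonlib@1.2.0",
         "name": "jsonlib", "version": "1.2.0"},
        {"type": "library", "bom-ref": "pkg:maven/org.example/xmlparse@3.0.1",
         "name": "xmlparse", "version": "3.0.1"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "source": {"name": "constructed"},
         "ratings": [{"severity": "critical"}],
         "affects": [{"ref": "pkg:maven/org.example/jsonlib@1.2.0"}]},
        {"id": "EXAMPLE-0002", "source": {"name": "constructed"},
         "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:maven/org.example/xmlparse@3.0.1"}]},
    ],
}

# Constructed reachability output, keyed by (finding id, affected bom-ref).
REACHABILITY = {
    ("EXAMPLE-0001", "pkg:maven/org.example/jsonlib@1.2.0"):
        {"reachable": False, "detail": "jsonlib.Parser.parseDeep is never called from portal-api"},
    ("EXAMPLE-0002", "pkg:maven/org.example/xmlparse@3.0.1"):
        {"reachable": True, "detail": "xmlparse.Reader.read is on the request path"},
}

# States that mean "nothing for the customer to do" per the CycloneDX analysis vocabulary.
NOT_ACTIONABLE = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def reachability_to_vex(sbom, reachability):
    """Produce a standalone CycloneDX VEX document from reachability results.

    Findings with no reachability evidence get no analysis at all: the export
    never downgrades a finding it cannot justify.
    """
    statements = []
    for vuln in sbom.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            result = reachability.get((vuln["id"], affected["ref"]))
            if result is None:
                continue
            if result["reachable"]:
                analysis = {"state": "exploitable", "detail": result["detail"]}
            else:
                analysis = {"state": "not_affected",
                            "justification": "code_not_reachable",
                            "response": ["will_not_fix"],
                            "detail": result["detail"]}
            statements.append({"id": vuln["id"], "source": vuln.get("source"),
                               "affects": [{"ref": affected["ref"]}],
                               "analysis": analysis})
    return {"bomFormat": "CycloneDX", "specVersion": sbom["specVersion"],
            "version": 1, "vulnerabilities": statements}


def validate_vex(vex):
    """Return a list of problems; empty means the VEX is safe to ship."""
    problems = []
    for stmt in vex["vulnerabilities"]:
        analysis = stmt.get("analysis", {})
        if analysis.get("state") == "not_affected" and not analysis.get("justification"):
            problems.append(f"{stmt['id']}: not_affected without justification")
    return problems


def overlay_vex(sbom, vex):
    """Copy analysis blocks onto the matching (id, ref) findings of a new SBOM copy.

    Assumes one affects entry per finding, as in the constructed sample.
    """
    merged = copy.deepcopy(sbom)
    by_key = {(s["id"], a["ref"]): s["analysis"]
              for s in vex["vulnerabilities"] for a in s["affects"]}
    for vuln in merged.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            analysis = by_key.get((vuln["id"], affected["ref"]))
            if analysis is not None:
                vuln["analysis"] = copy.deepcopy(analysis)
    return merged


def actionable(sbom):
    """IDs the customer still has to look at: anything not marked non-actionable."""
    return [v["id"] for v in sbom.get("vulnerabilities", [])
            if v.get("analysis", {}).get("state", "in_triage") not in NOT_ACTIONABLE]


if __name__ == "__main__":
    vex = reachability_to_vex(SAMPLE_SBOM, REACHABILITY)
    assert not validate_vex(vex)
    print(json.dumps(overlay_vex(SAMPLE_SBOM, vex), indent=2))
    print("still actionable:", actionable(overlay_vex(SAMPLE_SBOM, vex)))
```

Before the overlay both constructed findings are actionable; after it only the reachable one is, and the not-affected entry carries a machine-readable justification the customer can audit instead of a bare "trust us".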
Customer relationships are configured with an SSO scope and per-release entitlements; tenant-set TTL defaults are applied to share links.
Every release in SBOM Studio emits CycloneDX + SPDX exports plus the signed attestation bundle from the build-provenance pass.
Reachability findings from the SCA engine are converted to VEX statements; known-not-affected entries are layered onto the SBOM at export.
Authorised customers log in via SSO and download the latest entitled SBOM; every download is logged with cryptographic provenance.
For ad-hoc requests (sales, security review), a one-click expiring link is issued; default TTL is enforced at the tenant level.
On authority request, the platform packages SBOM + signature chain + provenance attestation as a single bundle with a counter-signed cover note.
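The expiring share link (feature list and the ad-hoc step above) and the digest pin that ties a download to one specific SBOM are shown together below as an added example; this is not the product's own code. It assumes an HMAC-signed bearer token carrying tenant, release tag, SBOM digest and expiry, a hypothetical `portal.example` host, and a constructed tenant TTL table. The verifier checks the MAC before it parses anything, clamps any requested TTL into the 24h to 30d window, refuses expired links, and refuses to serve a stored SBOM whose digest no longer matches the one the link was issued for.

```python
"""Expiring, digest-pinned share links for SBOM downloads.

Added example, not product code. Assumptions: HMAC-SHA256 bearer tokens,
a hypothetical portal.example host, and a constructed per-tenant TTL table.
"""
import base64
import hashlib
import hmac
import json
import time

MIN_TTL = 24 * 3600          # 24h floor per the portal's TTL window
MAX_TTL = 30 * 24 * 3600     # 30d ceiling
TENANT_TTL_DEFAULT = {"acme": 7 * 24 * 3600}   # constructed tenant config


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def clamp_ttl(ttl):
    """A tenant may shorten or lengthen links, but never outside the window."""
    return max(MIN_TTL, min(MAX_TTL, ttl))


def issue_share_link(secret, tenant, release_tag, sbom_bytes, ttl=None, now=None,
                     base_url="https://portal.example/share"):
    """Mint a link that names exactly one SBOM (by digest) and dies at exp."""
    now = int(time.time()) if now is None else now
    ttl = clamp_ttl(TENANT_TTL_DEFAULT.get(tenant, MIN_TTL) if ttl is None else ttl)
    claims = {"t": tenant, "r": release_tag,
              "d": hashlib.sha256(sbom_bytes).hexdigest(), "exp": now + ttl}
    # Canonical encoding so issuer and verifier MAC identical bytes.
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{base_url}/{b64url_encode(payload)}.{b64url_encode(tag)}"


def redeem_share_link(secret, url, stored_sbom_bytes, now=None):
    """Return {"status": ..., "claims": ...}; only status "ok" may serve a file."""
    now = int(time.time()) if now is None else now
    token = url.rsplit("/", 1)[1]
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = b64url_decode(payload_b64), b64url_decode(tag_b64)
    except Exception:
        return {"status": "malformed", "claims": None}
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # MAC first, constant-time; never json.loads() an unauthenticated payload.
    if not hmac.compare_digest(expected, tag):
        return {"status": "bad_signature", "claims": None}
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return {"status": "expired", "claims": claims}
    # Digest pin: the link names one SBOM; a re-exported or edited file is refused.
    if hashlib.sha256(stored_sbom_bytes).hexdigest() != claims["d"]:
        return {"status": "digest_mismatch", "claims": claims}
    return {"status": "ok", "claims": claims}


if __name__ == "__main__":
    secret = b"constructed-demo-secret"                # never hard-code in real use
    sbom = b'{"bomFormat":"CycloneDX","specVersion":"1.5"}'  # constructed stand-in
    link = issue_share_link(secret, "acme", "v2.4.1", sbom)
    print(link)
    print(redeem_share_link(secret, link, sbom)["status"])
```

The audit record for a download is the returned `claims` plus the redeem time: tenant, release tag, SBOM digest and expiry are all authenticated by the MAC, so the log answers "which build was that SBOM from?" without trusting anything the requester typed.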
Pair with SBOM Studio for the artefact, build-provenance for signing, and supply-chain-compliance for regulator framing.
Connect one release pipeline and we'll stand up a per-customer portal with signed SBOM access in under a day.