Glossary

Software Bill of Materials (SBOM)

Inventory of all components and dependencies in software for supply chain security.

An SBOM is a complete inventory of all software components, libraries and dependencies your product uses. For AI startups, this includes not just your application dependencies but also ML frameworks, model libraries and data pipeline tools. Knowing exactly what is in your software stack is essential for identifying vulnerabilities, managing licence compliance and responding quickly to supply chain incidents.

How to get started:

  • Enable Dependabot or Renovate: These tools automatically scan your repositories, flag known vulnerabilities and create pull requests for updates. Start with GitHub Dependabot — it takes minutes to enable.
  • Check licence compliance: Pay special attention to copyleft licences (GPL, AGPL) that may require you to open-source your own code. Use a licence scanning tool to flag these automatically.
  • Generate a formal SBOM: Use standard formats like SPDX or CycloneDX. Many build tools (npm, pip, Maven) can export dependency lists that can be converted to these formats.
  • Monitor continuously: New vulnerabilities are discovered daily. Set up automated alerts so you are notified when a dependency in your stack is affected by a CVE.
  • Include AI-specific components: Document which model providers, frameworks (PyTorch, TensorFlow, LangChain) and inference runtimes you use. These have their own vulnerability surfaces.
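The steps above (generate a CycloneDX SBOM, flag copyleft licences, match components against an advisory feed) can be carried out with a short script. The example below is an added illustration, not code from this page or from Tidal Control: it parses a CycloneDX 1.5 JSON document constructed inline, reports components with GPL-family licences, and lists components whose version is below an advisory's fixed version. The SBOM contents, the advisory entries and their `PLACEHOLDER-ADV-*` identifiers are all constructed for the example and are not real packages or CVEs.

```python
"""Audit a CycloneDX SBOM for copyleft licences and advisory-affected components."""
import json

# Constructed CycloneDX 1.5 document used as sample input (not a real project's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "torch", "version": "2.1.0",
         "purl": "pkg:pypi/torch@2.1.0",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"type": "library", "name": "langchain", "version": "0.0.300",
         "purl": "pkg:pypi/langchain@0.0.300",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-gpl-lib", "version": "1.4.2",
         "purl": "pkg:pypi/example-gpl-lib@1.4.2",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "urllib3", "version": "1.26.5",
         "purl": "pkg:pypi/urllib3@1.26.5",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
})

# Constructed advisory feed. The identifiers are placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = [
    {"id": "PLACEHOLDER-ADV-0001", "ecosystem": "pypi", "package": "urllib3",
     "fixed_in": "1.26.6"},
    {"id": "PLACEHOLDER-ADV-0002", "ecosystem": "pypi", "package": "torch",
     "fixed_in": "2.0.0"},
]

# SPDX identifier prefixes treated as copyleft. LGPL is weaker copyleft but
# still worth a review, so it is flagged as well.
COPYLEFT_PREFIXES = ("GPL-", "AGPL-", "LGPL-")


def parse_version(version):
    """Turn a dotted numeric version such as '1.26.5' into a comparable tuple.
    Assumes purely numeric components; pre-release suffixes are out of scope here."""
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_json):
    """Extract name, version, purl and licence identifiers from a CycloneDX JSON SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for comp in doc.get("components", []):
        licences = []
        for entry in comp.get("licenses", []):
            # CycloneDX allows either a 'license' object (id or name) or an SPDX 'expression'.
            lic = entry.get("license", {})
            ident = lic.get("id") or lic.get("name") or entry.get("expression")
            if ident:
                licences.append(ident)
        components.append({
            "name": comp["name"],
            "version": comp["version"],
            "purl": comp.get("purl", ""),
            "licenses": licences,
        })
    return components


def copyleft_components(components):
    """Return names of components carrying a copyleft licence identifier."""
    return [
        c["name"] for c in components
        if any(lic.startswith(COPYLEFT_PREFIXES) for lic in c["licenses"])
    ]


def affected_components(components, advisories):
    """Match components to advisories by ecosystem (from the purl) and package name,
    and report those whose installed version is older than the fixed version."""
    findings = []
    for c in components:
        for adv in advisories:
            same_ecosystem = c["purl"].startswith(f"pkg:{adv['ecosystem']}/")
            if not (same_ecosystem and adv["package"] == c["name"]):
                continue
            if parse_version(c["version"]) < parse_version(adv["fixed_in"]):
                findings.append((c["name"], c["version"], adv["id"], adv["fixed_in"]))
    return findings


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    print("Copyleft components:", copyleft_components(comps))
    for name, ver, adv_id, fixed in affected_components(comps, SAMPLE_ADVISORIES):
        print(f"{name} {ver} affected by {adv_id}; upgrade to {fixed}")
```

In practice the SBOM would come from a generator rather than being embedded, and the advisory list from a vulnerability database; the matching logic stays the same, and running it on every build or on a schedule is what the "monitor continuously" step amounts to.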

An SBOM is increasingly expected by enterprise customers and required by regulations like the EU Cyber Resilience Act. Tidal Control helps you maintain your software inventory as part of your asset management and link it to your security controls.
