Regenerating SBOMs

People often treat a software bill of materials (SBOM) like a compliance checkbox: generate it once, attach it to a release, and forget about it. That misses the real point. An SBOM is only truly valuable if you can reliably regenerate it from the same build process that produced the software. If you can’t do that, it’s hard to verify, hard to trust, and easy for it to drift away from reality. An SBOM claims to describe what’s inside your software. That leads to some important questions:

• Can you produce the same SBOM again from the same source and build inputs?
• Does it cover both build-time and runtime dependencies?
• Is it tied to the actual artifact users get?
• Can you explain changes in the dependency graph from version control?
• Can someone else independently reconstruct it?

If the answer is no, your SBOM is just a snapshot with questionable origins. A hand-crafted or one-off SBOM doesn’t age well. Dependencies change. Build systems change. Packaging logic changes. Transitive inputs change. Release processes drift. Soon, the SBOM might still exist, but your confidence in it fades. The file remains, but its value as assurance disappears. This is what happens when SBOMs are treated as paperwork instead of outputs from a controlled process.

A good SBOM process lets you say:

Given this source revision, this packaging logic, and these declared inputs, we can reproduce both the artifact and the bill of materials that describes it.

That’s not perfect, but it’s a huge step up in trust. It means the SBOM isn’t just claimed—it’s derived. This is where Nix shines. Because Nix derivations model dependencies and build steps explicitly, they give you a structured way to walk the dependency graph and collect metadata. That makes it easier to automate SBOM generation and keep it tied to the actual package being built. Nix doesn’t magically make SBOMs perfect. But it does shrink the gap between:

• what was declared
• what was built
• what can be inspected
• what can be emitted as metadata

That’s a big improvement over ad hoc build systems where reconstructing dependency history is guesswork. If an SBOM is questioned during an audit or security review, and the answer is:

We generated that document during release, but we can’t reproduce it now

then confidence should drop fast. A security artifact you can’t reconstruct from controlled inputs is weak evidence. It might help, but it’s not strong assurance. The goal isn’t just to have an SBOM file. The goal is to have a process that can produce a trustworthy SBOM on demand, tied to the exact artifact in question.

See also:

• Binary Caches & Trust
• Bill Me Up