Audit Automation refers to the systematic use of tools, pipelines, and standards to continuously generate, validate, and act upon audit evidence — covering software composition, vulnerability disclosure, license compliance, and regulatory adherence. This repository provides a structured approach to mastering audit automation practices, with a focus on CycloneDX, SBOM-driven workflows, and DevSecOps integration.
This learning repository covers the end-to-end landscape of audit automation: from generating Software Bills of Materials (SBOMs) using CycloneDX, to integrating vulnerability scanning and VEX/VDR workflows into CI/CD pipelines, to achieving compliance with frameworks such as the EU Cyber Resilience Act (CRA), NIS2, DORA, and SSDF. It provides practical examples for cloud-native and Kubernetes environments, relevant to platform engineering and Internal Developer Platform (IDP) contexts.
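How those pieces fit together in a pipeline gate, as an added illustration rather than code from this repository: the Python below builds a CycloneDX 1.6 JSON SBOM, attaches scanner findings (the VDR side), merges a supplier VEX so that a `not_affected` statement suppresses one finding while an unanalysed finding still fails the build, and applies a license denylist. Field names follow the CycloneDX 1.6 JSON schema; the package names, vulnerability IDs, severity threshold and denylist are constructed for the example and are not real advisories or repository policy.

```python
"""Minimal CycloneDX 1.6 audit gate: build an SBOM, attach scanner findings,
merge a VEX document, and fail on policy. Added illustration for this README,
not code from the repository. Package names and vulnerability IDs below are
constructed placeholders, not real advisories."""
import uuid
from datetime import datetime, timezone

# CycloneDX analysis states meaning "no action needed" for this product.
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0, "none": 0, "unknown": 0}

def build_bom(app_name, app_version, components):
    """Return a CycloneDX 1.6 JSON-shaped dict; each component needs name, version, purl."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "name": app_name, "version": app_version},
        },
        "components": [
            {
                "type": "library",
                "bom-ref": c["purl"],  # purl as bom-ref so a VEX affects.ref can match it
                "name": c["name"],
                "version": c["version"],
                "purl": c["purl"],
                "licenses": [{"license": {"id": lic}} for lic in c.get("licenses", [])],
            }
            for c in components
        ],
        "vulnerabilities": [],
    }

def merge_vex(bom, vex):
    """Copy VEX analysis onto BOM vulnerabilities with the same id and an overlapping affected ref.
    A VEX statement for a ref not in this BOM suppresses nothing. Returns how many were applied."""
    applied = 0
    for vuln in bom.get("vulnerabilities", []):
        refs = {a["ref"] for a in vuln.get("affects", [])}
        for stmt in vex.get("vulnerabilities", []):
            if stmt["id"] == vuln["id"] and refs & {a["ref"] for a in stmt.get("affects", [])}:
                vuln["analysis"] = dict(stmt["analysis"])
                applied += 1
                break
    return applied

def severity_of(vuln):
    """Highest declared rating severity, or 'unknown' when no rating is present."""
    sevs = [r.get("severity", "unknown") for r in vuln.get("ratings", [])]
    return max(sevs, key=lambda s: SEVERITY_RANK.get(s, 0), default="unknown")

def gate(bom, denied_licenses, fail_at="high"):
    """Findings that should fail a pipeline: vulnerabilities at or above fail_at that no VEX
    has closed, components with a denied license, and components declaring no license."""
    findings = []
    for vuln in bom.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "in_triage")  # unanalysed counts as open
        sev = severity_of(vuln)
        if state not in CLOSED_STATES and SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK[fail_at]:
            findings.append({"type": "vulnerability", "id": vuln["id"], "severity": sev, "state": state})
    for comp in bom.get("components", []):
        ids = [entry["license"].get("id") for entry in comp.get("licenses", []) if "license" in entry]
        if not ids:
            findings.append({"type": "license", "ref": comp["bom-ref"], "reason": "no license declared"})
        for lic in ids:
            if lic in denied_licenses:
                findings.append({"type": "license", "ref": comp["bom-ref"], "reason": f"denied license {lic}"})
    return findings

# Constructed sample data: placeholder packages and IDs, not real advisories.
SAMPLE_COMPONENTS = [
    {"name": "example-http", "version": "2.1.0", "purl": "pkg:npm/example-http@2.1.0", "licenses": ["MIT"]},
    {"name": "example-yaml", "version": "0.9.3", "purl": "pkg:npm/example-yaml@0.9.3", "licenses": ["GPL-3.0-only"]},
    {"name": "example-util", "version": "1.4.2", "purl": "pkg:npm/example-util@1.4.2"},
]
SAMPLE_VDR_VULNS = [  # what a scanner would report (the VDR side)
    {"id": "EXAMPLE-0001", "ratings": [{"severity": "high", "method": "CVSSv31"}],
     "affects": [{"ref": "pkg:npm/example-http@2.1.0"}]},
    {"id": "EXAMPLE-0002", "ratings": [{"severity": "critical", "method": "CVSSv31"}],
     "affects": [{"ref": "pkg:npm/example-util@1.4.2"}]},
]
SAMPLE_VEX = {  # supplier VEX: EXAMPLE-0001 is not reachable here; it says nothing about EXAMPLE-0002
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "vulnerabilities": [{"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:npm/example-http@2.1.0"}],
                         "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                                      "detail": "vulnerable code path is never invoked by this application"}}],
}

def run_example():
    """Build the BOM, attach scanner findings, merge VEX, evaluate the gate."""
    bom = build_bom("demo-service", "1.0.0", SAMPLE_COMPONENTS)
    bom["vulnerabilities"] = [dict(v) for v in SAMPLE_VDR_VULNS]
    applied = merge_vex(bom, SAMPLE_VEX)
    return applied, gate(bom, denied_licenses={"GPL-3.0-only"}, fail_at="high")
```

Calling `run_example()` applies one VEX statement and returns three findings: the critical `EXAMPLE-0002` (no VEX, so it stays `in_triage` and blocks), the denied GPL-3.0-only license, and the component with no declared license. The `not_affected` finding is dropped only because the VEX matched both the vulnerability id and the exact `bom-ref`; a VEX that names a different ref suppresses nothing, which is the check a gate must make before trusting supplier statements.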
- 100 - Introduction to Audit Automation
- 200 - Software Bill of Materials (SBOM) Fundamentals
- 300 - CycloneDX Standard
- 400 - SBOM Generation Tooling
- 500 - Vulnerability Management Integration
- 600 - License Compliance Automation
- 700 - CI/CD Pipeline Integration
- 800 - Compliance Frameworks
- 900 - Cloud-Native and Kubernetes Audit Automation
- 1000 - SBOM Storage and Management Platforms
- 1100 - Advanced Topics
- 1200 - Hands-On Labs and Exercises
- 1900 - Reference
```text
learning-audit-automation/
├── README.md
│
├── 100/
│   ├── README.md
│   ├── 100-what-is-audit-automation.md
│   ├── 200-why-audit-automation-matters.md
│   ├── 300-audit-automation-landscape.md
│   └── 400-key-concepts-and-terminology.md
│
├── 200/
│   ├── README.md
│   ├── 100-what-is-an-sbom.md
│   ├── 200-sbom-use-cases.md
│   ├── 300-sbom-formats-spdx-vs-cyclonedx.md
│   ├── 400-sbom-minimum-elements.md
│   └── 500-sbom-lifecycle.md
│
├── 300/
│   ├── README.md
│   ├── 100-cyclonedx-overview.md
│   ├── 200-cyclonedx-bom-types.md
│   ├── 300-cyclonedx-schema-xml-json-protobuf.md
│   ├── 400-cyclonedx-vex.md
│   ├── 500-cyclonedx-vdr.md
│   ├── 600-cyclonedx-attestations.md
│   ├── 700-cyclonedx-tool-center.md
│   └── 800-cyclonedx-ecma-424-standard.md
│
├── 400/
│   ├── README.md
│   ├── 100-cyclonedx-cli.md
│   ├── 200-cdxgen.md
│   ├── 300-syft.md
│   ├── 400-trivy-sbom.md
│   ├── 500-language-specific-plugins.md
│   └── 600-container-image-sbom.md
│
├── 500/
│   ├── README.md
│   ├── 100-dependency-track.md
│   ├── 200-grype-vulnerability-scanning.md
│   ├── 300-snyk-integration.md
│   ├── 400-vex-workflows.md
│   └── 500-cvss-and-epss-scoring.md
│
├── 600/
│   ├── README.md
│   ├── 100-spdx-license-identifiers.md
│   ├── 200-license-policy-definition.md
│   ├── 300-automated-license-checks.md
│   └── 400-sbom-utility-license-reports.md
│
├── 700/
│   ├── README.md
│   ├── 100-github-actions-integration.md
│   ├── 200-gitlab-ci-integration.md
│   ├── 300-azure-devops-integration.md
│   ├── 400-flux-gitops-integration.md
│   └── 500-sbom-signing-and-attestation.md
│
├── 800/
│   ├── README.md
│   ├── 100-eu-cyber-resilience-act.md
│   ├── 200-nis2-directive.md
│   ├── 300-dora-compliance.md
│   ├── 400-ssdf-nist-800-218.md
│   ├── 500-us-executive-order-14028.md
│   └── 600-iso-iec-5962-spdx-standard.md
│
├── 900/
│   ├── README.md
│   ├── 100-kubernetes-sbom-scanning.md
│   ├── 200-crossplane-audit-automation.md
│   ├── 300-azure-policy-and-defender.md
│   ├── 400-oci-artifact-sbom-storage.md
│   └── 500-gitops-audit-trail.md
│
├── 1000/
│   ├── README.md
│   ├── 100-dependency-track-platform.md
│   ├── 200-sonatype-sbom-manager.md
│   ├── 300-anchore-enterprise.md
│   └── 400-oci-registry-sbom-attachments.md
│
├── 1100/
│   ├── README.md
│   ├── 100-ai-bom-mlbom.md
│   ├── 200-cryptography-bom-cbom.md
│   ├── 300-hardware-bom-hbom.md
│   ├── 400-saas-bom-saasbom.md
│   └── 500-sbom-as-code-patterns.md
│
├── 1200/
│   ├── README.md
│   ├── lab-01-generate-cyclonedx-sbom.md
│   ├── lab-02-scan-sbom-with-grype.md
│   ├── lab-03-dependency-track-setup.md
│   ├── lab-04-vex-workflow.md
│   ├── lab-05-github-actions-sbom-pipeline.md
│   └── lab-06-kubernetes-image-sbom.md
│
└── 1900/
    ├── README.md
    ├── glossary.md
    ├── tools-reference.md
    ├── frameworks-reference.md
    └── further-reading.md
```
- Basic understanding of software development and CI/CD pipelines
- Familiarity with containers and Kubernetes (helpful, not required)
- Command-line proficiency
- Basic understanding of security and compliance concepts
- Start sequentially — Begin with the 100 series for foundational concepts, then progress through the numbered modules
- Focus on CycloneDX early — The 300 series covers CycloneDX in depth; it is the BOM standard that the tooling, vulnerability, license and pipeline modules all build on
- Apply to your context — The 900 series specifically covers cloud-native (Azure, Kubernetes, Crossplane) scenarios
- Run the labs — The 1200 series provides practical, hands-on exercises to cement understanding
- Use the Reference — The 1900 series serves as a quick-lookup companion
| Technology | Purpose | Section |
|---|---|---|
| CycloneDX | BOM standard and tooling ecosystem | 300, 400 |
| OWASP Dependency-Track | SBOM management platform | 500, 1000 |
| cdxgen / cyclonedx-cli | SBOM generation | 400 |
| Syft / Grype | SBOM generation and scanning | 400, 500 |
| Trivy | Container image SBOM generation and vulnerability scanning | 400 |
| GitHub Actions / GitLab CI / Azure DevOps | CI/CD integration | 700 |
| Flux / GitOps | Continuous compliance and audit trail in GitOps workflows | 700, 900 |
| Crossplane | Cloud-native infrastructure audit | 900 |
| Azure Defender / Policy | Cloud compliance automation | 900 |
This repository is part of a series of technical learning resources in the van Heemstra Systems GitHub organization.

External resources referenced throughout the modules:
- CycloneDX Official Site
- CycloneDX GitHub Organization
- OWASP Dependency-Track
- CISA SBOM Resources
- EU Cyber Resilience Act
- NIST SSDF (SP 800-218)
MIT License — see LICENSE for details.
Willem van Heemstra, Cloud Engineer (GitHub)
Last Updated: March 2026