2026-01-08 · Theo Rhee
SBOM storage is a retention problem, not a checkbox
Security Automation for Pipelines asks participants to define retention, access, and diff review expectations before wiring generators into CI. That order matters: tools are easy; contracts are hard.
We walk through linking SBOM revisions to released images and how to prune old artifacts without breaking audit trails. The legal and operational nuances vary by jurisdiction; we flag where counsel should review.
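The retention pattern described above, linking SBOM revisions to released image digests and pruning old documents without losing the audit trail, can be illustrated with an in-memory store. This is an added example, not code from the briefing or its author; the image digests, generator label and SBOM contents are constructed, and the tombstone approach (keep the hash and timestamps in the index, drop only the bytes) is one design choice among several. The example also covers an edge case the prose does not spell out: two images sharing an identical SBOM, only one of which is still supported.

```python
"""Content-addressed SBOM store with audit-preserving pruning (added example).

SBOM blobs are stored by their sha256; each released image digest points at an
ordered list of revisions; pruning removes blobs for retired images but leaves
a tombstone so an auditor can still see which SBOM hash was attached to which
image, and can verify any copy of the document that later resurfaces.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Revision:
    sbom_sha256: str                       # content hash of the SBOM document
    generated_at: datetime                 # when the generator produced it
    generator: str                         # generator name/version label (assumed, not a real tool)
    tombstoned_at: datetime | None = None  # set once the blob has been pruned
    reason: str | None = None              # which policy caused the prune


@dataclass
class SbomStore:
    blobs: dict[str, bytes] = field(default_factory=dict)           # sha256 -> SBOM bytes
    index: dict[str, list[Revision]] = field(default_factory=dict)  # image digest -> revisions

    def attach(self, image_digest: str, sbom: bytes, generated_at: datetime, generator: str) -> str:
        """Store an SBOM and link it to a released image digest; returns the SBOM hash."""
        digest = hashlib.sha256(sbom).hexdigest()
        self.blobs.setdefault(digest, sbom)  # identical content from two builds is stored once
        self.index.setdefault(image_digest, []).append(Revision(digest, generated_at, generator))
        return digest

    def prune(self, now: datetime, retention: timedelta, supported_images: set[str]) -> list[tuple[str, str]]:
        """Tombstone revisions older than `retention` on images no longer supported.

        Index entries are never deleted; only blobs are, and only when no
        surviving revision on any image still references them.
        """
        pruned: list[tuple[str, str]] = []
        cutoff = now - retention
        for image, revisions in self.index.items():
            if image in supported_images:
                continue  # supported releases keep every revision, whatever its age
            for rev in revisions:
                if rev.tombstoned_at is None and rev.generated_at < cutoff:
                    rev.tombstoned_at = now
                    rev.reason = f"retention {retention.days}d, image unsupported"
                    pruned.append((image, rev.sbom_sha256))
        live = {r.sbom_sha256 for revs in self.index.values() for r in revs if r.tombstoned_at is None}
        for sha in list(self.blobs):
            if sha not in live:
                del self.blobs[sha]
        return pruned

    def audit(self, image_digest: str) -> list[dict]:
        """Audit view: every revision ever attached to the image, present or tombstoned."""
        return [
            {
                "sbom_sha256": r.sbom_sha256,
                "generated_at": r.generated_at.isoformat(),
                "generator": r.generator,
                "status": "present" if r.sbom_sha256 in self.blobs else "tombstoned",
                "tombstoned_at": r.tombstoned_at.isoformat() if r.tombstoned_at else None,
                "reason": r.reason,
            }
            for r in self.index.get(image_digest, [])
        ]

    def verify(self, image_digest: str, candidate: bytes) -> bool:
        """True if a presented document matches a recorded revision, even after its blob was pruned."""
        h = hashlib.sha256(candidate).hexdigest()
        return any(r.sbom_sha256 == h for r in self.index.get(image_digest, []))


# Constructed sample data: fake image digests and minimal CycloneDX-shaped documents.
RETIRED_IMAGE = "sha256:" + "a" * 64
SUPPORTED_IMAGE = "sha256:" + "b" * 64
OLD_SBOM = json.dumps({"bomFormat": "CycloneDX", "components": [{"name": "openssl", "version": "3.0.1"}]}).encode()
NEW_SBOM = json.dumps({"bomFormat": "CycloneDX", "components": [{"name": "openssl", "version": "3.0.15"}]}).encode()


def demo() -> SbomStore:
    """Constructed scenario: one retired release past retention, one still supported."""
    store = SbomStore()
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    store.attach(RETIRED_IMAGE, OLD_SBOM, t0, "generator-x 1.0")
    store.attach(SUPPORTED_IMAGE, NEW_SBOM, t0 + timedelta(days=300), "generator-x 1.0")
    store.prune(now=t0 + timedelta(days=400), retention=timedelta(days=365), supported_images={SUPPORTED_IMAGE})
    return store


if __name__ == "__main__":
    s = demo()
    print(json.dumps({RETIRED_IMAGE: s.audit(RETIRED_IMAGE), SUPPORTED_IMAGE: s.audit(SUPPORTED_IMAGE)}, indent=2))
```

The point of keeping the index row is that the retention question ("do we still have the SBOM for image X?") and the audit question ("what did we attest for image X at release time?") get different answers, and both stay answerable. Because the blob is dropped only when no live revision references its hash, an SBOM shared by a supported and a retired image survives the prune.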
Participants also practice triage language developers find fair: severity bands, SLAs for fixes, and when issues become release blockers.
The outcome is an SBOM flow that survives the first real incident review instead of collapsing under rhetorical questions.
Tags: security, sbom, compliance