Supply chain management speaks to improving security in the software systems we create. At the core of these discussions is the generation of SBOMs and CVE reports. In monolithic CI/CD, application SBOMs and CVE reports are created at the CI build step. But how do we manage SBOMs in a microservice environment without a monolithic build? This breakout session with Tracy Ragan of DeployHub will review the supply chain complexities in a microservice architecture with hundreds of run-time dependencies, each having its own SBOM and CVE reports. It will introduce Ortelius, an open-source unified supply chain catalog incubating at the Continuous Delivery Foundation, which aggregates SBOM and CVE microservice level data to the consuming ‘logical’ applications. Attendees will learn how to quickly produce application-level supply chain reports that meet new federal security requirements, even in complex cloud-native environments built into the CD pipeline process.