Table of Contents


A Software Bill of Materials (SBOM) is an inventory of software components and their ingredients see here, allowing organizations to determine when and where a component was created, the creator, license data and so on.

Access SBOM

  1. Before you can access the SBOM page and view its resources, you must subscribe to the SCA module. For more on SCA licensing, refer to Application Security Licenses.
  2. Select
    Application Security
    The SBOM displays an inventory of dependencies in your organization, including the following details:
    • Package
      : The name of the package.
    • Version
      : The version of the package.
    • License
      : The package license.
    • Found In
      : The repositories in which the package was detected. The number in the column represents the amount of repositories in which the package is found.
    • Vulnerabilities
      : The vulnerabilities detected in the package, with a link to a CVE database for further information. The number in the column represents the amount of multiple vulnerabilities detected in the package.
      For more details about the vulnerability click on the package in the inventory table. See below for more on dependency vulnerability details.
    • Highest Severity
      : The highest severity of a vulnerability found in a package when multiple vulnerabilities are detected, or the severity of a single vulnerability.
      Selecting a package from the inventory table opens the resource explorer displaying additional information about the entity.
    • The
      tab opens as the default view, providing metadata about the package including name, version, license, vulnerabilities and the amount of repositories in which the package is found. Selecting the amount of repositories opens the Repositories tab - see below for more
    • The
      tab includes a list of all vulnerabilities detected in the package, including their description, the affected version, the version fix, the CVE policy/vulnerability with a link to the database for more details, severity, CVE ID, CVSS score and vector, risk factors, the fix version, and whether the fix is private or public. To view the issue in more detail, select View Issue, which redirects to Projects.
    • The
      tab includes details of the repositories hosting the packages, their location and dependency tree, including both direct and indirect dependencies and the Supply Chain Graph

Supply Chain Graph

Supply Chain Graph
is a real-time attestation of the artifacts used to build, configure and invoke cloud infrastructure in your environment. It shows an opinionated supply chain attack surface of your repositories and describes how cloud infrastructure and applications may become compromised.
To access the
Supply Chain Graph
, select
> package in the inventory table >
tab >
For more information about the Supply Chain Graph, refer to Supply Chain Security.


You can apply the following filters to narrow down a search for a package. Repository: Filter packages by repository.
Only repositories that include packages are listed
  • *Ecosystem
    : Filter by the package manager hosting the dependency*
  • Images
    : Filter by the image hosting the dependency.
  • License
    : Filter by package license.
  • Vulnerabilities
    : Filter the vulnerabilities by CVE ID.
  • Severity
    : Filter the vulnerabilities by severity.
  • 'Show only vulnerable'
    : Toggle
    to display vulnerable packages only in the inventory table.

Generate SBOM

Generate repository SBOM data as a CycloneDX or CSV file: Select the menu in the top right >
Generate SBOM
> choose a repository, output and type of material >
The generated data will only include filtered data when applying filters.

Recommended For You