SBOM Vulnerability Scanner
Scan Software Bill of Materials (SBOM) files for vulnerabilities with batch processing.
Supported Formats
- CycloneDX: JSON format with components array containing PURL and version
- SPDX: JSON format with packages array and external references
What an SBOM is
A Software Bill of Materials lists components, versions, package URLs, licenses, and dependency metadata for an application or container image. Common formats include CycloneDX and SPDX.
Where SBOM scanning fits
SBOM vulnerability scanning is useful in CI/CD pipelines, release reviews, vendor intake, and incident response. It provides dependency visibility before a vulnerable component becomes a production emergency.
How to use results
Prioritize findings by severity, exploitability, exposure, and whether a fixed version is available. Combine SBOM results with runtime context; not every vulnerable component is reachable in every application.
Limitations
SBOM quality depends on how it was generated. Missing components, incorrect package URLs, private packages, patched downstream builds, and incomplete advisory data can all affect accuracy.
Related tools
Check one dependency with Package Vulnerability Checker, clean SBOM JSON with JSON Formatter, and compare file integrity with Hash Generator.