Upload a CycloneDX or SPDX JSON file (max 5MB)
Supported Formats
  • CycloneDX: JSON format with components array containing PURL and version
  • SPDX: JSON format with packages array and external references

What an SBOM is

A Software Bill of Materials lists components, versions, package URLs, licenses, and dependency metadata for an application or container image. Common formats include CycloneDX and SPDX.

Where SBOM scanning fits

SBOM vulnerability scanning is useful in CI/CD pipelines, release reviews, vendor intake, and incident response. It provides dependency visibility before a vulnerable component becomes a production emergency.

How to use results

Prioritize findings by severity, exploitability, exposure, and whether a fixed version is available. Combine SBOM results with runtime context; not every vulnerable component is reachable in every application.

Limitations

SBOM quality depends on how it was generated. Missing components, incorrect package URLs, private packages, patched downstream builds, and incomplete advisory data can all affect accuracy.

Related tools

Check one dependency with Package Vulnerability Checker, clean SBOM JSON with JSON Formatter, and compare file integrity with Hash Generator.