1M+ SBOMs Analyzed
500+ Enterprise Clients
50K+ CVEs Tracked Daily
99.9% Uptime SLA

Upload & Analyze SBOMs

Quick upload via command line or drag & drop

curl -T sbom.json https://sbom.sh

Drop SBOM File (SPDX or CycloneDX JSON)

Instant vulnerability analysis, component search, and quality scoring

OR

Container Image SBOM Generation

Analyze any public container registry image

GitHub Repository Analysis

Generate SBOM from public repositories

Platform Capabilities

Automated SBOM Generation
Generate SBOMs from container images and Git repositories. Supports SPDX, CycloneDX, and SWID formats with full dependency graph analysis.
Multi-Scanner Integration
Integrated with Trivy, Grype, and OSV for comprehensive vulnerability detection. Real-time CVE monitoring with severity scoring.
SBOM Quality Metrics
Automated SBOM quality scoring based on NTIA minimum elements. Track completeness, accuracy, and compliance metrics.
API-First Architecture
RESTful API with OpenAPI specification. Webhook support for vulnerability alerts and continuous monitoring.

Why Teams Choose SBOM.sh

Multi-Scanner Vulnerability Detection
Leverage Trivy, Grype, and OWASP dep-scan for comprehensive vulnerability coverage. EPSS scoring helps prioritize critical risks.
SBOM Quality Scoring
Automated quality assessment against NTIA minimum elements. Track structural, semantic, and sharing quality metrics.
Easy Sharing & Collaboration
Generate badges for GitHub/DockerHub, email SBOMs securely, export to PDF, and create signed downloads.
CI/CD Ready
GitHub Actions, REST API, and Docker integration. Automate SBOM generation and vulnerability scanning in your pipeline.
Analytics & Insights
Track top vulnerabilities, component usage trends, and security metrics across your entire software portfolio.
Real-time Processing
Instant SBOM analysis with persistent URLs. Weekly automated rescans keep vulnerability data current.
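The "SBOM Quality Metrics" capability above and the "SBOM Quality Scoring" point here both refer to the NTIA minimum elements (supplier name, component name, version, other unique identifiers, dependency relationship, author of the SBOM data, timestamp). The following is an added example, not sbom.sh's own scoring code, showing what such a check looks like for a CycloneDX or SPDX JSON document: it reports which elements are present per component and an overall percentage. The field names assumed are those of CycloneDX 1.4+ JSON and SPDX 2.x JSON; the two sample documents are constructed for the example and are not real project SBOMs.

```python
"""Check an SBOM against the NTIA minimum elements.

Added example; not sbom.sh's scoring code. Assumes the CycloneDX 1.4+ JSON
and SPDX 2.x JSON field names used below; anything else is ignored.
"""
import json

# Per-component NTIA elements; author, timestamp and dependencies are document level.
COMPONENT_FIELDS = ("supplier", "name", "version", "identifier")


def _from_cyclonedx(bom):
    meta = bom.get("metadata", {})
    author = bool(meta.get("authors") or meta.get("tools"))
    timestamp = bool(meta.get("timestamp"))
    rows = []
    for c in bom.get("components", []):
        supplier = c.get("supplier") or {}
        rows.append({
            "ref": c.get("bom-ref") or c.get("name"),
            "supplier": bool(supplier.get("name") or c.get("publisher") or c.get("author")),
            "name": bool(c.get("name")),
            "version": bool(c.get("version")),
            # purl, cpe or swid count as "other unique identifiers"
            "identifier": bool(c.get("purl") or c.get("cpe") or c.get("swid")),
        })
    return author, timestamp, rows, bool(bom.get("dependencies"))


def _from_spdx(doc):
    info = doc.get("creationInfo", {})
    rows = []
    for p in doc.get("packages", []):
        supplier = p.get("supplier", "")
        rows.append({
            "ref": p.get("SPDXID") or p.get("name"),
            "supplier": bool(supplier) and supplier != "NOASSERTION",
            "name": bool(p.get("name")),
            "version": bool(p.get("versionInfo")),
            "identifier": any(r.get("referenceType") in ("purl", "cpe22Type", "cpe23Type", "swid")
                              for r in p.get("externalRefs", [])),
        })
    # A DESCRIBES relationship alone says nothing about the dependency graph.
    deps = any(r.get("relationshipType") in ("DEPENDS_ON", "DEPENDENCY_OF", "CONTAINS")
               for r in doc.get("relationships", []))
    return bool(info.get("creators")), bool(info.get("created")), rows, deps


def ntia_report(sbom):
    """Return per-element coverage (0.0-1.0), the refs missing each element, and an overall percentage."""
    if sbom.get("bomFormat") == "CycloneDX":
        author, timestamp, rows, deps = _from_cyclonedx(sbom)
    elif str(sbom.get("spdxVersion", "")).startswith("SPDX-"):
        author, timestamp, rows, deps = _from_spdx(sbom)
    else:
        raise ValueError("not a CycloneDX or SPDX JSON document")
    n = len(rows)
    scores = {"author": float(author), "timestamp": float(timestamp), "dependencies": float(deps)}
    missing = {}
    for f in COMPONENT_FIELDS:
        scores[f] = (sum(1 for r in rows if r[f]) / n) if n else 0.0
        missing[f] = [r["ref"] for r in rows if not r[f]]
    overall = round(100 * sum(scores.values()) / len(scores), 1)
    return {"components": n, "scores": scores, "missing": missing, "score": overall}


# Constructed sample documents (not real project SBOMs). In the CycloneDX one,
# "zlib" has no supplier, version or purl, so three elements score 0.5.
SAMPLE_CYCLONEDX = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"timestamp": "2024-01-01T00:00:00Z",
                 "tools": [{"vendor": "example", "name": "sbom-gen"}]},
    "components": [
        {"bom-ref": "pkg:deb/debian/openssl@3.0.11", "type": "library", "name": "openssl",
         "version": "3.0.11", "purl": "pkg:deb/debian/openssl@3.0.11",
         "supplier": {"name": "Debian"}},
        {"bom-ref": "zlib", "type": "library", "name": "zlib"},
    ],
    "dependencies": [{"ref": "pkg:deb/debian/openssl@3.0.11", "dependsOn": ["zlib"]}],
}

# The SPDX sample is complete per package but carries no dependency relationships.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example",
    "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": ["Tool: sbom-gen-0.1"]},
    "packages": [
        {"SPDXID": "SPDXRef-openssl", "name": "openssl", "versionInfo": "3.0.11",
         "supplier": "Organization: Debian",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/openssl@3.0.11"}]},
    ],
    "relationships": [],
}

if __name__ == "__main__":
    import sys
    # Pass a CycloneDX or SPDX JSON file as the first argument, or run on the built-in sample.
    sbom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CYCLONEDX
    print(json.dumps(ntia_report(sbom), indent=2))
```

Run it on the output of `trivy image postgres -f cyclonedx` or `syft ... -o spdx-json` before uploading: the `missing` lists tell you which components the generator could not identify (typically files with no package metadata), which is usually what drags the score down rather than the document-level fields.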

Trusted by Industry Leaders

Hundreds of organizations rely on SBOM.sh for automated supply chain security

Fortune 500 companies, government agencies, and tech startups

Create an SBOM and share it

You can create and share an SBOM with SBOM.sh in one step. Check out these examples:

Container image using trivy, e.g., Postgres

trivy image postgres -f cyclonedx --scanners vuln -q | curl -d @- https://sbom.sh -H "Content-Type: application/json"

Container image using syft

syft registry:docker.io/postgres -o cyclonedx-json -q | curl -d @- https://sbom.sh -H "Content-Type: application/json"

Container image using grype

grype registry:docker.io/postgres -o cyclonedx-json -q | curl -d @- https://sbom.sh -H "Content-Type: application/json"

Use the GitHub dependency graph (requires a token with read access to the repository)

curl -sL -H "Accept: application/vnd.github+json" -H "Authorization: Bearer YOUR-TOKEN" \
https://api.github.com/repos/codenotary/immudb/dependency-graph/sbom | curl -d @- https://sbom.sh -H "Content-Type: application/json"

SBOM.sh GitHub Action: container and repository SBOM generation, sharing, and vulnerability scanning with Grype, Syft or Trivy

This GitHub Action integrates with sbom.sh to generate and upload a Software Bill of Materials (SBOM) for your projects. It runs the codenotary/sbom.sh container image and supports open-source SBOM tools such as Trivy, Grype, and Syft.

To use this action, add a workflow file such as sbom-analysis.yml to your .github/workflows directory:

name: "Generate and Upload SBOM"
on: [push, pull_request, workflow_dispatch]

jobs:
  generate_sbom:
    runs-on: ubuntu-latest
    name: "SBOM Generation"
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Generate SBOM
        id: sbom_generation
        # For production use, pin to a release tag or commit SHA rather than the mutable main branch
        uses: codenotary/sbom.sh-create@main
        with:
          scan_type: 'grypefs'
          target: '.' # Scan the entire checked-out repository

      - name: Output SBOM URL
        run: echo "The SBOM can be found at $SBOM_SHARE_URL"

Use the all-in-one SBOM.sh container image

Use the sbom.sh container image to generate, upload and share SBOMs with no local tool installation or updates required. Check out these examples:

Local repository using trivy

docker run -v $(pwd):/app codenotary/sbom.sh trivyfs

Container image using trivy, e.g., Postgres

docker run codenotary/sbom.sh trivyimage postgres

Container image using grype

docker run codenotary/sbom.sh grypeimage postgres