Either use curl to upload a local SBOM file (json) or drop the SBOM file below:

curl -T someSBOM.json

Drop your SBOM file (SPDX or CycloneDX JSON)

Visualize components, vulnerabilities, quality and risk. Full component and vulnerability search.


Generate a SBOM of this container image (public Dockerhub registry only)

Generate a SBOM from this public GitHub

Check out this SBOM example: API (Swagger API Description)

Use the all-in-one container image

Take advantage of the container image to generate, upload and share SBOMs (no local install required, no update required). Check out these examples:

Local repository using trivy

docker run -v $(pwd):/app codenotary/ trivyfs

Container image using trivy, i.e., Postgres

docker run codenotary/ trivyimage postgres

Container image using syft

docker run codenotary/ syftimage postgres

Container image using grype

docker run codenotary/ grypeimage postgres

Create an SBOM and share it

You can effortlessly create and share an SBOM using in one step. Check out these examples::

To retrieve the SBOM data, you can use the curl command as below using your unique URL:


Local repository using trivy

trivy fs . -f cyclonedx -q | curl -d @- -H "Content-Type: application/json"

Container image using trivy, i. e. Postgres

trivy image postgres -f cyclonedx --scanners vuln -q | curl -d @- -H "Content-Type: application/json"

Container image using syft

syft -o cyclonedx-json -q | curl -d @- -H "Content-Type: application/json"

Container image using grype

grype -o cyclonedx-json -q | curl -d @- -H "Content-Type: application/json"

Use GitHub dependency graph dependency graph

curl -sL -H "Accept: application/vnd.github+json" -H "Authorization: Bearer YOUR-TOKEN" \ | curl -d @- -H "Content-Type: application/json" container and repository SBOM generation & sharing + vulnerability scan using Grype, Syft or Trivy provided as a GitHub Action

This GitHub Action integrates with to generate and upload Software Bill of Materials (SBOM) for your projects. Utilizing the codenotary/ container image, this action supports various open-source SBOM tools such as Trivy, Grype, and Syft:

To use this action, add the following to your .github/workflows directory in a file like sbom-analysis.yml:

name: "Generate and Upload SBOM"
on: [push, pull_request, workflow_dispatch]

  runs-on: ubuntu-latest
  name: "SBOM Generation"
    - name: Checkout Repository
      uses: actions/checkout@v4
    - name: Generate SBOM
      id: sbom_generation
      uses: codenotary/
        scan_type: 'grypefs'
        target: '.' # Assuming you want to scan the entire repository

    - name: Output SBOM URL
      run: echo "The SBOM can be found at $SBOM_SHARE_URL"

Acceptable Use Policy

Please do not post any information that may violate the law (login/password lists, email lists, personal information). IP addresses are logged, so you might get banned.

Life span of a single SBOM for anonymous user is one month and then it is deleted.

For registered users (click the GitHub logo top right) is currently not limited.