Either use curl to upload a local SBOM file (JSON) or drop the SBOM file below:

curl -T someSBOM.json

Drop your SBOM file (SPDX or CycloneDX JSON)

Visualize components, vulnerabilities, quality and risk. Full component and vulnerability search.


Generate an SBOM of this container image (public registries only)

Generate an SBOM from this public GitHub repository

Check out this SBOM example: API (Swagger API Description)

Use the all-in-one container image

Use the container image to generate, upload and share SBOMs without installing or updating any scanner locally. Examples:

Local repository using trivy

docker run -v $(pwd):/app codenotary/ trivyfs

Container image using trivy, e.g. the postgres image

docker run codenotary/ trivyimage postgres

Container image using syft

docker run codenotary/ syftimage postgres

Container image using grype

docker run codenotary/ grypeimage postgres

Create an SBOM and share it

You can create and share an SBOM in one step with the commands below.

To upload the SBOM, pipe the scanner output into curl at your unique URL (curl -d @- reads the request body from stdin):


Local repository using trivy

trivy fs . -f cyclonedx -q | curl -d @- -H "Content-Type: application/json"

Container image using trivy, e.g. the postgres image

trivy image postgres -f cyclonedx --scanners vuln -q | curl -d @- -H "Content-Type: application/json"

Container image using syft (the image name is the scan target, as in the trivy example)

syft postgres -o cyclonedx-json -q | curl -d @- -H "Content-Type: application/json"

Container image using grype (the image name is the scan target, as in the trivy example)

grype postgres -o cyclonedx-json -q | curl -d @- -H "Content-Type: application/json"
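Before piping scanner output into curl it is worth checking that what you are about to share is actually an SBOM (not a scanner error message or an empty document) and seeing what it contains. The script below is an added example written for this page; it is not code from the page or from the SBOM service it describes. It detects CycloneDX versus SPDX JSON, unwraps the envelope that the GitHub dependency-graph API (used further down this page) puts around its SPDX document, counts components and vulnerability records, refuses to upload an SBOM with no components, and POSTs the document with the same Content-Type header as the curl one-liners. The upload URL is taken from the command line; the two embedded SBOM documents are constructed samples, not real scanner output.

```python
#!/usr/bin/env python3
"""Check an SBOM before sharing it: detect SPDX vs CycloneDX, unwrap the
GitHub dependency-graph envelope, count components/vulnerabilities and
POST the document with the same Content-Type the curl one-liners use.

Added example for this page; not code from the page or the SBOM service.
The upload URL is supplied by the caller, nothing is sent unless it is."""
import json
import sys
import urllib.request


def unwrap(doc):
    """GitHub's GET /repos/{owner}/{repo}/dependency-graph/sbom nests the
    SPDX document under a top-level "sbom" key; peel it off so the rest
    of the pipeline sees a plain SPDX document."""
    if isinstance(doc, dict) and list(doc) == ["sbom"] and isinstance(doc["sbom"], dict):
        return doc["sbom"]
    return doc


def detect_format(doc):
    """Return "cyclonedx" or "spdx"; raise on anything else so a stray
    tool error message or an empty file is never uploaded as an SBOM."""
    doc = unwrap(doc)
    if not isinstance(doc, dict):
        raise ValueError("SBOM must be a JSON object")
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    raise ValueError("not a CycloneDX or SPDX JSON document")


def summarize(doc):
    """Count components and vulnerability records. Zero components usually
    means the scanner ran against the wrong directory or could not read
    the image, so this is the number to look at before sharing."""
    doc = unwrap(doc)
    fmt = detect_format(doc)
    if fmt == "cyclonedx":
        comps = [c.get("name", "?") for c in doc.get("components", [])]
        vulns = [v.get("id", "?") for v in doc.get("vulnerabilities", [])]
    else:  # SPDX 2.x: a package list only, no vulnerability section
        comps = [p.get("name", "?") for p in doc.get("packages", [])]
        vulns = []
    return {"format": fmt,
            "spec": doc.get("specVersion") or doc.get("spdxVersion"),
            "components": len(comps),
            "vulnerabilities": len(vulns)}


def upload(doc, url, timeout=30):
    """POST the unwrapped document as application/json and return the
    response body; mirrors: curl -d @- -H "Content-Type: application/json"."""
    data = json.dumps(unwrap(doc)).encode()
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


# Constructed samples (not real scanner output): a tiny CycloneDX BOM with
# one vulnerability record, and an SPDX document wrapped the way the
# GitHub dependency-graph API returns it. Names and IDs are placeholders.
SAMPLE_CYCLONEDX = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [{"type": "library", "name": "example-lib", "version": "1.2.3"}],
    "vulnerabilities": [{"id": "EXAMPLE-0001", "affects": [{"ref": "example-lib"}]}],
}
SAMPLE_GITHUB = {"sbom": {
    "SPDXID": "SPDXRef-DOCUMENT", "spdxVersion": "SPDX-2.3", "name": "example/repo",
    "packages": [{"name": "com.github.example/repo", "versionInfo": "main"},
                 {"name": "npm:example-pkg", "versionInfo": "4.0.0"}],
}}


def main(argv):
    # Usage: sbom_check.py [file.json | -] [upload-url]; "-" or no file reads stdin.
    src = open(argv[1]) if len(argv) > 1 and argv[1] != "-" else sys.stdin
    doc = json.load(src)
    info = summarize(doc)
    print(json.dumps(info))
    if info["components"] == 0:
        sys.exit("refusing to upload an SBOM with no components")
    if len(argv) > 2:
        print(upload(doc, argv[2]))


if __name__ == "__main__":
    main(sys.argv)
```

Drop it in front of the curl step, for example `trivy fs . -f cyclonedx -q | python3 sbom_check.py - <your unique URL>`; with no URL argument it only prints the summary, which is a cheap way to confirm the scanner saw your project before anything leaves the machine.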

Use the GitHub dependency graph

Export the repository SBOM (SPDX JSON) from the GitHub dependency graph API and pipe it straight into the upload. Note that the API response nests the SPDX document under a top-level "sbom" key:

curl -sL -H "Accept: application/vnd.github+json" -H "Authorization: Bearer YOUR-TOKEN" \
  | curl -d @- -H "Content-Type: application/json"

Container and repository SBOM generation & sharing + vulnerability scan using Grype, Syft or Trivy provided as a GitHub Action

This GitHub Action integrates with to generate and upload a Software Bill of Materials (SBOM) for your project. Built on the codenotary/ container image, the action can run any of the open-source SBOM tools Trivy, Grype and Syft.

To use this action, add the following to your .github/workflows directory in a file like sbom-analysis.yml:

name: "Generate and Upload SBOM"
on: [push, pull_request, workflow_dispatch]

# Least privilege: generating an SBOM only needs to read the checkout.
permissions:
  contents: read

jobs:
  sbom:   # job id; any identifier works
    runs-on: ubuntu-latest
    name: "SBOM Generation"
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
      - name: Generate SBOM
        id: sbom_generation
        uses: codenotary/
        with:
          scan_type: 'grypefs'
          target: '.' # scan the entire repository
      - name: Output SBOM URL
        run: echo "The SBOM can be found at $SBOM_SHARE_URL"

Open Source tool stack used

Open Source Tool   Functionality                                Current Version
OWASP dep-scan     Vulnerability scan, supports CycloneDX 1.6   5.3.3
trivy              SBOM generation, vulnerability scan          0.50.1
grype              SBOM generation, vulnerability scan          0.76
sbomqs             SBOM quality score                           0.0.30

Acceptable Use Policy

Please do not post any information that may violate the law (login/password lists, email lists, personal information). IP addresses are logged, and abusers may be banned.

An anonymous user's SBOM is kept for one month and then deleted.

For registered users (click the GitHub logo at the top right), retention is unlimited.