An SBOM lists every component in your software β the basis for answering 'are we affected?' when the next Log4Shell appears. Today we run dependency audit and can analyse an SBOM you provide; automated generation is on our roadmap.
Run a free domain scan All checks βToday we run dependency audit (pip-audit / npm audit) incl. transitive dependencies and can match an SBOM you provide against known vulnerabilities, so you can quickly answer whether a new CVE affects you. Automated SBOM generation (CycloneDX/SPDX) is planned (roadmap), not a feature we ship today.
When a critical vulnerability in a widely-used dependency is published, the first question is 'do we use it, and where?'. Without an SBOM that takes days. With one it takes minutes β and it's increasingly a supply-chain requirement.
What's the difference from dependency scanning?
Today it's effectively the same: we run dependency audit on your packages. A full SBOM table of contents (to answer FUTURE vulnerabilities) is on our roadmap.
What format?
SBOM export in CycloneDX/SPDX is on our roadmap. Today we deliver vulnerability analysis of your dependencies β and can analyse an SBOM you provide.
Does it run self-hosted?
Yes β the dependency audit can run in your environment.
Run a free scan or order a full Security Assessment β prioritised, not noise.
Run a free domain scan