Security check

SBOM: a table of contents for your software

An SBOM lists every component in your software β€” the basis for answering 'are we affected?' when the next Log4Shell appears. Today we run dependency audit and can analyse an SBOM you provide; automated generation is on our roadmap.

Run a free domain scan All checks β†’
Relates to: NIS2 Β· art. 21 β€” supply chain ISO 27001 Β· A.8.8 US EO 14028 Β· SBOM

What we check

Today we run dependency audit (pip-audit / npm audit) incl. transitive dependencies and can match an SBOM you provide against known vulnerabilities, so you can quickly answer whether a new CVE affects you. Automated SBOM generation (CycloneDX/SPDX) is planned (roadmap), not a feature we ship today.

Why it matters

When a critical vulnerability in a widely-used dependency is published, the first question is 'do we use it, and where?'. Without an SBOM that takes days. With one it takes minutes β€” and it's increasingly a supply-chain requirement.

How Security Guru tests it

Common mistakes

  • No SBOM at all β†’ can't answer 'are we affected?'
  • SBOM covering only direct, not transitive dependencies
  • Static SBOM never updated on new releases
  • No link between SBOM and vulnerability data

What you get in the report

  • Dependency vulnerabilities per project (incl. transitive)
  • Components with known vulnerabilities flagged
  • Supply-chain risks ranked
  • Mapping to NIS2 supply chain / ISO A.8.8

FAQ

What's the difference from dependency scanning?

Today it's effectively the same: we run dependency audit on your packages. A full SBOM table of contents (to answer FUTURE vulnerabilities) is on our roadmap.

What format?

SBOM export in CycloneDX/SPDX is on our roadmap. Today we deliver vulnerability analysis of your dependencies β€” and can analyse an SBOM you provide.

Does it run self-hosted?

Yes β€” the dependency audit can run in your environment.

Want to know your status?

Run a free scan or order a full Security Assessment β€” prioritised, not noise.

Run a free domain scan