SBOMVault API
Programmatic access to SBOM generation, vulnerability scanning, remediation, and exports.
Authentication
Authenticate every request with a Bearer API key created under Settings → API Keys. Keys are scoped (sbom:read, sbom:write, scan:write, vex:write) and rate-limited per key.
```bash
curl -X POST https://www.sbomvault.ai/api/sca/scan \
  -H "Authorization: Bearer sv_live_xxxxxxxx" \
  -F "repoUrl=https://github.com/your-org/your-repo"
```
Scanning
Generate SBOMs from source and check scan status
`/api/sca/scan`: Generate an SBOM from source
Scan uploaded lockfiles/manifests or a public/token-accessible repo URL. Synchronous by default; pass `async=true` to enqueue and poll scan-status. Requires scope `scan:write`.
`/api/sca/scan-status/{id}`: Poll an async scan
SBOMs
Upload and list SBOMs
`/api/sboms`: Upload an SBOM
Upload a CycloneDX or SPDX document. Requires scope `sbom:write`.
Vulnerabilities
Exports, remediation, diff, blast radius
`/api/sboms/{id}/remediation`: Prioritized upgrade plan
Returns ranked fix actions. `?format=markdown` returns a paste-ready PR/ticket body. Scope `sbom:read`.
`/api/sboms/{id}/fix-pr`: Open a manifest fix PR
Opens a GitHub pull request bumping a vulnerable DIRECT dependency to its fix version. Requires a stored GitHub token and scope `scan:write`. Applies to github.com repositories.
`/api/sboms/{id}/vulnerabilities/export`: Export findings (SARIF or CSV)
`/api/sboms/{id}/vuln-diff`: Diff findings vs a baseline
`/api/sboms/{id}/blast-radius`: Dependency blast radius
VEX
Vulnerability Exploitability eXchange
`/api/sboms/{id}/vex`: Export VEX (CycloneDX)
`/api/sboms/{id}/vex`: Import VEX statements
Bulk-apply VEX analysis states from a CycloneDX document. Scope `vex:write`.
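The import endpoint above takes analysis states from a CycloneDX document. The following is an added example, not SBOMVault's own client code: it builds a minimal CycloneDX 1.5 VEX document, rejects analysis states and justifications outside the CycloneDX enumeration before anything is uploaded, and assembles the authenticated request. The base URL, SBOM id, CVE id and package URL are constructed placeholders, and the block does not send the request.

```python
import json
from typing import Iterable, List, Optional, Tuple

# Analysis states and justifications defined by the CycloneDX vulnerability schema.
VEX_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
              "in_triage", "false_positive", "not_affected"}
VEX_JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                      "requires_dependency", "requires_environment", "protected_by_compiler",
                      "protected_at_runtime", "protected_at_perimeter",
                      "protected_by_mitigating_control"}

def make_statement(vuln_id: str, purls: Iterable[str], state: str,
                   justification: Optional[str] = None, detail: str = "") -> dict:
    """Build one CycloneDX vulnerability entry carrying an analysis decision."""
    if state not in VEX_STATES:
        raise ValueError(f"unknown VEX state {state!r}")
    if justification is not None and justification not in VEX_JUSTIFICATIONS:
        raise ValueError(f"unknown VEX justification {justification!r}")
    # A not_affected claim without a justification cannot be audited; refuse to emit it.
    if state == "not_affected" and justification is None:
        raise ValueError("not_affected requires a justification")
    analysis = {"state": state}
    if justification:
        analysis["justification"] = justification
    if detail:
        analysis["detail"] = detail
    return {"id": vuln_id, "analysis": analysis,
            "affects": [{"ref": purl} for purl in purls]}

def build_vex_document(statements: List[dict]) -> dict:
    """Wrap statements in a CycloneDX 1.5 document for the /api/sboms/{id}/vex import."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "vulnerabilities": statements}

def build_import_request(base_url: str, sbom_id: str, api_key: str, doc: dict) -> Tuple[str, dict, bytes]:
    """Return (url, headers, body) for the import call; the key needs scope vex:write."""
    url = f"{base_url}/api/sboms/{sbom_id}/vex"
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
    return url, headers, json.dumps(doc).encode()

# Constructed sample (placeholder CVE and package): mark one finding as unreachable.
SAMPLE = build_vex_document([
    make_statement("CVE-0000-00000", ["pkg:npm/example-lib@1.2.3"],
                   "not_affected", "code_not_reachable",
                   "Vulnerable function is never called from our code paths."),
])
```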
Quality
SBOM document quality scoring
`/api/sboms/{id}/quality`: SBOM quality score
Document completeness grade (0–100, A–F) with per-category breakdown. Scope `sbom:read`.
Full machine-readable schema (request/response shapes, status codes) is in the OpenAPI document — import it into Postman, Insomnia, or your codegen toolchain.