See the dependencies hiding in your binaries
A compiled Go binary, a fat JAR, a container layer — each can bundle dozens of dependencies that never appear in a manifest. SBOMVault runs Syft in an isolated sandbox to extract them, turning an opaque artifact into a full SBOM you can scan for vulnerabilities.
From opaque artifact to scannable SBOM
Manifest scanning sees what you declared; binary analysis sees what actually shipped. SBOMVault does the extraction in its own sandbox, so you don't need a build environment or a Docker daemon.
1. Point at an artifact: Give SBOMVault a container image reference or a public HTTPS artifact URL — no Docker daemon, no upload.
2. Analyze in a sandbox: Syft runs inside an isolated Firecracker microVM, pulling the image (or downloading the artifact) and running its binary and language catalogers.
3. Extract embedded deps: Those catalogers find dependencies compiled into the artifact — JARs, Python wheels, Go modules, Rust crates, npm packages — that an OS-package or source scan never sees.
4. SBOM + vulnerabilities: The result is persisted as a normal SBOM in your estate and run through the same OSV + NVD/GHSA vulnerability matcher as everything else.
What it is — and what it isn't
Input is a container image reference (pulled straight from the registry — no local daemon) or a public HTTPS artifact URL (SSRF-guarded). Analysis runs asynchronously in a sandbox, so you submit the artifact and the SBOM lands in your estate when it's done — from the dashboard runner or the API.
Extraction is Syft's binary and language catalogers — best-effort by nature; some exotic binary formats extract only partially. Vulnerability scanning is not done in the sandbox: the generated SBOM flows through SBOMVault's normal OSV + NVD/GHSA matcher and VaultScore, exactly like an uploaded or source-scanned SBOM.
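The hand-off described above, from the sandbox's Syft output to an OSV lookup, as an added example that is not SBOMVault's own code: it takes a constructed CycloneDX SBOM of the kind Syft can emit, builds the request bodies for OSV's `/v1/querybatch` endpoint from the components' purls, and joins a (constructed) batch response back onto those purls. The batch-size cap and the sample vulnerability IDs are assumptions, not values from the page.

```python
"""Turn a Syft-style CycloneDX SBOM into OSV querybatch requests and map the
batch response back onto the SBOM's components (added example, not product code)."""

# Constructed sample: a trimmed CycloneDX SBOM as Syft might emit for a fat JAR
# plus a Go binary. The component with no purl stands in for an unidentified file.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "golang.org/x/crypto", "version": "v0.1.0",
         "purl": "pkg:golang/golang.org/x/crypto@v0.1.0"},
        {"type": "file", "name": "/usr/bin/app"},  # no purl: OSV cannot match it
    ],
}

# Constructed response in the shape OSV returns: one result per query, in order.
# The vulnerability IDs are placeholders, not real advisories.
SAMPLE_RESPONSE = {"results": [{"vulns": [{"id": "EXAMPLE-0001"}]}, {"vulns": []}]}

def extract_purls(sbom):
    """Unique purls in component order; components without a purl are skipped."""
    seen, purls = set(), []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if purl and purl not in seen:
            seen.add(purl)
            purls.append(purl)
    return purls

def build_querybatch(purls, batch_size=1000):
    """Request bodies for POST https://api.osv.dev/v1/querybatch, i.e.
    {"queries": [{"package": {"purl": ...}}, ...]}, split into batches.
    OSV caps queries per request; 1000 here is an assumption, check the API docs."""
    return [{"queries": [{"package": {"purl": p}} for p in purls[i:i + batch_size]]}
            for i in range(0, len(purls), batch_size)]

def match_response(purls, response):
    """Join a querybatch response to its queries: OSV returns results in query
    order, so results[i] belongs to purls[i]. A length mismatch is an error."""
    results = response.get("results", [])
    if len(results) != len(purls):
        raise ValueError("result count does not match query count")
    return {p: [v["id"] for v in r.get("vulns", [])] for p, r in zip(purls, results)}

def run_demo():
    """Offline end-to-end: SBOM -> purls -> batches -> matched vuln IDs per purl."""
    purls = extract_purls(SAMPLE_SBOM)
    build_querybatch(purls)  # would be POSTed to OSV in a real matcher
    return match_response(purls, SAMPLE_RESPONSE)
```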
Binary analysis is available on the Growth and Enterprise plans, since it runs on the sandbox worker substrate.
Scan what actually shipped
Point SBOMVault at an image or artifact and get back a full SBOM of the dependencies compiled inside it — ready for vulnerability matching, sharing, and compliance.
Frequently asked questions
- What is binary analysis?
- Extracting the dependencies embedded inside a compiled artifact — a container image, a fat JAR, a Go or Rust binary, a Python wheel — that never appear in a source manifest or lockfile. SBOMVault runs Syft in an isolated sandbox to catalog them and produces a normal SBOM you can scan.
- What can I point it at?
- A container image reference (pulled directly from the registry — no Docker daemon required) or a public HTTPS artifact URL (SSRF-guarded). Analysis is asynchronous: you submit it from the dashboard runner or the API and the resulting SBOM appears in your estate when the job completes.
- Does it scan for vulnerabilities too?
- Yes, but not inside the sandbox. The sandbox only extracts the SBOM with Syft; the generated SBOM then flows through SBOMVault’s normal OSV + NVD/GHSA matcher and VaultScore prioritization, the same as any other SBOM.
- Which plans include it?
- Binary analysis is available on the Growth and Enterprise plans, since it runs on the sandbox worker substrate. The output SBOM, vulnerability matching, and sharing all work like any other SBOM in your account.