SBOMVault
Step 1 — Import

Import any SBOM — from any source, in any format.

Generate one from your code in seconds, or bring in an SBOM you already have. Either way it lands in the same normalized inventory, ready to manage and share.

Two ways in

Generate it, or upload it.

1A

Generate from your code

Point SBOMVault at a Git repository, a lockfile, or a container image and it resolves the full dependency graph, direct and transitive, emitting a CycloneDX or SPDX SBOM with integrity hashes. No lockfile is required to start; without one, the graph reflects whatever resolves at scan time, so commit a lockfile when the SBOM has to match the exact build you ship.

1B

Upload what you already have

Already producing SBOMs in CI, or received one from a supplier? Drag in the file. We parse and normalize it into the same inventory, so generated and uploaded SBOMs are managed identically.
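What "generate from a lockfile with integrity hashes" looks like mechanically, as an added example in Python that is not SBOMVault's code: it reads a constructed package-lock.json (lockfile version 3), emits CycloneDX 1.5 JSON, converts each SRI integrity value to the hex digest CycloneDX hashes use, percent-encodes scoped package names in the purl, and records the root's direct dependencies separately from the transitive ones. Registry lookups are out of scope, so it covers only the lockfile path, not the no-lockfile resolution the product offers.

```python
"""Convert an npm package-lock.json (lockfileVersion 2 or 3) into a CycloneDX 1.5 JSON SBOM.

Added example, not SBOMVault's code. Every entry under "packages" becomes a component
with a package URL (purl) and its SRI integrity value re-encoded as the hex digest
CycloneDX expects; the root component's direct dependencies are recorded explicitly,
everything else in the lockfile is transitive.
"""
import base64
import json
import uuid
from datetime import datetime, timezone
from typing import Optional

# Constructed sample lockfile (not a real project): two direct dependencies, one of
# them scoped, a nested transitive dependency, and a dev-only dependency.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"left-pad": "^1.3.0", "@scope/util": "^2.0.0"},
             "devDependencies": {"tap": "^16.0.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "integrity": "sha512-" + base64.b64encode(bytes(range(64))).decode()},
        "node_modules/left-pad/node_modules/ansi-regex": {
            "version": "5.0.1",
            "integrity": "sha512-" + base64.b64encode(bytes(64)).decode()},
        "node_modules/@scope/util": {
            "version": "2.1.0",
            "integrity": "sha256-" + base64.b64encode(bytes(32)).decode()},
        "node_modules/tap": {
            "version": "16.3.0", "dev": True,
            "integrity": "sha1-" + base64.b64encode(bytes(20)).decode()},
    },
})

# SRI algorithm label -> CycloneDX hash algorithm name
SRI_TO_CDX = {"sha1": "SHA-1", "sha256": "SHA-256", "sha384": "SHA-384", "sha512": "SHA-512"}


def npm_purl(name: str, version: str) -> str:
    """Build a purl; the '@' of a scope is percent-encoded as the purl spec requires."""
    if name.startswith("@"):
        scope, _, pkg = name[1:].partition("/")
        return f"pkg:npm/%40{scope}/{pkg}@{version}"
    return f"pkg:npm/{name}@{version}"


def sri_to_hash(integrity: str) -> Optional[dict]:
    """Translate an SRI string 'alg-<base64>' into a CycloneDX {alg, content} hash."""
    alg, _, b64 = integrity.partition("-")
    if alg not in SRI_TO_CDX:
        return None  # unknown algorithm: better no hash than a mislabeled one
    return {"alg": SRI_TO_CDX[alg], "content": base64.b64decode(b64).hex()}


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (text after the last node_modules/)."""
    return path.rsplit("node_modules/", 1)[1]


def lockfile_to_cyclonedx(lock_text: str, include_dev: bool = False) -> dict:
    lock = json.loads(lock_text)
    packages = lock["packages"]
    root = packages[""]
    root_ref = f"pkg:npm/{root['name']}@{root['version']}"
    components = []
    for path, entry in packages.items():
        if path == "" or (entry.get("dev") and not include_dev):
            continue
        name = package_name(path)
        purl = npm_purl(name, entry["version"])
        comp = {"type": "library", "bom-ref": purl, "name": name,
                "version": entry["version"], "purl": purl}
        digest = sri_to_hash(entry["integrity"]) if "integrity" in entry else None
        if digest:
            comp["hashes"] = [digest]
        components.append(comp)
    # Direct dependencies are the root's declared ones, resolved at the hoisted path.
    direct = dict(root.get("dependencies", {}))
    if include_dev:
        direct.update(root.get("devDependencies", {}))
    direct_refs = sorted(npm_purl(n, packages[f"node_modules/{n}"]["version"]) for n in direct)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "bom-ref": root_ref,
                          "name": root["name"], "version": root["version"]},
        },
        "components": sorted(components, key=lambda c: c["purl"]),
        "dependencies": [{"ref": root_ref, "dependsOn": direct_refs}],
    }


if __name__ == "__main__":
    print(json.dumps(lockfile_to_cyclonedx(SAMPLE_LOCKFILE), indent=2))
```

Dev-only packages are skipped by default because they never ship; pass `include_dev=True` when the SBOM is meant to cover the build environment as well. The only graph edge emitted is root to direct dependencies; a full transitive edge list needs npm's nested-resolution rules applied to each package's own `dependencies` map, which this example leaves out.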

Every standard, read and written.

Import in any major format; export in CycloneDX or SPDX. No conversion gymnastics, no lock-in to a proprietary schema.

CycloneDX

JSON, XML, and Protobuf

SPDX

JSON, YAML, Tag-Value, RDF/XML — including SPDX 3.0

SWID

Software Identification tags
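The normalization step described above, as an added example rather than SBOMVault's own parser. It reads CycloneDX JSON and SPDX 2.x JSON (the SPDX 3.0, Protobuf, XML and Tag-Value serializations are not handled here), maps both to one record shape keyed by purl, flags components that carry no purl, and reports a conflict when a second SBOM gives a different digest for a package already in the inventory. The sample documents are constructed, with placeholder digests.

```python
"""Normalize CycloneDX JSON and SPDX 2.x JSON SBOMs into one component inventory.

Added example, not SBOMVault's code. Each component becomes the same record
(name, version, purl, hashes) keyed by purl, so a package listed in two SBOMs is one
inventory entry. Components without a purl are kept but flagged, since name and
version alone do not identify a package across ecosystems; a differing digest for a
known package is reported instead of silently overwriting the first one seen.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set

SPDX_ALG = {"SHA1": "SHA-1", "SHA256": "SHA-256", "SHA512": "SHA-512", "MD5": "MD5"}


@dataclass
class Component:
    name: str
    version: str
    purl: Optional[str]
    hashes: Dict[str, str] = field(default_factory=dict)  # alg -> lowercase hex digest
    sources: Set[str] = field(default_factory=set)        # SBOMs that listed it

    @property
    def key(self) -> str:
        return self.purl or f"noid:{self.name}@{self.version}"


def detect_format(doc: dict) -> str:
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-2"):
        return "spdx"
    raise ValueError("not a CycloneDX or SPDX 2.x JSON document")


def parse_cyclonedx(doc: dict) -> Iterator[Component]:
    for c in doc.get("components", []):
        yield Component(c["name"], c.get("version", ""), c.get("purl"),
                        {h["alg"]: h["content"].lower() for h in c.get("hashes", [])})


def parse_spdx(doc: dict) -> Iterator[Component]:
    for p in doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        yield Component(p["name"], p.get("versionInfo", ""), purl,
                        {SPDX_ALG.get(c["algorithm"], c["algorithm"]): c["checksumValue"].lower()
                         for c in p.get("checksums", [])})


def ingest(inventory: Dict[str, Component], sbom_text: str, source: str) -> List[str]:
    """Merge one SBOM into the inventory; return keys whose digests disagree."""
    doc = json.loads(sbom_text)
    parse = parse_cyclonedx if detect_format(doc) == "cyclonedx" else parse_spdx
    conflicts = set()
    for comp in parse(doc):
        existing = inventory.get(comp.key)
        if existing is None:
            comp.sources.add(source)
            inventory[comp.key] = comp
            continue
        for alg, digest in comp.hashes.items():
            if existing.hashes.setdefault(alg, digest) != digest:
                conflicts.add(comp.key)  # keep the first digest seen, report the clash
        existing.sources.add(source)
    return sorted(conflicts)


def unidentified(inventory: Dict[str, Component]) -> List[str]:
    """Keys of components with no purl, which need manual identification."""
    return sorted(k for k, c in inventory.items() if c.purl is None)


# Constructed sample documents (not real SBOMs); digests are placeholder hex.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "hashes": [{"alg": "SHA-256", "content": "AA" * 32}]},
        {"type": "library", "name": "internal-lib", "version": "0.1.0"}]})
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "supplier-sbom",
    "packages": [
        {"name": "left-pad", "SPDXID": "SPDXRef-left-pad", "versionInfo": "1.3.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/left-pad@1.3.0"}],
         "checksums": [{"algorithm": "SHA256", "checksumValue": "aa" * 32},
                       {"algorithm": "SHA512", "checksumValue": "bb" * 64}]},
        {"name": "requests", "SPDXID": "SPDXRef-requests", "versionInfo": "2.31.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]}]})
# Same left-pad purl, different SHA-256: what a mismatched or tampered supplier SBOM looks like.
TAMPERED_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [{"type": "library", "name": "left-pad", "version": "1.3.0",
                    "purl": "pkg:npm/left-pad@1.3.0",
                    "hashes": [{"alg": "SHA-256", "content": "cc" * 32}]}]})

if __name__ == "__main__":
    inv: Dict[str, Component] = {}
    for text, src in [(CYCLONEDX_SAMPLE, "cdx"), (SPDX_SAMPLE, "spdx"), (TAMPERED_SAMPLE, "cdx-2")]:
        print(src, "conflicts:", ingest(inv, text, src))
    print("unidentified:", unidentified(inv))
```

Digests are lowercased before comparison because CycloneDX and SPDX producers differ in case; a conflict on a real intake means either the supplier rebuilt the artifact without bumping the version or one of the two documents is describing a different file, and both deserve a look before the entry is trusted.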

Pull from wherever your software lives.

01

Git repositories

GitHub and GitLab, including self-hosted and GitHub Enterprise. Connect once and re-scan on every push.

02

Container images

Public and private registries — Amazon ECR, Google GCR/Artifact Registry, Azure ACR, Harbor, Quay, and Nexus — resolved down to OS packages.

03

Lockfiles & manifests

package-lock.json, yarn.lock, pnpm-lock.yaml, go.sum, Cargo.lock, requirements.txt, pom.xml, and more, across 16 ecosystems.

04

Compiled artifacts

Binary analysis extracts the dependencies embedded inside built artifacts and images, where no manifest exists.

05

Existing SBOM files

Upload SPDX, CycloneDX, or SWID directly — yours or a supplier’s — and we normalize it into your inventory.

06

REST API & CI

Push SBOMs programmatically with scoped, rate-limited keys, or generate them in-pipeline with the SBOMVault CI actions.

16 ecosystems + OS packages

One graph, across every package manager you ship.

npm, PyPI, Maven, Go, RubyGems, Cargo, Composer, NuGet, Pub (Dart), Hex, Conan, Swift PM, CocoaPods, Conda, Hackage, OS packages

Frequently asked questions

How do I generate my first SBOM?
Connect a Git repository and SBOMVault generates a CycloneDX or SPDX SBOM in seconds, or upload an existing one. No lockfile is required to start — we resolve the dependency graph across 16 ecosystems plus OS packages.
Which SBOM formats can I import?
SPDX (JSON, YAML, Tag-Value, RDF/XML, including SPDX 3.0), CycloneDX (JSON, XML, Protobuf), and SWID tags. Imported SBOMs are normalized into the same inventory as ones SBOMVault generates.
Can I import an SBOM a supplier sent me?
Yes. Upload the file directly and it is parsed and normalized into your inventory. For supplier SBOMs at scale, the managed vendor intake portal collects, consolidates, and ingests their SBOMs (and their OpenVEX/CSAF VEX statements) automatically.
Do you scan container images and private registries?
Yes. SBOMVault resolves container images down to OS packages, including from private registries — Amazon ECR, Google GCR/Artifact Registry, Azure ACR, Harbor, Quay, and Nexus.