Quickstart process

When you create your account, you’ll automatically be enrolled in multi-factor authentication (MFA), also known as two-factor authentication (2FA). This means that you’ll need to provide a code from an authentication app. If you don’t already have an authentication application installed on your smartphone, you’ll need to choose one (e.g., Google Authenticator).

1. You’ll receive a welcome email, inviting you to sign in to your Helm account.

2. After signing in, you’ll be prompted to enable your MFA for security. At that time, you’ll be provided with recovery codes in case your phone is lost or stolen. Make sure to copy and paste these recovery codes into a safe place.

3. When you first sign in and until you’ve uploaded your first SBOM, you’ll see a get started prompt. Choose the path that best suits you. If you accidentally closed that get started modal, don’t worry. You can always access it from Help item in the sidebar.

Need to use SSO? Helm supports Single Sign-On (SSO) if you have an identity provider set up on your end. Contact us to enable this on our end.

• Got an SBOM ready? Upload your CycloneDX or SPDX SBOM file to Helm.

Don’t have an SBOM yet? We've got you covered:

• Contact us to use our SBOM generation tool.

• Generate a CycloneDX SBOM or SPDX SBOM using our open-source tool suggestions.

• Manually create your SBOM.

• If you’re still unsure how to get started, contact us so we can assist you.

Your component list should automatically refresh as your SBOM is being processed. If you don't see any components showing, check the SBOM file upload status.

Once you’ve uploaded your SBOM, Helm will try to match your components to the NVD (National Vulnerability Database). Only components that are matched to the NVD will show vulnerabilities.

To view vulnerabilities for components that are Matched to NVD, click Vulnerabilities in the sidebar. This will display all vulnerabilities for these components.

To resolve other match statuses, click each status badge to start the resolution process.

1. Resolve Select match statuses

2. Resolve Fix version statuses

3. Resolve Contact us statuses

4. For components that have a Matched status with a package manager badge, but no NVD badge, this could indicate that there are no published vulnerabilities for those components. However, components can also be named differently in the NVD, so you should check the NVD to see if there actually is a match.

5. Try to resolve any Not found statuses, as this indicates Helm was unable to find a match in the NVD.

6. When you determine the appropriate matches, create an alias for each component so that these will be auto-matched for all future SBOMs.

There are many ways that Helm auto-enriches your data, including:

• If we identify inaccurate CPEs or PURLs in your SBOM, Helm will automatically attempt to provide an enriched CPE or PURL that matches to the correct software. You can export this enriched SBOM or your original SBOM.

• Helm will automatically update vulnerabilities with severity, exploitability, and source information.

• Helm will automatically update components with source information.

• For Windows vulnerabilities, Helm provides Windows KB patch recommendations.

You can also prompt Helm to auto-enrich information:

1. Create rules to auto-update support level and EOS/EOL across all products.

2. Reload any component to automatically add missing licenses for any components that do not already have associated licenses. Helm does not overwrite existing licenses.

1. Enable email notifications for new vulnerabilities. You can receive daily, weekly, and/or monthly updates.

2. Bulk rescore all vulnerabilities across your selected product version. If desired, you can also rescore individual vulnerabilities.

3. Filter on most impactful vulnerabilities.

4. Enable the Date updated column to keep track of updated vulnerabilities. You can filter on date range to view these updates.

1. If you already know which Windows KBs to add to your digital product, you can bulk patch by adding these KBs to the product version.

2. To patch individual vulnerabilities, filter KB patch to Patch available. You can view these across all products or select a product version.

3. Patch individual vulnerabilities.

You can remediate with CycloneDX and/or CycloneDX VEX statuses.

1. Bulk remediate vulnerabilities within a product, across products, or target a particular component's vulnerabilities with the click of a button, enabling you to speed triage and ensure remediation consistency of particular vulnerabilities across your product portfolio.

2. If desired, individually remediate vulnerabilities.

Quickly identify threats and track your progress on your Dashboard, accessible via the Home icon on the sidebar.

• Quickly prioritize and remediate threats to your most impacted products and components

• Zero in on critical vulnerabilities

• Track progress on vulnerabilities you still need to remediate

You can export reports for a product version or select multiple product versions to get a consolidated report.

1. Export your expert-crafted FDA SBOM to ensure a smooth FDA submission.

2. Export VEX and VDR reports.

3. Export enriched SBOM or original SBOM.

• API: Use our Helm API to automate many tasks, such as creating product versions, uploading SBOMs, returning all vulnerabilities and generating reports, as well as returning only unmatched components or only CISA KEV vulnerabilities.

• GitHub: Integrate our GitHub action your CI/CD process or use it independently to automate product version creation and SBOM uploads.

Check whether a particular vulnerability impacts your products, and if so, which products you'll need to focus on. Just enter the vulnerability ID in the global search bar at the top of any page.

Check whether your products contain a particular component, and if so, which ones. Just enter the component name in the global search bar at the top of any page.