Quickstart process

Ready to leverage the power of Helm to streamline your vulnerability management? Let's get you up and running!

Step 1: Sign in

When your account is created, multi-factor authentication (MFA, often called two-factor authentication or 2FA) is enrolled automatically. This means that in addition to your password you’ll need to provide a one-time code from an authenticator app. If you don’t already have an authenticator app installed on your smartphone, install one first (e.g., Google Authenticator).

  1. You’ll receive a welcome email, inviting you to sign in to your Helm account.

  2. After signing in, you’ll be prompted to enable MFA. At that time, you’ll be provided with recovery codes for use if your phone is lost or stolen. Store these recovery codes somewhere safe (for example, a password manager or an offline copy), not in email or a shared document: anyone who holds them can bypass your MFA.

  3. When you first sign in, and until you’ve uploaded your first SBOM, you’ll see a Get started page. Choose the path that best suits you. You can always return to this page from the Help > Get started item in the sidebar.

Need to use SSO? Helm supports Single Sign-On (SSO) if you have an identity provider set up on your end. Contact us to enable this on our end.

Step 2: Integrate into your CI/CD process (Optional)
  • API: Use our Helm API to automate many tasks, such as creating product versions, uploading SBOMs, returning all vulnerabilities and generating reports, as well as returning only unmatched components or only CISA KEV vulnerabilities.

  • GitHub: Integrate our GitHub action into your CI/CD process, or use it independently, to automate product version creation and SBOM uploads.

  • Microsoft Azure DevOps extension: Use our Azure DevOps extension to seamlessly integrate Helm into your CI/CD workflows, automating the creation of product versions and uploading of SBOMs directly from your Azure pipelines.

Coming soon

  • AWS integration: Configure Amazon Web Services to automate SBOM uploads from S3 buckets and incorporate vulnerability data into your existing AWS workflows.

  • Jira integration: Connect Helm with Jira to auto create, track, and update tickets for critical vulnerabilities, streamlining your remediation workflow.

Step 3: Upload or generate your first SBOM

Got an SBOM ready?

  1. Upload your CycloneDX or SPDX SBOM file to Helm. Your component list should automatically refresh as your SBOM is being processed. Helm also supports Yocto Linux SBOMs.

  2. If you don't see any components showing, check the SBOM file upload status.

Don’t have an SBOM yet?

Step 4: Ensure all of your components are matched to known software in the NVD

Once you’ve uploaded your SBOM, Helm will try to match your components to the NVD (National Vulnerability Database). Only components that are matched to the NVD will show vulnerabilities. You can also use our API to return unmatched components.

Review match statuses

To view vulnerabilities for components that are Matched to NVD, click Vulnerabilities in the sidebar. This will display all vulnerabilities for these components.

To resolve other match statuses, click each status badge to start the resolution process.

  1. Components that have a Matched status with a package manager badge but no NVD badge may simply have no published vulnerabilities. However, the same software is often named differently in the NVD, so check the NVD yourself to confirm whether a matching product entry exists.

  2. Handle unmatched components: Try to resolve any Not found statuses, as this indicates Helm was unable to find a match in the NVD.

  3. When you determine the appropriate matches, create an alias for each component so that these will be auto-matched for all future SBOMs.
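Before uploading, it helps to know which components in your SBOM carry an identifier a matcher can use at all, since components with no purl or CPE are the ones most likely to land in the Not found status described above. The script below is an added example, not Helm's own code or API: it reads a CycloneDX JSON SBOM, buckets components by whether they have a well-formed purl or CPE 2.3 string, and applies a local alias map of the kind Step 4 describes (component name to NVD vendor/product) to fill in missing CPEs without overwriting existing ones, which is the behaviour Step 5 describes for enriched SBOMs. The sample SBOM, the alias map and all component names in it are constructed for illustration.

```python
"""Pre-upload identifier check for a CycloneDX SBOM (added example, not Helm's code)."""
import copy
import json
import re
from typing import Dict, List, Tuple

# Loose shape check for a package URL: "pkg:type/name[@version][?qualifiers][#subpath]".
PURL_RE = re.compile(r"^pkg:[A-Za-z0-9.+-]+/[^@?#]+(@[^?#]+)?(\?[^#]*)?(#.*)?$")


def cpe23_is_well_formed(cpe: str) -> bool:
    """A CPE 2.3 formatted string has 13 colon-separated fields:
    cpe:2.3:part:vendor:product:version:update:edition:lang:sw_ed:target_sw:target_hw:other.
    Escaped colons inside values are not handled by this simple split."""
    fields = cpe.split(":")
    return (len(fields) == 13 and fields[0] == "cpe" and fields[1] == "2.3"
            and fields[2] in ("a", "h", "o", "*", "-"))


def classify_components(sbom: dict, aliases: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket components by what a matcher can work with:
    ready      - a well-formed purl or CPE is present
    malformed  - an identifier is present but not well-formed (will not match)
    aliased    - no usable identifier, but the local alias map knows the NVD name
    unmatched  - nothing to match on; expect a Not found status after upload"""
    buckets: Dict[str, List[str]] = {"ready": [], "malformed": [], "aliased": [], "unmatched": []}
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        purl, cpe = comp.get("purl"), comp.get("cpe")
        purl_ok = bool(purl) and PURL_RE.match(purl) is not None
        cpe_ok = bool(cpe) and cpe23_is_well_formed(cpe)
        if purl_ok or cpe_ok:
            buckets["ready"].append(name)
        elif purl or cpe:
            buckets["malformed"].append(name)
        elif name in aliases:
            buckets["aliased"].append(name)
        else:
            buckets["unmatched"].append(name)
    return buckets


def apply_aliases(sbom: dict, aliases: Dict[str, Tuple[str, str]]) -> dict:
    """Return a copy of the SBOM in which components that lack a cpe but appear in the
    alias map get a CPE 2.3 string built from the alias (vendor, product) and the
    component's version. Existing identifiers are never overwritten."""
    enriched = copy.deepcopy(sbom)
    for comp in enriched.get("components", []):
        if comp.get("cpe") or comp.get("name") not in aliases:
            continue
        vendor, product = aliases[comp["name"]]
        version = comp.get("version", "*")
        comp["cpe"] = f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"
    return enriched


# Constructed sample SBOM: one fully identified component, one purl-only, one with a
# truncated CPE, one that is only known under a different name, and one in-house part.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k",
         "cpe": "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*"},
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11"},
        {"type": "library", "name": "busybox", "version": "1.36.1",
         "cpe": "cpe:2.3:a:busybox:busybox:1.36.1"},   # only 6 fields: malformed
        {"type": "library", "name": "jquery-min", "version": "3.6.0"},
        {"type": "library", "name": "acme-vendor-rtos", "version": "4.2"},
    ],
}

# Constructed alias map: component name as it appears in our SBOMs -> (NVD vendor, product).
ALIASES: Dict[str, Tuple[str, str]] = {"jquery-min": ("jquery", "jquery")}

if __name__ == "__main__":
    print("before:", json.dumps(classify_components(SAMPLE_SBOM, ALIASES), indent=2))
    enriched = apply_aliases(SAMPLE_SBOM, ALIASES)
    print("after aliases:", json.dumps(classify_components(enriched, ALIASES), indent=2))
    print(json.dumps(enriched, indent=2))   # the enriched SBOM you would upload
```

Anything in the malformed or unmatched buckets is worth fixing in the SBOM generator rather than by hand every time, since a purl or CPE that is present but truncated silently matches nothing.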

Step 5: Take advantage of automatic and manual data enrichment

Automatic enrichment

  • If we identify inaccurate CPEs or PURLs in your SBOM, Helm will automatically attempt to provide an enriched CPE or PURL that matches to the correct software. You can export this enriched SBOM or your original SBOM.

  • Helm will automatically update vulnerabilities with severity, exploitability, and source information.

  • Helm will automatically update components with source information.

  • For Windows vulnerabilities, Helm provides Windows KB patch recommendations.

Manual enrichment

  • Reload any component to automatically add missing licenses for any components that do not already have associated licenses. Helm does not overwrite existing licenses.

Step 6: Prioritize your most exploitable vulnerabilities

Set up notifications and tracking

  1. Enable email notifications for new vulnerabilities. You can receive daily, weekly, and/or monthly updates.

  2. Enable the Date updated column to keep track of updated vulnerabilities. You can filter on a date range to view these updates.

Prioritize and rescore vulnerabilities

  1. Bulk rescore all vulnerabilities across your selected product version. If desired, you can also rescore individual vulnerabilities.

Step 7: Leverage AI guidance to quickly resolve vulnerabilities

Get comprehensive recommendations

Select one or more vulnerabilities in your list, then click the Get AI guidance action to receive comprehensive mitigation strategies, upgrade recommendations, and actionable remediation steps with supporting sources.

Check affected tech stacks

Our AI automatically detects the affected technology stacks for each vulnerability (e.g., Windows, Red Hat, SQL, Git, gRPC, WordPress, and others), providing detailed recommendations for each stack, along with supporting sources.

  1. Click the Columns link above the table to enable the tech stacks column to take advantage of these insights.

  2. Click each of these tags to open the vulnerability details modal.

  3. Scroll down to the AI recommendations section to access detailed information about affected tech stacks, upgrade recommendations, and short-term mitigations, all backed by source documentation.

Step 8: Remediate vulnerabilities individually or in bulk

You can record remediation decisions using CycloneDX and/or CycloneDX VEX statuses.

  • Bulk remediate vulnerabilities within a product, across products, or for a particular component, with a single action. This speeds triage and keeps the remediation status of a given vulnerability consistent across your product portfolio.
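The statuses Helm records map onto the analysis block of a CycloneDX VEX statement, and a bulk remediation is simply one statement whose affects list names several components. The script below is an added example, not Helm's code or export format: it builds a CycloneDX 1.5 VEX document from a list of decisions, validates that each analysis state, justification and response value is one the CycloneDX schema defines, and (as this script's own policy, stricter than the schema) refuses a not_affected claim that carries no justification. The product SBOM serial number, version, bom-refs and CVE identifiers are constructed placeholders.

```python
"""Build a CycloneDX VEX document for bulk remediation decisions (added example, not Helm's code)."""
import json
from typing import Dict, List, Optional

# Enumerations from the CycloneDX 1.4+ vulnerability schema.
VALID_STATES = {"resolved", "resolved_with_pedigree", "exploitable", "in_triage",
                "false_positive", "not_affected"}
VALID_JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                        "requires_dependency", "requires_environment", "protected_by_compiler",
                        "protected_at_runtime", "protected_at_perimeter",
                        "protected_by_mitigating_control"}
VALID_RESPONSES = {"can_not_fix", "will_not_fix", "update", "rollback", "workaround_available"}


def bom_link(serial_uuid: str, bom_version: int, bom_ref: str) -> str:
    """CycloneDX BOM-Link pointing at a component (by bom-ref) in the product SBOM."""
    return f"urn:cdx:{serial_uuid}/{bom_version}#{bom_ref}"


def make_analysis(state: str, detail: str, justification: Optional[str] = None,
                  response: Optional[List[str]] = None) -> Dict:
    """Validate and assemble the analysis block of one VEX statement."""
    if state not in VALID_STATES:
        raise ValueError(f"unknown analysis state: {state!r}")
    analysis: Dict = {"state": state, "detail": detail}
    if state == "not_affected":
        # Script policy: a not_affected claim must say why, so a reviewer or auditor
        # can see the reasoning. The schema itself leaves justification optional.
        if justification not in VALID_JUSTIFICATIONS:
            raise ValueError("not_affected requires a valid justification")
        analysis["justification"] = justification
    elif justification is not None:
        raise ValueError("justification is only meaningful for not_affected")
    if response:
        unknown = set(response) - VALID_RESPONSES
        if unknown:
            raise ValueError(f"unknown response value(s): {sorted(unknown)}")
        analysis["response"] = list(response)
    return analysis


def build_vex(serial_uuid: str, bom_version: int, decisions: List[Dict]) -> Dict:
    """decisions: list of {"id": CVE, "affects": [bom-ref, ...], "analysis": {...}}.
    A decision naming several bom-refs is the bulk case: one statement covers them all."""
    vulnerabilities = []
    for d in decisions:
        if not d["affects"]:
            raise ValueError(f"{d['id']}: a VEX statement must affect at least one component")
        vulnerabilities.append({
            "id": d["id"],
            "source": {"name": "NVD", "url": f"https://nvd.nist.gov/vuln/detail/{d['id']}"},
            "analysis": d["analysis"],
            "affects": [{"ref": bom_link(serial_uuid, bom_version, ref)} for ref in d["affects"]],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "vulnerabilities": vulnerabilities}


# Constructed placeholders: the product SBOM's serial UUID and version, component
# bom-refs, and CVE ids in a deliberately unreal year.
PRODUCT_SBOM_SERIAL = "3e671687-395b-41f5-a30f-a58921a69b79"
PRODUCT_SBOM_VERSION = 1
DECISIONS = [
    {"id": "CVE-2099-0001",
     "affects": ["zlib", "zlib-static"],          # same decision applied to two components
     "analysis": make_analysis("not_affected",
                               "Inflate path is not compiled into this firmware image.",
                               justification="code_not_reachable",
                               response=["will_not_fix"])},
    {"id": "CVE-2099-0002",
     "affects": ["openssl"],
     "analysis": make_analysis("resolved", "Fixed by the OpenSSL upgrade in build 42.",
                               response=["update"])},
]

if __name__ == "__main__":
    print(json.dumps(build_vex(PRODUCT_SBOM_SERIAL, PRODUCT_SBOM_VERSION, DECISIONS), indent=2))
```

Keeping the detail and justification fields populated matters more than it looks: a VEX file is the artifact a customer or regulator will read to understand why a vulnerability listed in your SBOM is not a risk in your product.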

Step 9: Patch Windows vulnerabilities with WinKB recommendations
  1. If you already know which Windows KBs to add to your digital product, you can bulk patch by adding these KBs to the product version.

  2. To patch individual vulnerabilities, filter KB patch to Patch available. You can view these across all products or select a product version.

Step 10: Monitor your progress on your dashboard

Quickly identify threats and track your progress on your Dashboard, accessible via the Home icon on the sidebar.

  • Quickly prioritize and remediate threats to your most impacted products and components

  • Zero in on critical vulnerabilities

  • Track progress on vulnerabilities you still need to remediate

Step 11: Export your FDA SBOM or other FDA-ready reports

You can export reports for a product version or select multiple product versions to get a consolidated report.

  1. Export your expert-crafted FDA SBOM to ensure a smooth FDA submission.

Check whether you are affected by a particular vulnerability (Optional)

Check whether a particular vulnerability impacts your products, and if so, which products you'll need to focus on. Just enter the vulnerability ID in the global search bar at the top of any page.

Check whether your products contain a particular component (Optional)

Check whether your products contain a particular component, and if so, which ones. Just enter the component name in the global search bar at the top of any page.
