Upload your first SBOM
Ready to upload your first SBOM, or not sure what an SBOM is? We've got you covered! We support both CycloneDX and SPDX SBOM formats.
Have a CycloneDX or SPDX SBOM?
Click Add SBOM > Upload SBOM.
If you are uploading a compressed SPDX SBOM file, follow the steps under Upload a compressed SPDX file below.
What SBOMs are supported?
Versions:
CycloneDX: 1.4, 1.5
SPDX: 2.2, 2.3
Formats:
CycloneDX: .json, .xml
Single SPDX files: .spdx, .json, .yaml, .xml
Compressed SPDX files: .gz, .tgz, .zip, .zst, .tzst
Maximum file size: 50 MB
Where did my Add SBOM button go?
If you've already uploaded an SBOM, this button changes to Manage SBOM, providing you with additional actions. You can also check your SBOM file upload status from here.
In the modal that displays, click the Choose file button to select your SBOM file, then click Upload SBOM.
Specify the product name and version, then click Upload SBOM.
Not ready to add your SBOM yet? No worries!
You can create each of your products and their respective versions, then add your SBOM at any time.
In the Select product drop-down, select the Create product option, specify the product name, then click Save. Your new product is now selected; next, add a version to upload an SBOM to.
In the Select version drop-down, select the Create version option, specify the version, then Save. Click the Add SBOM drop-down button, then select the Upload SBOM option.
Once you’ve uploaded your SBOM, all of the dependency components contained in that product are displayed on the page. Matching starts immediately, drawing data from the NVD and using Package URLs (PURLs) from the Cargo, NPM, NuGet, or PyPI package managers, CPE strings, dependency component names, and alias matches.
How does matching work?
We do a lot of work behind the scenes so you can spend your valuable time on the vulnerabilities that matter most! Check out Match sources for more information on the sources we consult, and Matching statuses and rules to understand how we determine match statuses and suggest possible matches.
You can edit any SBOM dependency component, add dependency components manually, and export your SBOM to share for compliance and regulatory purposes.
Upload a compressed SPDX file
Create a directory whose name is the name you want for the compressed file.
Navigate into that directory and create a subdirectory named packages inside it.
Copy the individual SBOM files into the packages subdirectory.
Zip (compress) the parent directory. Below are the commands for a few formats.
Upload this compressed file to Helm.
Create .tar.gz
Create .zip
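The following script is an added example, not part of the original page, that builds the directory layout described in the steps above and compresses it as a .tar.gz, then counts the SPDX documents found under packages/ in the archive so the layout can be checked before upload. The product name, file names and sample SPDX documents are constructed, and the zip branch assumes the zip tool is installed.

```shell
#!/bin/sh
# Added example (not from the original page): build <bundle>/packages/ from
# individual SPDX files, compress the parent directory, and verify the archive.
set -eu

# Usage: bundle_spdx <bundle-name> <tgz|zip> <spdx-file>...
# The bundle name becomes the archive name (<bundle-name>.tar.gz or .zip).
bundle_spdx() {
  bundle="$1"; fmt="$2"; shift 2
  rm -rf "$bundle"
  mkdir -p "$bundle/packages"
  cp "$@" "$bundle/packages/"                 # one SPDX document per file
  case "$fmt" in
    tgz) tar -czf "$bundle.tar.gz" "$bundle" ;;
    zip) zip -qr "$bundle.zip" "$bundle" ;;   # assumes the zip tool is available
    *)   echo "unsupported format: $fmt" >&2; return 1 ;;
  esac
}

# Pre-upload check: count archive entries that sit directly under
# <bundle>/packages/ and carry a supported single-file SPDX extension.
# Usage: count_packaged_spdx <archive.tar.gz> <bundle-name>
count_packaged_spdx() {
  tar -tzf "$1" | grep -c "^$2/packages/[^/]*\.\(spdx\|json\|yaml\|xml\)$" || true
}

# Constructed sample input: two minimal SPDX 2.3 tag-value documents.
WORK=$(mktemp -d)
cd "$WORK"
for name in app-core app-ui; do
  printf 'SPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\nDocumentName: %s\n' \
    "$name" > "$name.spdx"
done

# Constructed product name; produces acme-firmware-1.2.tar.gz in $WORK.
bundle_spdx acme-firmware-1.2 tgz app-core.spdx app-ui.spdx
echo "packaged SPDX files: $(count_packaged_spdx acme-firmware-1.2.tar.gz acme-firmware-1.2)"
```

The printed count should equal the number of SBOM files you copied in; a count of 0 means the files did not land under the packages subdirectory of the top-level directory.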
Unable to find exact matches in the NVD?
If you have dependency components where our system is unable to find an exact match in the NVD, consult the appropriate section:
Not seeing your SBOM dependency components?
Have a different SBOM format or need help getting started?