SBOM import

Bring your software bill of materials into the platform from CycloneDX or SPDX.

Your supply chain comes in through the same Import Center as everything else. Importing a software bill of materials turns the components your software depends on into governed records on the thread.

CycloneDX and SPDX

SBOMs are imported from the two standard formats, CycloneDX and SPDX, so whatever your build tooling produces can be brought in directly. The importer reads the document and creates a component record for each entry, keyed by its package URL (purl) so that it is matched precisely.

Part of the import flow

SBOM import follows the same pattern as the rest of the Import Center: select the file, let it parse, preview what will be created, and commit. Once imported, the components are live records you can work with — not a file attached to the project.

Where it goes from here

What you do with components after import, such as tracking vulnerabilities, governing licenses, and reacting to new CVEs through suspect propagation, is covered in depth in the SBOM section. Re-importing an updated SBOM keeps the inventory in step with your builds. This article covers importing; the SBOM section covers managing the components once they are in.
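To make the two ideas above concrete (a component record per entry keyed by purl, and a re-import that keeps the inventory in step), here is an added example that is not the platform's importer and not taken from this page. It parses minimal CycloneDX and SPDX JSON documents (the field names used, such as CycloneDX `components[].purl` and SPDX `externalRefs[].referenceType == "purl"`, are the standard ones; the sample documents themselves are constructed), builds a purl-keyed inventory, and previews what a second import would add, drop or change. How the real Import Center matches, previews and commits is assumed, not documented here.

```python
"""Added example: purl-keyed SBOM parsing for CycloneDX and SPDX JSON, plus a
re-import preview. Illustrative code only; not the platform's own importer."""
import json

# Constructed sample CycloneDX JSON document (hypothetical build output).
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7",
         "licenses": [{"license": {"id": "MIT"}}]},
        # No purl: this entry cannot be keyed precisely, so it is skipped below.
        {"type": "library", "name": "vendored-helper", "version": "0.1"},
    ],
})

# Constructed sample SPDX 2.3 JSON document for the same project, one build later.
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"SPDXID": "SPDXRef-Package-requests", "name": "requests",
         "versionInfo": "2.32.0", "licenseConcluded": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.32.0"}]},
        {"SPDXID": "SPDXRef-Package-urllib3", "name": "urllib3",
         "versionInfo": "2.0.7", "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/urllib3@2.0.7"}]},
        {"SPDXID": "SPDXRef-Package-idna", "name": "idna",
         "versionInfo": "3.6", "licenseConcluded": "BSD-3-Clause",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/idna@3.6"}]},
    ],
})


def detect_format(doc):
    """Identify the SBOM format from its top-level fields."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if "spdxVersion" in doc:
        return "spdx"
    raise ValueError("unrecognised SBOM format")


def cyclonedx_entries(doc):
    """Yield (purl, record) for each CycloneDX component that carries a purl."""
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        licenses = []
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            name = lic.get("id") or lic.get("name")
            if name:
                licenses.append(name)
        yield purl, {"name": comp.get("name"), "version": comp.get("version"),
                     "licenses": licenses}


def spdx_entries(doc):
    """Yield (purl, record) for each SPDX package with a purl external reference."""
    for pkg in doc.get("packages", []):
        purl = next((ref.get("referenceLocator") for ref in pkg.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"), None)
        if not purl:
            continue
        lic = pkg.get("licenseConcluded")
        licenses = [lic] if lic and lic != "NOASSERTION" else []
        yield purl, {"name": pkg.get("name"), "version": pkg.get("versionInfo"),
                     "licenses": licenses}


def import_sbom(text):
    """Parse an SBOM document into {purl: record}; on duplicate purls the first entry wins."""
    doc = json.loads(text)
    entries = cyclonedx_entries(doc) if detect_format(doc) == "cyclonedx" else spdx_entries(doc)
    inventory = {}
    for purl, record in entries:
        inventory.setdefault(purl, record)
    return inventory


def base_purl(purl):
    """Strip version ('@'), qualifiers ('?') and subpath ('#') to pkg:type/namespace/name."""
    return purl.split("?", 1)[0].split("#", 1)[0].split("@", 1)[0]


def preview_reimport(current, incoming):
    """Preview a re-import: new, dropped and version-changed components.
    Assumes one version per base purl in each inventory (hypothetical simplification)."""
    current_by_base = {base_purl(p): p for p in current}
    incoming_by_base = {base_purl(p): p for p in incoming}
    changed = {base: (current_by_base[base], incoming_by_base[base])
               for base in current_by_base.keys() & incoming_by_base.keys()
               if current_by_base[base] != incoming_by_base[base]}
    added = sorted(p for p in incoming.keys() - current.keys() if base_purl(p) not in changed)
    removed = sorted(p for p in current.keys() - incoming.keys() if base_purl(p) not in changed)
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    first = import_sbom(CYCLONEDX_SAMPLE)
    second = import_sbom(SPDX_SAMPLE)
    print(json.dumps(preview_reimport(first, second), indent=2))
```

Keying on the full purl is what makes the match precise: two different versions of the same package are two different records, and a version bump shows up in the preview as a change rather than as an unrelated add and remove, which is the signal you want before committing a re-import.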
