SBOM
Bring your software bill of materials onto the thread — import CycloneDX or SPDX, track components and vulnerabilities, and propagate suspect on new CVEs.
Import CycloneDX or SPDX and every component becomes a first-class item — linked to the risks it threatens and the tests that cover it, with CVE and CVSS tracking and suspect propagation when a new vulnerability lands. Your supply chain becomes part of the same connected record as everything else.
This section covers importing an SBOM, working with components and vulnerabilities, and governing your supply chain with license policies and suspect propagation.
What’s in this section
- Importing an SBOM — CycloneDX and SPDX
- Components — components as first-class items
- Vulnerabilities — CVE and CVSS tracking
- License policies & attestation — governing your supply chain
- Suspect propagation — reacting when a CVE lands
- Import & triage an SBOM — a step-by-step walkthrough from import to triaged vulnerabilities