Secu Platform Documentation

SBOM Generation

The SBOM scanner generates a complete Software Bill of Materials for every analysed repository. It inventories all direct and transitive dependencies across language ecosystems, assigns a quality score to the generated document, and stores the result as a downloadable artefact.

What it produces

The scanner outputs a CycloneDX JSON document that lists every software component detected in the repository. For each component, the SBOM records the package name, version, ecosystem, licence information, and a Package URL (PURL) for unique identification.

The generated SBOM is made available for download through the dashboard and the API. It serves as the input for downstream vulnerability analysis and dependency trust scoring.

Supported ecosystems

The scanner analyses manifest and lockfiles from all major package managers:

JavaScript / TypeScript: package.json, package-lock.json, yarn.lock, pnpm-lock.yaml

Python: requirements.txt, Pipfile, poetry.lock, setup.py, pyproject.toml

Java: pom.xml, build.gradle, JAR files

Go: go.mod, go.sum, vendored dependencies

Rust: Cargo.toml, Cargo.lock

Ruby: Gemfile, Gemfile.lock

PHP: composer.json, composer.lock

C# / .NET: .csproj, packages.config, paket.lock

Containers: Dockerfiles and container layers, including system packages (APT, YUM, APK)

How it works

The scanner downloads the repository archive, extracts it, and runs a universal component detection pass. It identifies all manifest and lockfiles present, resolves dependency trees, and compiles the result into a single CycloneDX JSON document.

The generated SBOM is uploaded to the same storage bucket as the source archive, then scored for quality. Once both steps complete, the scanner dispatches downstream jobs for vulnerability analysis and dependency trust scoring.
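As an added example (not the platform's own code): a small Python checker that reads a CycloneDX JSON document of the shape described above, verifies that each component's PURL agrees with its declared name and version, and derives a simple completeness score from PURL and licence coverage. The scoring rule and the embedded sample document are assumptions of this example, not the scanner's actual quality metric.

```python
import json
from urllib.parse import quote

# Constructed minimal CycloneDX 1.5 document; not output from the scanner.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # No PURL and no licence: cannot be matched to advisories reliably.
        {"type": "library", "name": "leftpad", "version": "0.0.1"},
        # PURL disagrees with the declared version: a silent mismatch.
        {"type": "library", "name": "chalk", "version": "5.3.0",
         "purl": "pkg:npm/chalk@4.1.2"},
    ],
})


def purl_matches(component):
    """True if the PURL's name@version agrees with the component fields."""
    purl = component.get("purl")
    if not purl or not purl.startswith("pkg:"):
        return False
    # Strip qualifiers (?...) and subpath (#...), keep the last path segment.
    name_version = purl.split("#")[0].split("?")[0].split("/")[-1]
    # PURL namespaces (e.g. npm scopes) are separate path segments, so compare
    # only the final name segment; PURL components are percent-encoded.
    name = quote(component["name"].split("/")[-1], safe="")
    version = quote(component["version"], safe="")
    return name_version == f"{name}@{version}"


def score_sbom(sbom_json):
    """Return (score 0..100, findings) for a CycloneDX JSON string."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = doc.get("components", [])
    findings, points = [], 0
    for c in components:
        has_purl = purl_matches(c)
        has_lic = bool(c.get("licenses"))
        label = f"{c['name']}@{c['version']}"
        if not has_purl:
            findings.append(f"{label}: missing or mismatched purl")
        if not has_lic:
            findings.append(f"{label}: no licence information")
        points += has_purl + has_lic
    score = round(100 * points / (2 * len(components))) if components else 0
    return score, findings
```

Running `score_sbom(SAMPLE_SBOM)` on the sample yields a score of 50 with four findings, two each for the components lacking a valid PURL or licence.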

Source code is deleted from the worker immediately after processing. The SBOM itself is retained as a permanent artefact for future reference and compliance purposes.