Dashboard View
The SBOM tab in the dashboard turns the raw CycloneDX document into an interactive, searchable inventory of every component in your repository — enriched with trust scores, vulnerability data, and licence information.
Summary cards
At the top of the tab, metric cards provide a quick overview of the SBOM:
SBOM quality
The quality score and letter grade, colour-coded from A (green) to F (red).
Total components
The number of packages detected across all ecosystems.
Direct dependencies
How many components are direct dependencies versus transitive ones pulled in further down the tree.
Ecosystems and licences
The number of distinct package types (npm, pypi, maven, etc.) and unique SPDX licence identifiers found.
Component table
The main table displays one row per component with the following columns:
Component name
Package name with its PURL identifier. Direct dependencies are marked with a badge and show a colour-coded vulnerability count that links directly to the Vulnerabilities tab.
Type and version
The package ecosystem (npm, pypi, maven, etc.) and the installed version, both sortable and filterable.
Trust score
A 0-10 score with letter grade from the dependency trust service. Hovering reveals the full check breakdown — passed, warning, and failed checks with individual scores.
Licences
SPDX licence identifiers for each component. Packages with multiple licences show a summary with the full list on hover.
Each row also includes an actions menu for copying the component name or PURL, and for opening the package on its registry (npm, PyPI, Maven Central).
Filtering and search
The table supports real-time text search by component name alongside multi-select filters for package type, licence, and trust score grade. A dedicated toggle lets you narrow the view to direct dependencies only — useful for focusing on the packages your code imports directly.
Column visibility is configurable, and the raw CycloneDX JSON can be downloaded directly from the tab for offline analysis or compliance submissions.
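For the offline analysis mentioned above, the following added example (not the dashboard's own code) recomputes the summary-card counts from a downloaded CycloneDX JSON file. It assumes that a direct dependency is any component listed in the root component's dependsOn entry. The sample BOM and its package names are constructed for illustration.

```python
import json

# Constructed sample BOM (hypothetical packages), shaped like CycloneDX 1.5 JSON.
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "name": "app"}},
  "components": [
    {"bom-ref": "web", "name": "example-web", "purl": "pkg:npm/example-web@1.2.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "parser", "name": "example-parser", "purl": "pkg:npm/example-parser@0.9.1",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "client", "name": "example-client", "purl": "pkg:pypi/example-client@2.0.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"bom-ref": "core", "name": "example-core",
     "purl": "pkg:maven/org.example/example-core@3.1.4"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["web", "client"]},
    {"ref": "web", "dependsOn": ["parser"]},
    {"ref": "client", "dependsOn": ["core"]}
  ]
}""")

def purl_type(purl):
    """Return the ecosystem from a PURL: pkg:<type>/<namespace>/<name>@<version>."""
    if not purl or not purl.startswith("pkg:"):
        return None
    return purl[4:].split("/", 1)[0].lower()

def summarize(bom):
    components = bom.get("components", [])
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    direct_refs = set(graph.get(root, []))  # assumption: direct = edges from the root component
    licences, no_spdx = set(), []
    for c in components:
        ids = [e["license"]["id"] for e in c.get("licenses", []) if "id" in e.get("license", {})]
        licences.update(ids)
        if not ids:  # missing, name-only, or expression-only licence data
            no_spdx.append(c["name"])
    direct = sum(1 for c in components if c.get("bom-ref") in direct_refs)
    return {
        "total": len(components),
        "direct": direct,
        "transitive": len(components) - direct,
        "ecosystems": sorted({t for c in components if (t := purl_type(c.get("purl")))}),
        "licences": sorted(licences),
        "no_spdx_id": no_spdx,
    }
```

Components returned under no_spdx_id carry no SPDX identifier in the BOM and are worth reviewing by hand before a compliance submission.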