Secu Platform Documentation

SBOM on-demand & Scoring

Already have an SBOM? Upload it directly to score its quality without running a full repository scan. The platform evaluates the document using the same quality scoring pipeline used during automated scans, producing a grade, a numeric score, and a category-level breakdown within seconds.

How it works

Navigate to SBOM → Scoring in the sidebar. The upload zone accepts CycloneDX and SPDX files in JSON format up to 50 MB. Drop or select a file, and the platform takes care of the rest:

  1. The file is validated — the platform checks the JSON structure and detects whether it is CycloneDX or SPDX.
  2. It is uploaded to secure object storage and a scoring job is dispatched automatically.
  3. The scoring engine evaluates identification, provenance, integrity, completeness, licensing, and structural conformance.
  4. Results appear in-place within seconds, showing the overall score (0–10), letter grade (A through F), component count, and SBOM format.

Uploads are stored in a dedicated table with full multi-tenant isolation, separate from repository scan reports.

Managing uploads

All previous uploads are listed below the upload zone in a sortable, filterable table. Each row shows the filename, status, score, grade, component count, file size, and upload date.

Sorting

Click any column header to sort ascending or descending — useful for finding the lowest-scoring uploads quickly.

Filtering

Filter by status (pending, scoring, completed, failed) or by grade (A through F) to narrow down the list.

Search

Type a filename into the search box to find a specific upload across all pages.

Pagination

Choose 10, 25, or 50 rows per page and navigate with the page buttons at the bottom of the table.

Completed uploads can be downloaded as the original SBOM JSON file. Any upload can be deleted permanently, which also removes the file from object storage.

API access

SBOM uploads are also available through the REST API, making it possible to integrate scoring into CI/CD pipelines or external tooling. Authenticate with an access key sent in the X-Access-Key header and submit the file as a multipart POST request. Keep the key in your CI system's secret store rather than in the pipeline definition itself:

  curl -X POST https://secu.toupance.fr/api/v1/sbom/upload \
    -H "X-Access-Key: sk_your_key_here" \
    -F "file=@path/to/sbom.cdx.json"

The response includes an upload_id. Poll that upload until its status reaches completed or failed (the same statuses shown in the uploads table):

  curl https://secu.toupance.fr/api/v1/sbom-uploads/{upload_id}
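The following is an added example of a CI gate built on the two calls above, written for this page and not a client shipped by the platform. It uses only the Python standard library, encodes the file the way curl -F does, polls until the upload leaves the pending/scoring states, and fails the job when the grade is below a threshold. The upload and poll URLs and the X-Access-Key header come from the page; sending the key on the poll request, and the status, score and grade field names in the poll response, are assumptions (they mirror the columns the uploads table shows). The ScriptedTransport is a constructed stand-in for the API so the flow can be exercised offline.

```python
"""Added example, not the platform's own client: upload an SBOM, poll for the
result, and gate a CI job on the grade.  Field names `status`, `score` and
`grade` in the poll reply are assumed; `upload_id` is from the docs."""
import json
import os
import time
import urllib.request
import uuid

BASE_URL = "https://secu.toupance.fr/api/v1"
TERMINAL = {"completed", "failed"}   # statuses the uploads table can show
GRADES = "ABCDEF"                    # A is best, F is worst


def build_multipart(field, filename, data, boundary=None):
    """Encode a single file as multipart/form-data (what `curl -F` sends)."""
    boundary = boundary or uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/json\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + data + tail


def http_json(method, url, headers, body=None):
    """Real transport: send the request and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def upload_sbom_bytes(data, filename, access_key, transport=http_json):
    """POST the SBOM and return the upload_id the API hands back."""
    ctype, body = build_multipart("file", filename, data)
    headers = {"X-Access-Key": access_key, "Content-Type": ctype}
    reply = transport("POST", f"{BASE_URL}/sbom/upload", headers, body)
    return reply["upload_id"]


def upload_sbom(path, access_key, transport=http_json):
    with open(path, "rb") as fh:
        return upload_sbom_bytes(fh.read(), os.path.basename(path), access_key, transport)


def wait_for_result(upload_id, access_key, transport=http_json,
                    interval=2.0, timeout=120.0):
    """Poll until status is completed or failed; raise if it never gets there."""
    deadline = time.monotonic() + timeout
    headers = {"X-Access-Key": access_key}  # assumed: poll needs the same key
    while True:
        reply = transport("GET", f"{BASE_URL}/sbom-uploads/{upload_id}", headers)
        if reply.get("status") in TERMINAL:
            return reply
        if time.monotonic() > deadline:
            raise TimeoutError(f"upload {upload_id} still {reply.get('status')!r}")
        time.sleep(interval)


def grade_ok(result, minimum="C"):
    """True only when scoring completed and the grade is `minimum` or better."""
    if result.get("status") != "completed":
        return False
    return GRADES.index(result["grade"]) <= GRADES.index(minimum)


class ScriptedTransport:
    """Constructed stand-in for the API (offline demo only): answers the POST
    with an id, then walks polls through pending -> scoring -> `final`."""

    def __init__(self, final):
        self.final = final
        self.calls = []
        self._poll = iter(["pending", "scoring"])

    def __call__(self, method, url, headers, body=None):
        self.calls.append((method, url))
        if method == "POST":
            assert headers.get("X-Access-Key") and b'name="file"' in body
            return {"upload_id": "u-demo-1", "status": "pending"}
        status = next(self._poll, None)
        return {"status": status} if status else self.final


if __name__ == "__main__":
    # Offline run against the scripted transport; swap in http_json for real use.
    fake = ScriptedTransport({"status": "completed", "score": 7.4, "grade": "B"})
    uid = upload_sbom_bytes(b'{"bomFormat": "CycloneDX"}', "demo.cdx.json", "sk_demo", fake)
    res = wait_for_result(uid, "sk_demo", transport=fake, interval=0)
    print(uid, res, "PASS" if grade_ok(res, "C") else "FAIL")
```

In a real pipeline, pass `http_json` (the default) and read the key from the CI secret store; exit non-zero when `grade_ok` returns False so a failed or low-grade SBOM blocks the job.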

Supported formats

The upload endpoint accepts two SBOM standards:

CycloneDX

JSON documents with a bomFormat field set to "CycloneDX". All specification versions are supported.

SPDX

JSON documents containing an spdxVersion field. SPDX 2.x documents are fully supported.
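As an added example (not the platform's own validator), the following mirrors step 1 of the pipeline described above and the two format markers listed in this section, so a CI step can reject a bad file before spending an upload: it enforces the 50 MB limit, parses the JSON, detects CycloneDX via bomFormat or SPDX via spdxVersion, and counts components. Counting CycloneDX components (including nested ones) and SPDX packages is a simplification of whatever the scoring engine does; the sample documents are constructed for the demo.

```python
"""Added example, not the platform's own code: local pre-upload checks that
mirror the upload zone's validation (size limit, JSON, format detection)."""
import json

MAX_BYTES = 50 * 1024 * 1024   # upload zone limit stated in the docs


def detect_format(doc):
    """Return ("CycloneDX", specVersion) or ("SPDX", spdxVersion), else None."""
    if not isinstance(doc, dict):
        return None
    if doc.get("bomFormat") == "CycloneDX":
        return "CycloneDX", doc.get("specVersion")
    if "spdxVersion" in doc:
        return "SPDX", doc["spdxVersion"]
    return None


def count_components(doc, fmt):
    """CycloneDX components nest (assemblies), so walk every level;
    SPDX counts top-level packages only (files are ignored here)."""
    if fmt == "CycloneDX":
        def walk(items):
            return sum(1 + walk(c.get("components", [])) for c in items)
        return walk(doc.get("components", []))
    return len(doc.get("packages", []))


def precheck(raw):
    """Validate raw SBOM bytes the way the upload zone would.
    Returns {"ok": True, "format", "version", "components"} or
    {"ok": False, "error": ...}."""
    if len(raw) > MAX_BYTES:
        return {"ok": False, "error": f"file is {len(raw)} bytes, limit is {MAX_BYTES}"}
    try:
        doc = json.loads(raw)          # accepts bytes; bad UTF-8 is a ValueError too
    except ValueError as exc:
        return {"ok": False, "error": f"not valid JSON: {exc}"}
    detected = detect_format(doc)
    if detected is None:
        return {"ok": False,
                "error": "neither CycloneDX (bomFormat) nor SPDX (spdxVersion) markers found"}
    fmt, version = detected
    return {"ok": True, "format": fmt, "version": version,
            "components": count_components(doc, fmt)}


# Constructed sample documents for the offline demo.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13"},
        {"type": "application", "name": "app",
         "components": [{"type": "library", "name": "zlib", "version": "1.3.1"}]},
    ],
}).encode()

SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "demo",
    "packages": [{"SPDXID": "SPDXRef-Package-1", "name": "openssl",
                  "versionInfo": "3.0.13"}],
}).encode()


if __name__ == "__main__":
    for label, raw in [("cyclonedx", CYCLONEDX_SAMPLE), ("spdx", SPDX_SAMPLE),
                       ("plain json", b'{"name": "x"}'), ("garbage", b"not json")]:
        print(label, precheck(raw))
```

Run this against the file your build produces before calling the upload endpoint; a `False` result means the platform would reject the file at step 1, so there is no point sending it.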