SBOM security checker

Check your software bill of materials (SBOM) for packages with security vulnerabilities and legal issues. Automate and integrate your entire SBOM management process into developer workflows with Snyk.

Sign up for free to unlock the full power of Snyk SBOM security check, no credit card required.

3 reasons why you need to maintain a secure and up-to-date SBOM

Develop faster

Maintaining an up-to-date SBOM is crucial for keeping up with rapid software development, in which components and their versions change swiftly.

Reduce technical debt

As a developer who uses open source software libraries, you may encounter licensing issues that may require moving to a different library.

Boost compliance

SBOMs are an important part of a 2022 Executive Order on software supply chain security — meaning SBOM security is going to stay in focus in the coming years.

SBOM Checker FAQ

A software bill of materials (SBOM) is a complete list of all software components used across an organization. The software bill of materials list is made up of third-party open source libraries, vendor-provided packages and first-party artifacts built by the organization.

An SBOM is essentially an inventory of all of the software components you utilize in your applications. Along with proper security tools (like software composition analysis), an SBOM helps provide clear visibility into the license and security risks associated with software you are building or consuming. Maintaining an up-to-date software bill of materials in a standard SBOM format is crucial to keep up with rapid software development, in which components and their versions are swiftly changing.

Snyk’s SBOM Security Checker enables you to upload Software Bill of Materials (SBOM) files and scan them for known security vulnerabilities and legal issues, helping you stay compliant and secure within your development workflows.

Snyk’s SBOM Checker helps you reduce technical debt, boost compliance, and accelerate development by continuously monitoring evolving dependencies for vulnerabilities and licensing risks.

Absolutely. SBOM generation and scanning can be automated with the Snyk CLI across your development lifecycle—making SBOMs part of CI/CD pipelines and developer workflows with minimal overhead.

Although the SBOM Checker itself scans for vulnerabilities and licensing issues, it benefits from Snyk’s broader platform, powered by the AI Trust Platform, which enhances automation, intelligence, and developer-centered insights across the entire scanning workflow.

Snyk supports both CycloneDX and SPDX SBOM standards. You can generate and test SBOMs in these formats to integrate seamlessly with your security processes.

CycloneDX and SPDX are the two most used SBOM standards in security. You should choose which one to use based on your project's needs, and you can even choose to implement both. It’s unlikely that we will have a single, set standard for SBOMs anytime soon, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and others stating that they expect multiple formats to be around for some time.

OWASP CycloneDX is a software bill of materials (SBOM) standard designed for application security contexts and supply chain component analysis, providing an inventory of all first-party and third-party software components. The specification is rich and extends beyond software libraries to standards such as software as a service bill of materials (SaaSBOM), Vulnerability Exploitability Exchange (VEX), and more. The standard is an Apache 2.0 licensed open source project and is open for collaboration at the following open source GitHub repository: https://github.com/CycloneDX/specification.

SPDX from The Linux Foundation is another standard for SBOMs that allows the expression of components, licenses, copyrights, security references, and other metadata relating to software. SPDX aims to reduce redundant work by making it easy to share important data in a common format, leading to improved compliance, security, and dependability. SPDX is a grassroots open source project hosted by the Linux Foundation. The full SPDX specification is available here, as well as the SPDX GitHub repository.
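To make the two formats concrete, here is an added example (not Snyk's code and not part of the original page) of the core of an SBOM checker: it parses a CycloneDX JSON document and an SPDX JSON document into one normalised component list, then flags components whose declared license is outside an allowlist and components whose package URL appears in an advisory table. Both sample documents are constructed inline; the field names follow the public CycloneDX 1.4 and SPDX 2.3 JSON schemas, but the package versions, the license allowlist and the advisory identifiers (EXAMPLE-ADVISORY-001) are assumptions for illustration, not real advisories.

```python
import json

# Constructed CycloneDX 1.4 document (not a real project's SBOM).
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "WTFPL"}}]},
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
})

# Constructed SPDX 2.3 document; the second package deliberately lacks a
# license conclusion and a purl, a common gap in generated SBOMs.
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app",
    "packages": [
        {"name": "requests", "SPDXID": "SPDXRef-Package-requests",
         "versionInfo": "2.31.0", "licenseConcluded": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
        {"name": "legacy-lib", "SPDXID": "SPDXRef-Package-legacy",
         "versionInfo": "0.9.1", "licenseConcluded": "NOASSERTION"},
    ],
})

# Assumed policy: SPDX license identifiers the organisation accepts.
LICENSE_ALLOWLIST = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

# Constructed advisory table keyed by purl; the identifier is a placeholder,
# not a real CVE or vulnerability database entry.
KNOWN_VULNERABLE = {"pkg:npm/lodash@4.17.20": "EXAMPLE-ADVISORY-001"}


def _from_cyclonedx(component):
    """Normalise one CycloneDX component; licenses may be ids, names or expressions."""
    licenses = []
    for entry in component.get("licenses", []):
        lic = entry.get("license")
        if lic:
            licenses.append(lic.get("id") or lic.get("name"))
        elif entry.get("expression"):
            licenses.append(entry["expression"])
    return {"name": component.get("name"), "version": component.get("version"),
            "purl": component.get("purl"), "licenses": [l for l in licenses if l]}


def _from_spdx(package):
    """Normalise one SPDX package; NOASSERTION/NONE mean no usable license."""
    concluded = package.get("licenseConcluded") or package.get("licenseDeclared")
    licenses = [] if concluded in (None, "NOASSERTION", "NONE") else [concluded]
    purl = next((ref["referenceLocator"] for ref in package.get("externalRefs", [])
                 if ref.get("referenceType") == "purl"), None)
    return {"name": package.get("name"), "version": package.get("versionInfo"),
            "purl": purl, "licenses": licenses}


def parse_sbom(text):
    """Detect the SBOM format from its top-level keys and return a component list."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return [_from_cyclonedx(c) for c in doc.get("components", [])]
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return [_from_spdx(p) for p in doc.get("packages", [])]
    raise ValueError("unrecognised SBOM format: expected CycloneDX or SPDX JSON")


def check_components(components, allowlist=LICENSE_ALLOWLIST, advisories=KNOWN_VULNERABLE):
    """Return license and vulnerability findings for a normalised component list."""
    findings = []
    for c in components:
        if c["purl"] and c["purl"] in advisories:
            findings.append({"component": c["name"], "kind": "vulnerability",
                             "detail": advisories[c["purl"]]})
        if not c["licenses"]:
            # No license means no grant of rights; treat as a legal finding.
            findings.append({"component": c["name"], "kind": "license",
                             "detail": "no license declared"})
        for lic in c["licenses"]:
            if lic not in allowlist:
                findings.append({"component": c["name"], "kind": "license",
                                 "detail": f"license {lic} not in allowlist"})
    return findings


if __name__ == "__main__":
    for label, sample in (("CycloneDX", CYCLONEDX_SAMPLE), ("SPDX", SPDX_SAMPLE)):
        for finding in check_components(parse_sbom(sample)):
            print(label, finding)
```

Matching on the exact purl is a simplification: a production checker resolves version ranges from a vulnerability database and treats a missing purl as a finding in its own right, since a component that cannot be identified cannot be matched against advisories at all.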