Create an SBOM for agent-based projects with the REST API

You can use the SCA REST API to generate a software bill of materials (SBOM) based on your latest Veracode Software Composition Analysis agent-based scan results. The response includes an inventory of all components in your project in CycloneDX JSON or SPDX format.

Permissions and authentication

Before you can use all the endpoints of the SBOM APIs, you must have one of these account types:

  • An API service account with the Results API role.
  • A user account with the Administrator, Executive, Reviewer, Sandbox User, Security Insights, or Security Lead role.

This API uses API ID/key credentials and HMAC authentication to provide improved security. Before you can send requests, you must complete these configurations:

  • Ensure you access the APIs with the domain for your region.

Create an SBOM

  1. Complete at least one Veracode SCA agent-based scan in the last 13 months.

  2. Use this request to return the list of GUIDs for your workspaces:

    http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/v3/workspaces"

  3. Use this request to return the list of project GUIDs for the workspace:

    http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/v3/workspaces/{workspaceGuid}/projects?type=agent"

  4. Use this request to return the SBOM containing the SCA agent-based scan results for your project:

    http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/sbom/v1/targets/{projectGuid}/cyclonedx?type=agent"

    Set the type query parameter to agent to retrieve data from Veracode SCA agent-based scans. To generate an SBOM for upload scans or for agent-based scans linked to an application profile, follow these instructions.
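The steps above, as an added Python example that is not Veracode's own code: it builds the step 4 request for a project GUID, fetches it signed with the veracode-api-signing package (assumed installed, with API credentials configured), and inventories the CycloneDX JSON response so you can spot unversioned components that a consumer of the SBOM could not match against advisories. `BASE_URL`, `fetch_cyclonedx_sbom`, `inventory` and `SAMPLE_SBOM` are assumptions or constructed data, not part of the page.

```python
"""Fetch a Veracode SCA agent-based SBOM and inventory its components."""
from urllib.parse import urlencode

# Assumption: use the API domain for your region (the page shows api.veracode.com).
BASE_URL = "https://api.veracode.com"


def sbom_url(project_guid, scan_type="agent", base_url=BASE_URL):
    """Build the CycloneDX SBOM endpoint; type=agent selects agent-based scan results."""
    query = urlencode({"type": scan_type})
    return f"{base_url}/srcclr/sbom/v1/targets/{project_guid}/cyclonedx?{query}"


def fetch_cyclonedx_sbom(project_guid):
    """GET the SBOM with HMAC signing. Imports are lazy so the offline
    helpers below run without the signing package or network access."""
    import requests  # assumption: requests + veracode-api-signing installed
    from veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC

    resp = requests.get(sbom_url(project_guid), auth=RequestsAuthPluginVeracodeHMAC())
    resp.raise_for_status()
    return resp.json()


def inventory(sbom):
    """Summarise a CycloneDX JSON document: component count per purl ecosystem
    and the names of components that carry no version (unmatchable in triage)."""
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    by_ecosystem, unversioned = {}, []
    for comp in sbom.get("components", []):
        purl = comp.get("purl") or ""
        # purl is pkg:<type>/<namespace>/<name>@<version>; <type> is the ecosystem
        ecosystem = purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else "unknown"
        by_ecosystem[ecosystem] = by_ecosystem.get(ecosystem, 0) + 1
        if not comp.get("version"):
            unversioned.append(comp.get("name", "?"))
    total = len(sbom.get("components", []))
    return {"total": total, "by_ecosystem": by_ecosystem, "unversioned": unversioned}


# Constructed sample response shaped like a minimal CycloneDX 1.4 SBOM.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "jackson-databind", "version": "2.13.4",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "internal-util"},  # no version, no purl
    ],
}

if __name__ == "__main__":
    print(inventory(SAMPLE_SBOM))  # swap in inventory(fetch_cyclonedx_sbom("<projectGuid>")) for live use
```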

SBOM API Specification

Specifications for the CycloneDX SBOM API and the SPDX SBOM API are available on SwaggerHub.