Generate a Software Bill of Materials (SBOM) for Application Profiles with the REST API

You can use the SCA Agent REST API to generate a software bill of materials (SBOM) from your latest Veracode Software Composition Analysis upload scan results, or from agent-based scan results that you have linked to an application profile. The response is an inventory of the components in your application, in CycloneDX JSON or SPDX format.

Before you begin:

You must have:

  • A Veracode account with an SCA-Scan subscription and the Security Lead role

  • API credentials

  • HMAC authentication enabled

  • Completed at least one Veracode SCA scan in the last 13 months. The scan must be one of these scan types:

    • Policy scan
    • Sandbox scan that you have promoted to a policy scan
    • Agent-based scan that you have linked to the application for which you are creating the SBOM

To complete this task:

  1. Use this command to return the application GUID from the Applications API:

    http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v1/applications?name={applicationName}"

    If the response lists more than one application, use the guid of the profile whose name matches exactly.
  2. Use this command to return the SBOM containing your SCA upload scan results:

    http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/sbom/v1/targets/{applicationGuid}/cyclonedx?type=application"

    Set the type query parameter to application to retrieve data from Veracode SCA policy scans or from agent-based scans linked to your application profile. To generate an SBOM directly for agent-based scans, see the separate instructions for agent-based scans.
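The two steps above as one script, added here as a worked example; this is not Veracode's own code. It assumes the VERACODE-HMAC-SHA-256 scheme as published in Veracode's public reference signing implementation (for production, use the official veracode-api-signing package rather than this reimplementation), the HAL shape of the Applications API response (`_embedded.applications[].guid` and `.profile.name`), that the SPDX variant of the SBOM endpoint uses the same path with `spdx` in place of `cyclonedx`, and the environment variable names `VERACODE_API_KEY_ID` / `VERACODE_API_KEY_SECRET` for the credentials. The sample SBOM at the bottom is constructed so the inventory step runs offline.

```python
"""Fetch an SBOM for an application profile and inventory its components (added example)."""
import hashlib
import hmac
import json
import os
import sys
import time
import urllib.request
from urllib.parse import quote, urlparse

API_HOST = "api.veracode.com"


def veracode_hmac_header(api_id, api_key_hex, method, url, nonce=None, timestamp_ms=None):
    """Build the Authorization header value for one request.

    Reimplementation of the VERACODE-HMAC-SHA-256 scheme (assumed from Veracode's public
    reference implementation). nonce and timestamp_ms are parameters only so the function
    can be exercised deterministically; leave them unset for real requests.
    """
    parsed = urlparse(url)
    path = parsed.path + (f"?{parsed.query}" if parsed.query else "")
    nonce = nonce or os.urandom(16).hex()
    ts = str(timestamp_ms if timestamp_ms is not None else int(time.time() * 1000))
    signing_data = f"id={api_id}&host={parsed.netloc}&url={path}&method={method.upper()}"
    # Key derivation chain: api_key -> nonce -> timestamp -> version string -> request data.
    key = hmac.new(bytes.fromhex(api_key_hex), bytes.fromhex(nonce), hashlib.sha256).digest()
    key = hmac.new(key, ts.encode(), hashlib.sha256).digest()
    key = hmac.new(key, b"vcode_request_version_1", hashlib.sha256).digest()
    sig = hmac.new(key, signing_data.encode(), hashlib.sha256).hexdigest()
    return f"VERACODE-HMAC-SHA-256 id={api_id},ts={ts},nonce={nonce},sig={sig}"


def sbom_url(app_guid, fmt="cyclonedx", scan_type="application"):
    """URL for step 2. fmt='spdx' is an assumed variant of the documented endpoint."""
    if fmt not in ("cyclonedx", "spdx"):
        raise ValueError("fmt must be 'cyclonedx' or 'spdx'")
    return f"https://{API_HOST}/srcclr/sbom/v1/targets/{app_guid}/{fmt}?type={scan_type}"


def application_guid(applications_response, app_name):
    """Step 1: the name filter may return several profiles; return the exact match's guid."""
    apps = applications_response.get("_embedded", {}).get("applications", [])
    for app in apps:
        if app.get("profile", {}).get("name") == app_name:
            return app["guid"]
    return None


def summarize_cyclonedx(sbom):
    """Inventory a CycloneDX JSON SBOM: component list plus components that lack a purl."""
    components = sbom.get("components", [])
    names = [f"{c.get('name')}@{c.get('version', '?')}" for c in components]
    missing_purl = [n for n, c in zip(names, components) if not c.get("purl")]
    return {"count": len(components), "components": names, "missing_purl": missing_purl}


def get_json(url, api_id, api_key_hex):
    """Signed GET returning parsed JSON (needs network; not used in the offline path)."""
    headers = {"Authorization": veracode_hmac_header(api_id, api_key_hex, "GET", url)}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=60) as resp:
        return json.load(resp)


# Constructed sample, shaped like a CycloneDX 1.4 document, for offline demonstration.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "jackson-databind", "version": "2.9.8",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8"},
        {"type": "library", "name": "lodash", "version": "4.17.15", "purl": "pkg:npm/lodash@4.17.15"},
        {"type": "library", "name": "internal-utils", "version": "1.0.0"},
    ],
}

if __name__ == "__main__":
    api_id = os.environ.get("VERACODE_API_KEY_ID")        # assumed variable name
    api_key = os.environ.get("VERACODE_API_KEY_SECRET")   # assumed variable name
    if len(sys.argv) == 2 and api_id and api_key:
        name = sys.argv[1]
        apps = get_json(f"https://{API_HOST}/appsec/v1/applications?name={quote(name)}", api_id, api_key)
        guid = application_guid(apps, name)
        if guid is None:
            sys.exit(f"no application profile named exactly {name!r}")
        print(json.dumps(summarize_cyclonedx(get_json(sbom_url(guid), api_id, api_key)), indent=2))
    else:
        print(json.dumps(summarize_cyclonedx(SAMPLE_SBOM), indent=2))
```

Run it as `python sbom.py "My Application"` with the two environment variables set; without them it only inventories the constructed sample. Components without a purl are worth flagging because downstream tooling (vulnerability matching, license checks) keys on the purl, so an entry without one is effectively unidentified.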

The API specification is available on SwaggerHub.