Create an SBOM for application profiles with the REST API

You can use the SCA REST API to generate a software bill of materials (SBOM) based on your latest Veracode Software Composition Analysis upload scan results or agent-based scan results that you have linked to an application profile. The response includes an inventory of all components in your application in CycloneDX JSON or SPDX format.

Permissions and authentication

Before you can use all the endpoints of the SBOM APIs, you must have one of these accounts and the required roles:

  • An API service account with the Results API role
  • A user account with the Administrator, Executive, Reviewer, Sandbox User, Security Insights, or Security Lead role

This API uses API ID/key credentials and HMAC authentication to provide improved security. Before you can send requests, you must complete these configurations:

  • Ensure you access the APIs with the domain for your region

Create an SBOM

  1. Complete at least one of these Veracode SCA scan types in the last 13 months:

    • Policy scan
    • Sandbox scan that you have promoted to a policy scan
    • Agent-based scan that you have linked to the application for which you are creating the SBOM
  2. Use this request to return the application GUID from the Applications API:

    http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v1/applications?name={applicationName}"
  3. Use this request to return the SBOM containing your SCA upload scan results:

    http --auth-type=veracode_hmac "https://api.veracode.com/srcclr/sbom/v1/targets/{applicationGuid}/cyclonedx?type=application"

    Set the type property to application to retrieve data from Veracode SCA policy scans or agent-based scans linked to your application profile. To generate an SBOM for agent-based scans, follow these instructions.
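The three steps above, carried through end to end in Python as an added example (not Veracode's own code): the two requests are signed with the veracode-api-signing package and sent with requests, which are assumed installed along with VERACODE_API_KEY_ID and VERACODE_API_KEY_SECRET in the environment; the CycloneDX summary that follows goes a step beyond the page by flagging components without a version and, if the document carries a CycloneDX 1.4+ vulnerabilities array, counting findings per affected component. The HAL response shape of the Applications API and the sample BOM are assumptions.

```python
"""Added example (not Veracode's own code): the two requests from the procedure
above, then a summary of the CycloneDX document they return."""
import sys
from collections import Counter
from urllib.parse import quote

API_BASE = "https://api.veracode.com"  # US region domain as used on the page
SAMPLE_BOM = {  # constructed CycloneDX document so the script also runs offline
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "lodash", "purl": "pkg:npm/lodash"}]}

def app_guid_url(app_name: str, base: str = API_BASE) -> str:
    return f"{base}/appsec/v1/applications?name={quote(app_name)}"  # step 2

def sbom_url(app_guid: str, fmt: str = "cyclonedx", base: str = API_BASE) -> str:
    """SBOM endpoint (step 3); fmt is 'cyclonedx' or 'spdx', type=application as on the page."""
    return f"{base}/srcclr/sbom/v1/targets/{app_guid}/{fmt}?type=application"

def fetch_json(url: str) -> dict:
    """GET with Veracode HMAC signing; imports are local so the parser works offline."""
    import requests
    from veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC
    resp = requests.get(url, auth=RequestsAuthPluginVeracodeHMAC(), timeout=60)
    resp.raise_for_status()
    return resp.json()

def summarize_cyclonedx(bom: dict) -> dict:
    """Inventory view of a CycloneDX JSON document: counts per type, purls, gaps."""
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    comps = bom.get("components", [])
    # CycloneDX 1.4+ may carry a vulnerabilities array: count findings per affected ref
    affected = Counter(a["ref"] for v in bom.get("vulnerabilities", [])
                       for a in v.get("affects", []))
    return {"spec": bom.get("specVersion"), "components": len(comps),
            "by_type": dict(Counter(c.get("type", "unknown") for c in comps)),
            "purls": sorted(c["purl"] for c in comps if c.get("purl")),
            "missing_version": sorted(c["name"] for c in comps if not c.get("version")),
            "affected_refs": dict(affected)}

if __name__ == "__main__":  # python sbom.py [applicationName]; no argument -> SAMPLE_BOM
    bom = SAMPLE_BOM
    if len(sys.argv) > 1:
        apps = fetch_json(app_guid_url(sys.argv[1]))  # HAL response; first match assumed
        bom = fetch_json(sbom_url(apps["_embedded"]["applications"][0]["guid"]))
    print(summarize_cyclonedx(bom))
```

Pass "spdx" as fmt to hit the SPDX endpoint instead; the summary function only understands CycloneDX and rejects anything else.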

SBOM API Specification

Specifications for the CycloneDX SBOM API and the SPDX SBOM API are available on SwaggerHub.