Generate a Software Bill of Materials (SBOM) for Application Profiles with the REST API

You can use the SCA Agent REST API to generate a software bill of materials (SBOM) based on your latest Veracode Software Composition Analysis upload scan results or agent-based scan results that you have linked to an application profile. The response includes an inventory of all components in your application in CycloneDX JSON format.

Before You Begin

You must have:

  • A Veracode account with an SCA-Scan subscription and the Security Lead role
  • API credentials
  • HMAC authentication enabled
  • Completed at least one Veracode SCA scan in the last 13 months. The scan must be one of these scan types:

    • Policy scan
    • Sandbox scan that you have promoted to a policy scan
    • Agent-based scan that you have linked to the application for which you are creating the SBOM.


  1. Use this command to return the application GUID from the Applications API:

    http --auth-type=veracode_hmac "{applicationName}"

  2. Use this command to return the SBOM containing your SCA upload scan results:

    http --auth-type=veracode_hmac "{applicationGuid}/cyclonedx?type=application"

    Set the type property to application to retrieve data from Veracode SCA policy scans or agent-based scans linked to your application profile. To generate an SBOM for agent-based scans, follow these instructions.
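
Once the response from step 2 is saved to a file, the component inventory can be reviewed programmatically. The following Python is an added example, not Veracode code: it assumes only the standard CycloneDX JSON fields (bomFormat, components, bom-ref, purl, and vulnerabilities with affects/ref), and the function names, sample data and EXAMPLE-VULN id are constructed for illustration.

```python
import json
import sys
from pathlib import Path

# Constructed sample in CycloneDX JSON shape; not real Veracode output.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"bom-ref": "ref-a", "name": "example-web", "version": "2.1.0",
         "purl": "pkg:maven/com.example/example-web@2.1.0",
         "components": [{"bom-ref": "ref-b", "name": "example-codec", "version": "1.0.3",
                         "purl": "pkg:maven/com.example/example-codec@1.0.3"}]},
        {"bom-ref": "ref-c", "name": "vendored-blob"},  # no version or purl
    ],
    "vulnerabilities": [{"id": "EXAMPLE-VULN-0001", "affects": [{"ref": "ref-b"}]}],
}


def walk(components):
    """Yield each component, descending into nested component arrays."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))


def inventory(bom):
    """Map bom-ref -> name, version, purl and ids of vulnerabilities affecting it."""
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("response is not a CycloneDX BOM")
    items = {}
    for comp in walk(bom.get("components")):
        ref = comp.get("bom-ref") or comp.get("purl") or comp.get("name")
        items[ref] = {"name": comp.get("name"), "version": comp.get("version"),
                      "purl": comp.get("purl"), "vulns": []}
    for vuln in bom.get("vulnerabilities") or []:
        for affected in vuln.get("affects") or []:
            if affected.get("ref") in items:
                items[affected["ref"]]["vulns"].append(vuln.get("id"))
    return items


def unidentified(items):
    """Refs lacking a version or purl, which are hard to match to advisories."""
    return sorted(r for r, c in items.items() if not c["version"] or not c["purl"])


if __name__ == "__main__":
    bom = json.loads(Path(sys.argv[1]).read_text()) if sys.argv[1:] else SAMPLE_SBOM
    print(json.dumps(inventory(bom), indent=2))
```

Pass the path of the saved response as the first argument; with no argument the script runs on the constructed sample.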

Additional documentation is available on SwaggerHub.