Scanning an SBOM with upload scanning

Prerequisites

  • SBOM files must be in one of the following formats, with the file name ending as shown:

    • CycloneDX (CDX) format, with a file name ending in bom.json
    • Software Package Data Exchange (SPDX) format, with a file name ending in spdx.json
  • Supported SBOM versions:

Scanning an SBOM with an application

The SCA upload scan process automatically includes SBOM results alongside those generated from uploaded lock files.

Scanning SBOM files only

To perform an SBOM-only scan, include a valid, supported artifact that Veracode Static Analysis can scan alongside your SBOM files. Zip the SBOM file and the artifact together into a single file, and then upload that zip for scanning. The artifact is required because SCA upload scanning is tightly integrated with static scanning: the upload is processed as a static scan, and the SBOM results are produced alongside it.

Important

You can't run an SBOM-only scan without including a valid artifact. See the list of supported artifacts for Veracode Static Analysis.
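The following script packages an SBOM for an upload scan the way the steps above describe: it checks that each SBOM file name ends in bom.json or spdx.json, refuses to build the zip unless at least one artifact is included, and bundles everything into one archive. This is an added example, not Veracode tooling; the JSON key checks (bomFormat for CycloneDX, spdxVersion for SPDX) are an assumption drawn from those formats' schemas rather than a Veracode rule, and the artifact in the demo is a placeholder file standing in for a real scannable build output.

```python
"""Package SBOM files with a scannable artifact for an SCA upload scan.

Added example, not Veracode's own tooling. Assumes the only naming rule is
the file-name suffix (bom.json for CycloneDX, spdx.json for SPDX); the JSON
content checks are an assumption based on the CycloneDX and SPDX schemas.
"""
import json
import os
import tempfile
import zipfile

# Suffix rules from the documentation; the content predicate is assumed.
SBOM_RULES = {
    "bom.json": ("CycloneDX", lambda d: d.get("bomFormat") == "CycloneDX"),
    "spdx.json": ("SPDX", lambda d: "spdxVersion" in d),
}


def classify_sbom(path):
    """Return the SBOM format name for a path, or None if the file name
    does not end in a supported suffix."""
    name = os.path.basename(path)
    for suffix, (fmt, _check) in SBOM_RULES.items():
        if name.endswith(suffix):
            return fmt
    return None


def validate_sbom(path):
    """Check the name suffix and a minimal content marker.
    Returns (True, format_name) or (False, reason)."""
    fmt = classify_sbom(path)
    if fmt is None:
        return False, "file name must end in bom.json or spdx.json"
    try:
        with open(path, "r", encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError) as exc:
        return False, f"not readable JSON: {exc}"
    suffix = next(s for s in SBOM_RULES if path.endswith(s))
    if not SBOM_RULES[suffix][1](data):
        return False, f"content does not look like a {fmt} document"
    return True, fmt


def build_upload(zip_path, sbom_paths, artifact_paths):
    """Zip validated SBOMs together with at least one artifact.

    Raises ValueError when no artifact is supplied (an SBOM-only zip is
    not accepted by upload scanning) or when any SBOM fails validation.
    Returns the sorted list of entry names stored in the zip.
    """
    if not artifact_paths:
        raise ValueError("an SBOM-only upload needs at least one scannable artifact")
    problems = [(p, r) for p in sbom_paths for ok, r in [validate_sbom(p)] if not ok]
    if problems:
        raise ValueError("; ".join(f"{p}: {r}" for p, r in problems))
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in list(sbom_paths) + list(artifact_paths):
            zf.write(p, arcname=os.path.basename(p))
    with zipfile.ZipFile(zip_path) as zf:
        return sorted(zf.namelist())


def demo():
    """Constructed inputs: a minimal CycloneDX SBOM, an SPDX document with
    the wrong suffix, and a placeholder artifact (a real upload would use
    an actual build output such as a jar)."""
    tmp = tempfile.mkdtemp()
    cdx = os.path.join(tmp, "app-bom.json")
    with open(cdx, "w", encoding="utf-8") as fh:
        json.dump({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []}, fh)
    bad = os.path.join(tmp, "app.spdx.txt")  # wrong suffix on purpose
    with open(bad, "w", encoding="utf-8") as fh:
        json.dump({"spdxVersion": "SPDX-2.3"}, fh)
    artifact = os.path.join(tmp, "app.jar")  # placeholder bytes, not a real jar
    with open(artifact, "wb") as fh:
        fh.write(b"placeholder")
    out = os.path.join(tmp, "upload.zip")
    names = build_upload(out, [cdx], [artifact])
    bad_ok, bad_reason = validate_sbom(bad)
    return names, bad_ok, bad_reason


if __name__ == "__main__":
    entries, ok, reason = demo()
    print("zip entries:", entries)
    print("misnamed SPDX file accepted:", ok, "-", reason)
```

Run the script to see the two outcomes: the correctly named CycloneDX file is packaged next to the artifact, while the SPDX document with a .txt suffix is rejected before anything is uploaded. The point of the artifact check is that an SBOM-only zip fails at scan time, so it is cheaper to catch it locally.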