Scanning an SBOM with upload scanning
Prerequisites
- SBOM file names must be in one of the following formats:
  - CycloneDX (CDX) format with file name ending in bom.json
  - Software Package Data Exchange (SPDX) format with file name ending in spdx.json
  - CycloneDX (CDX) format with file name ending in
- Supported SBOM versions:
Scanning an SBOM with an application
Veracode SCA upload scan results, available in the Veracode Platform, combine uploaded SBOMs with other dependency information, such as lock files.
Scanning SBOM files only
To perform an SBOM-only scan, include a valid, supported artifact that Veracode Static Analysis can scan alongside your SBOM files. Zip the SBOM file and the artifact together into a single file, and then upload it for scanning. This is required due to the tight integration between SCA upload scanning and static scanning.
Important
You can't run an SBOM-only scan without including a valid artifact. See the list of supported artifacts for Veracode Static Analysis.
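The bundling step described above, as an added example that is not Veracode's own code: it checks each SBOM against the file-name rules stated on this page (CycloneDX JSON ending in bom.json, SPDX JSON ending in spdx.json), cross-checks the name against the document's standard top-level marker ("bomFormat" for CycloneDX, "spdxVersion" for SPDX) so a mislabelled file is caught before upload, and then zips the SBOMs together with an artifact. The sample SBOM documents, the artifact name app.jar and the artifact bytes are constructed placeholders; a real upload needs an artifact from the supported list for Veracode Static Analysis.

```python
"""Bundle SBOM files with a static-analysis artifact for an SCA upload scan.

Added example, not Veracode's own code. Assumes the naming rules on the page
and the standard CycloneDX/SPDX JSON top-level keys; sample inputs are
constructed.
"""
import io
import json
import zipfile
from typing import Dict, List, Optional

# File-name suffixes the page lists for JSON SBOMs, mapped to the format.
SBOM_SUFFIXES = {
    "bom.json": "CycloneDX",
    "spdx.json": "SPDX",
}


def sbom_format_from_name(name: str) -> Optional[str]:
    """Return the SBOM format implied by the file name, or None if unsupported."""
    for suffix, fmt in SBOM_SUFFIXES.items():
        if name.endswith(suffix):
            return fmt
    return None


def sbom_format_from_content(data: bytes) -> Optional[str]:
    """Detect the format from the document's standard top-level marker key."""
    try:
        doc = json.loads(data)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(doc, dict):
        return None
    if doc.get("bomFormat") == "CycloneDX":
        return "CycloneDX"
    if "spdxVersion" in doc:
        return "SPDX"
    return None


def check_sbom(name: str, data: bytes) -> List[str]:
    """Return the problems found; an empty list means the SBOM is ready to bundle."""
    problems = []
    by_name = sbom_format_from_name(name)
    by_content = sbom_format_from_content(data)
    if by_name is None:
        problems.append(f"{name}: file name must end in one of {sorted(SBOM_SUFFIXES)}")
    if by_content is None:
        problems.append(f"{name}: not a recognisable CycloneDX or SPDX JSON document")
    elif by_name is not None and by_name != by_content:
        problems.append(f"{name}: name says {by_name} but content is {by_content}")
    return problems


def bundle_for_upload(sboms: Dict[str, bytes], artifact_name: str, artifact: bytes) -> bytes:
    """Zip the SBOM(s) and the artifact into one in-memory archive for upload."""
    all_problems = [p for n, d in sboms.items() for p in check_sbom(n, d)]
    if all_problems:
        raise ValueError("; ".join(all_problems))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n, d in sboms.items():
            zf.writestr(n, d)
        zf.writestr(artifact_name, artifact)
    return buf.getvalue()


def bundle_names(bundle: bytes) -> List[str]:
    """List the entries of a produced bundle, to verify it before uploading."""
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        return sorted(zf.namelist())


# Constructed sample inputs (not real project data).
CYCLONEDX_SAMPLE = json.dumps(
    {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []}
).encode()
SPDX_SAMPLE = json.dumps(
    {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "packages": []}
).encode()
# Placeholder bytes standing in for a supported static-analysis artifact.
PLACEHOLDER_ARTIFACT = b"<placeholder artifact bytes>"

if __name__ == "__main__":
    bundle = bundle_for_upload(
        {"app-bom.json": CYCLONEDX_SAMPLE, "app-spdx.json": SPDX_SAMPLE},
        "app.jar",
        PLACEHOLDER_ARTIFACT,
    )
    print(bundle_names(bundle))
```

Because the name check only looks at the suffix, any file whose name ends in bom.json (including sbom.json) is treated as CycloneDX, which matches the rule as the page states it; the content check is what flags a file that carries the right suffix but the wrong document inside.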