Scanning an SBOM with upload scanning
Prerequisites
- SBOM file names must be in one of the following formats:
  - CycloneDX (CDX) format with file name ending in bom.json
  - Software Package Data Exchange (SPDX) format with file name ending in spdx.json
  - CycloneDX (CDX) format with file name ending in
- Supported SBOM versions:
Scanning an SBOM with an application
The SCA upload scan process automatically includes SBOM results alongside those generated from uploaded lock files.
Scanning SBOM files only
To perform an SBOM-only scan, you must still include a binary file that Veracode Static Analysis can scan alongside your SBOM files. This requirement comes from the tight integration between SCA upload scanning and static scanning: the upload scan is driven by the static scan, so there is no way to submit SBOM files on their own.
Important
An SBOM-only scan cannot be executed without including a scannable binary file.