Scanning an SBOM with upload scanning
Prerequisites
- SBOM file names must be in one of the following formats:
  - CycloneDX (CDX) format with file name ending in bom.json
  - Software Package Data Exchange (SPDX) format with file name ending in spdx.json
  - CycloneDX (CDX) format with file name ending in
- Supported SBOM versions:
Scanning an SBOM with an application
The SCA upload scan process automatically includes SBOM results alongside those generated from uploaded lock files.
Scanning SBOM files only
To perform an SBOM-only scan, include a valid, supported artifact that Veracode Static Analysis can scan alongside your SBOM files. Zip the SBOM file and the artifact together into a single file, and then upload it for scanning. This is required due to the tight integration between SCA upload scanning and static scanning.
Important
You can't run an SBOM-only scan without including a valid artifact. See the list of supported artifacts for Veracode Static Analysis.
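As an added example, not Veracode's own code or API, the following Python helper applies the prerequisites above before an upload: it checks that each SBOM file carries a recognised name suffix and that its body really is the format the name claims, then zips the recognised SBOMs together with the scannable artifact into the single file the upload expects. The function names, the artifact name and the sample documents are constructed for the example.

```python
import io
import json
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List, Optional, Tuple

# File-name suffixes the upload scan recognises, per the prerequisites above.
SBOM_SUFFIXES = {"bom.json": "CycloneDX", "spdx.json": "SPDX"}

def classify_sbom(name: str, data: bytes) -> Optional[str]:
    """Return the SBOM format the scan will treat the file as, or None."""
    # Check both the name suffix and the body, so a mis-named file is caught here.
    base = PurePosixPath(name).name
    fmt = next((f for s, f in SBOM_SUFFIXES.items() if base.endswith(s)), None)
    if fmt is None:
        return None
    try:
        doc = json.loads(data)
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None
    if fmt == "CycloneDX" and doc.get("bomFormat") == "CycloneDX":
        return fmt
    if fmt == "SPDX" and "spdxVersion" in doc:
        return fmt
    return None

def build_upload(artifact: Tuple[str, bytes], sboms: Dict[str, bytes]) -> bytes:
    """Zip the scannable artifact with every recognised SBOM into one file."""
    # Refuse to build an upload whose SBOM files the scan would all ignore.
    recognised = {n: d for n, d in sboms.items() if classify_sbom(n, d)}
    if not recognised:
        raise ValueError("no SBOM file matches a supported name and format")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(artifact[0], artifact[1])  # the artifact static analysis needs
        for n, d in recognised.items():
            zf.writestr(n, d)
    return buf.getvalue()

def upload_members(zipped: bytes) -> List[str]:
    """Sorted entry names of a built upload, for checking its contents."""
    return sorted(zipfile.ZipFile(io.BytesIO(zipped)).namelist())

# Constructed sample documents, not real project SBOMs.
CDX = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []}).encode()
SPDX = json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT"}).encode()
```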