SBOM Scan REST API
The SBOM Scan API parses an uploaded SBOM and reports the known vulnerabilities in the components it lists.
Permissions and authentication
Before you can use the SBOM Scan API, you must have one of these account types:
- An API service account with the Results API role.
- A user account with the Administrator, Executive, Reviewer, Sandbox User, Security Insights, or Security Lead role.
This API authenticates requests with an API ID/key credential pair and HMAC request signing instead of a username and password. Before you can send requests, you must complete these configurations:
- Ensure you access the APIs with the domain for your region.
Supported formats
The SBOM Scan API can scan SBOMs in the following formats:
- CycloneDX v1.2, v1.3, v1.4, and v1.5 (JSON)
- SPDX v2.2 and v2.3 (JSON)
Using the SBOM Scan API
Use this request to upload an SBOM file (sent as the sbom-file multipart form field) and get its vulnerabilities:
curl --location 'https://api.veracode.com/srcclr/sbom/v1/manage/scan' --header 'Authorization: {HMAC-TOKEN}' --form 'sbom-file=@"{FILE-LOCATION}"'
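The following is an added example, not Veracode's own client code and not taken from this page. It does in the standard library what the curl command above does: checks that a JSON SBOM is one of the formats listed under Supported formats, builds the multipart upload with the sbom-file field, signs the request and POSTs it. The signing routine follows Veracode's published VERACODE-HMAC-SHA-256 derivation (chained HMAC-SHA256 keys over the nonce, timestamp and request-version string), which this page only refers to as "HMAC authentication"; verify it against the official veracode-api-signing library before relying on it. The host constant, the environment-variable names and the sample SBOM are assumptions constructed for the example.

```python
"""Sign and send an SBOM to the Veracode SBOM Scan API (added example, not Veracode's own client)."""
import hmac
import json
import secrets
import time
import urllib.request
from hashlib import sha256

API_HOST = "api.veracode.com"            # assumption: use the domain for your region
SCAN_PATH = "/srcclr/sbom/v1/manage/scan"
AUTH_SCHEME = "VERACODE-HMAC-SHA-256"
REQUEST_VERSION = b"vcode_request_version_1"

# Format/version pairs this page lists as supported.
SUPPORTED = {"cyclonedx": {"1.2", "1.3", "1.4", "1.5"}, "spdx": {"2.2", "2.3"}}


def sbom_format(doc: dict):
    """Return (format, version) for a parsed JSON SBOM, or (None, None) if unrecognised.

    CycloneDX JSON carries bomFormat/specVersion; SPDX JSON carries spdxVersion ("SPDX-2.3").
    """
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx", str(doc.get("specVersion", ""))
    spdx = doc.get("spdxVersion", "")
    if isinstance(spdx, str) and spdx.startswith("SPDX-"):
        return "spdx", spdx[len("SPDX-"):]
    return None, None


def is_supported(doc: dict) -> bool:
    """True if the SBOM is a format/version the SBOM Scan API accepts."""
    fmt, ver = sbom_format(doc)
    return fmt is not None and ver in SUPPORTED[fmt]


def veracode_signature(api_key_hex: str, data: str, timestamp_ms: int, nonce_hex: str) -> str:
    """Derive the request signature: key chained through nonce, timestamp and request version."""
    k_nonce = hmac.new(bytes.fromhex(api_key_hex), bytes.fromhex(nonce_hex), sha256).digest()
    k_date = hmac.new(k_nonce, str(timestamp_ms).encode(), sha256).digest()
    k_sig = hmac.new(k_date, REQUEST_VERSION, sha256).digest()
    return hmac.new(k_sig, data.encode(), sha256).hexdigest()


def hmac_auth_header(api_id, api_key_hex, host, path, method, timestamp_ms=None, nonce_hex=None):
    """Build the Authorization header value for one request; path is the URL path plus any query."""
    timestamp_ms = int(time.time() * 1000) if timestamp_ms is None else timestamp_ms
    nonce_hex = secrets.token_hex(16) if nonce_hex is None else nonce_hex   # fresh per request
    data = f"id={api_id}&host={host}&url={path}&method={method.upper()}"
    sig = veracode_signature(api_key_hex, data, timestamp_ms, nonce_hex)
    return f"{AUTH_SCHEME} id={api_id},ts={timestamp_ms},nonce={nonce_hex},sig={sig}"


def multipart_body(field: str, filename: str, content: bytes, boundary: str) -> bytes:
    """Encode one file part the way curl --form field=@file does (CRLF ends, closing boundary)."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: application/json\r\n\r\n"
    )
    return head.encode() + content + f"\r\n--{boundary}--\r\n".encode()


def scan_sbom(api_id, api_key_hex, sbom_bytes: bytes, filename="sbom.json", host=API_HOST):
    """Validate the SBOM format, then POST it and return the parsed JSON response (network call)."""
    if not is_supported(json.loads(sbom_bytes)):
        raise ValueError("SBOM is not a CycloneDX 1.2-1.5 or SPDX 2.2/2.3 JSON document")
    boundary = "----sbom" + secrets.token_hex(8)
    body = multipart_body("sbom-file", filename, sbom_bytes, boundary)
    req = urllib.request.Request(f"https://{host}{SCAN_PATH}", data=body, method="POST")
    req.add_header("Authorization", hmac_auth_header(api_id, api_key_hex, host, SCAN_PATH, "POST"))
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


# Constructed minimal CycloneDX 1.5 SBOM used as sample input.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [{"type": "library", "name": "example-lib", "version": "1.0.0",
                    "purl": "pkg:npm/example-lib@1.0.0"}],
}

if __name__ == "__main__":
    import os  # assumption: credentials supplied via these environment variables
    result = scan_sbom(os.environ["VERACODE_API_KEY_ID"], os.environ["VERACODE_API_KEY_SECRET"],
                       json.dumps(SAMPLE_SBOM).encode())
    print(json.dumps(result, indent=2))
```

The nonce and millisecond timestamp are part of the signed data, so a captured Authorization header cannot be replayed against a different path or method, and the API key itself never leaves the client; only the derived signature does. Keep the signed path identical to the one you request, including any query string, or the signature check fails.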
SBOM Scan API specification
Specifications for the SBOM Scan API are available on SwaggerHub.