Skip to main content


You can use the SCA SBOM Scan API to parse an SBOM in SPDX JSON or CycloneDX JSON format and find vulnerabilities in it.

Permissions and authentication

Before you can use the SBOM Scan API, you must have one of these account types:

  • An API service account with the Results API role.
  • A user account with the Administrator, Executive, Reviewer, Sandbox User, Security Insights, or Security Lead role.

This API uses API ID/key credentials and HMAC authentication to provide improved security. Before you can send requests, you must complete these configurations:

Ensure you access the APIs with the domain for your region.

Using the SBOM Scan API

Use this request to get vulnerabilities of an uploaded SBOM file:

curl --location '' --header 'Authorization: {HMAC-TOKEN}' --form 'sbom-file=@"{FILE-LOCATION}"'

SBOM Scan API specification

Specifications for the SBOM Scan API are available on SwaggerHub.