SBOM Scan REST API
The SBOM Scan API can parse an SBOM to find vulnerabilities.
Permissions
Before you can use all endpoints of this API, you must have one of the following accounts with the required roles:
- An API user account with the Results API role.
- A UI user account with the Administrator, Executive, Reviewer, Sandbox User, Security Insights, or Security Lead role.
Authentication
This API requires Veracode HMAC authentication: every request must carry an Authorization header with an HMAC signature generated from your Veracode API ID and secret key (the {HMAC-TOKEN} placeholder in the examples below). Unsigned requests, and requests signed with credentials that lack the roles listed above, are rejected.
Supported formats
The SBOM Scan API can scan SBOMs in the following formats:
- CycloneDX v1.2, v1.3, v1.4, and v1.5 (JSON)
- SPDX v2.2 and v2.3 (JSON)
Using the SBOM Scan API
To upload an SBOM file and get its vulnerabilities, send one of the following requests. Both POST the file as the multipart form field named sbom-file; the second uses HTTPie with the veracode_hmac auth type, which signs the request for you:
curl --location 'https://api.veracode.com/srcclr/sbom/v1/manage/scan' --header 'Authorization: {HMAC-TOKEN}' --form 'sbom-file=@"{FILE-LOCATION}"'
http --auth-type=veracode_hmac -f POST 'https://api.veracode.com/srcclr/sbom/v1/manage/scan' sbom-file@{FILE-LOCATION}
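The following script is an added example, not Veracode's own tooling or part of this page. It checks locally that a file is one of the JSON SBOM formats and spec versions listed under "Supported formats" before spending an authenticated API call on it, then uploads it as the sbom-file form field. The upload helper assumes the `requests` and `veracode-api-signing` packages are installed and that the signing plugin finds your credentials in the VERACODE_API_KEY_ID and VERACODE_API_KEY_SECRET environment variables (or ~/.veracode/credentials); the two sample SBOMs are constructed here for offline use and are not real inventories.

```python
"""Pre-flight format check and upload helper for the Veracode SBOM Scan API.

Added example, not Veracode's code. Assumes `requests` and
`veracode-api-signing` are installed (pip install requests veracode-api-signing)
and that credentials are available to the signing plugin via the
VERACODE_API_KEY_ID / VERACODE_API_KEY_SECRET environment variables.
"""
import json
import os
from typing import Tuple

SCAN_URL = "https://api.veracode.com/srcclr/sbom/v1/manage/scan"

# Formats the API accepts: JSON only, and only these spec versions.
SUPPORTED_VERSIONS = {
    "CycloneDX": {"1.2", "1.3", "1.4", "1.5"},
    "SPDX": {"2.2", "2.3"},
}


class UnsupportedSbom(ValueError):
    """Raised when the document would not be accepted by the SBOM Scan API."""


def detect_sbom_format(data: bytes) -> Tuple[str, str]:
    """Return (format, spec_version) for a supported SBOM, else raise UnsupportedSbom.

    Detection uses the top-level fields each format defines: CycloneDX JSON
    carries bomFormat/specVersion, SPDX JSON carries spdxVersion ("SPDX-2.3").
    """
    try:
        doc = json.loads(data)
    except ValueError as exc:
        # CycloneDX XML and SPDX tag-value are valid SBOMs, but not JSON, so the API rejects them.
        raise UnsupportedSbom(f"not a JSON document ({exc})") from exc
    if not isinstance(doc, dict):
        raise UnsupportedSbom("top-level JSON value is not an object")

    if doc.get("bomFormat") == "CycloneDX":
        fmt, version = "CycloneDX", str(doc.get("specVersion", ""))
    elif isinstance(doc.get("spdxVersion"), str):
        fmt, version = "SPDX", doc["spdxVersion"].removeprefix("SPDX-")
    else:
        raise UnsupportedSbom("neither CycloneDX JSON (bomFormat) nor SPDX JSON (spdxVersion)")

    if version not in SUPPORTED_VERSIONS[fmt]:
        raise UnsupportedSbom(
            f"{fmt} {version or '<missing>'} is not supported; "
            f"use one of {sorted(SUPPORTED_VERSIONS[fmt])}"
        )
    return fmt, version


def is_supported_sbom(data: bytes) -> bool:
    """Boolean wrapper around detect_sbom_format for callers that only need yes/no."""
    try:
        detect_sbom_format(data)
        return True
    except UnsupportedSbom:
        return False


def upload_sbom(path: str) -> dict:
    """Validate the file locally, then POST it as the sbom-file multipart field.

    Network and signing imports are deferred so the format check works offline.
    """
    import requests  # assumed installed
    from veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC  # assumed installed

    with open(path, "rb") as fh:
        data = fh.read()
    fmt, version = detect_sbom_format(data)  # fail fast before the authenticated call

    # The plugin adds the HMAC Authorization header the API requires; it is assumed
    # to read the key ID and secret from VERACODE_API_KEY_ID / VERACODE_API_KEY_SECRET.
    resp = requests.post(
        SCAN_URL,
        auth=RequestsAuthPluginVeracodeHMAC(),
        files={"sbom-file": (os.path.basename(path), data, "application/json")},
        timeout=120,
    )
    resp.raise_for_status()
    body = resp.json() if "json" in resp.headers.get("Content-Type", "") else resp.text
    return {"format": fmt, "specVersion": version, "status": resp.status_code, "body": body}


# Constructed minimal samples for offline checks; real SBOMs list every component.
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [{"type": "library", "name": "lodash", "version": "4.17.20",
                    "purl": "pkg:npm/lodash@4.17.20"}],
}).encode()
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app",
    "packages": [{"name": "lodash", "SPDXID": "SPDXRef-Package-lodash", "versionInfo": "4.17.20"}],
}).encode()


if __name__ == "__main__":
    import sys
    print(json.dumps(upload_sbom(sys.argv[1]), indent=2))
```

Run it as `python sbom_scan.py path/to/sbom.json`; an unsupported file is rejected locally with the reason (wrong format, XML instead of JSON, or a spec version outside the supported list), so the only requests that reach the API are ones it can parse.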
SBOM Scan API specification
Specifications for the SBOM Scan API are available on SwaggerHub.