
Software Bills of Materials (SBOM)

Every successful storefront build automatically produces a Software Bill of Materials (SBOM), a machine-readable inventory of every component and dependency that ends up in your deployed application. You can download this SBOM from the Admin Panel and feed it into your own security tooling to scan for known vulnerabilities, audit licenses, and meet your compliance requirements.

What is an SBOM?

An SBOM is a complete, structured list of the software components contained in a build. Think of it as an "ingredients label" for your storefront. For each component, it records:

  • The name and version (e.g. in name@version form)
  • The package type and origin: npm packages, operating-system packages, etc., identified by a Package URL (purl)
  • License information, where available

SCAYLE generates the SBOM in the CycloneDX format as JSON. CycloneDX is a widely adopted, open SBOM standard supported by virtually every modern security scanner, so the file you download works out of the box with the tools you already use.

The SBOM covers the entire deployed image: not just your application's direct dependencies, but also their transitive dependencies and the operating-system packages in the base image. This gives you a full picture of what is actually running in production.

The SBOM is generated once, at build time, and describes exactly the dependencies present in that specific build. Each build has its own SBOM. To inspect a different deployment, download the SBOM from that deployment's build.

Why download it?

The SBOM enables self-service security scanning: you stay in control of which scanner you use, which vulnerability databases it checks against, and when you run the scan. Common use cases:

  • Vulnerability scanning: detect known CVEs in your dependencies using your preferred scanner.
  • Continuous monitoring: feed the SBOM into a platform like OWASP Dependency-Track to be alerted when a new vulnerability is later disclosed for a component you already shipped.
  • License & compliance auditing: review the licenses of every bundled component.
  • Supply-chain records: keep an auditable inventory of what was deployed, and when.

Prerequisites

Before you can download an SBOM:

  • The build must have succeeded. The download option is only available for successful builds. Failed or in-progress builds have no SBOM.
  • Your user must have the View builds (storefront-platform__builds__read) permission. Without it, the download button is disabled.

How to download the SBOM

  1. In the Admin Panel, open Deployments and select the deployment you want to inspect to open its Deployment Details page.
  2. In the General Information card at the top of the page, locate the Download SBOM button in the card header (next to the deployment status).
  3. Click Download SBOM.

Your browser downloads the file as sbom-{buildId}.json, where {buildId} is the identifier of the build behind that deployment.

Don't see the button, or is it disabled?

  • If the button is missing, the build for this deployment did not succeed, so there is no SBOM to download.
  • If the button is disabled with a permission tooltip, your account is missing the Builds Read permission. Ask an administrator of your organization to grant it.

File format and example

The downloaded file is a CycloneDX JSON document. The exact CycloneDX specification version is recorded in the file's specVersion field. A typical document looks like this (abbreviated):

Key fields:

  Field                 Meaning
  specVersion           The CycloneDX specification version of this document.
  metadata.component    The image the SBOM describes.
  components[]          One entry per dependency / package found in the image.
  purl                  The Package URL, the canonical identifier scanners use to look up vulnerabilities.
  licenses              The component's license(s), where detected.
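As an added example (not SCAYLE's own code or a real downloaded file), the following Python script parses a constructed, abbreviated CycloneDX document in the shape of a sbom-{buildId}.json and pulls out the fields listed above; the component names and versions in it are made up, and it also flags components that carry no purl or no license, which a scanner or license audit would silently miss.

```python
import json
from collections import Counter

# Constructed, abbreviated CycloneDX document in the shape of a downloaded
# sbom-{buildId}.json (sample data, not a real build; all values are made up).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "container",
                               "name": "storefront-image", "version": "build-123"}},
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "zlib1g", "version": "1:1.2.13.dfsg-1",
         "purl": "pkg:deb/debian/zlib1g@1:1.2.13.dfsg-1?arch=amd64",
         "licenses": [{"license": {"id": "Zlib"}}]},
        # No purl and no licenses: a scanner has nothing to match this one on.
        {"type": "library", "name": "internal-widget", "version": "0.1.0"},
    ],
})


def load_sbom(text):
    # Reject anything that is not CycloneDX before feeding it to tooling.
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def component_licenses(component):
    """Return the license ids, names or SPDX expressions recorded for one component."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or entry.get("expression") or "?")
    return ids


def purl_type(purl):
    # "pkg:npm/left-pad@1.3.0" -> "npm": the ecosystem part of a Package URL.
    return purl.split(":", 1)[1].split("/", 1)[0]


def summarise(doc):
    """Counts per ecosystem plus the components a scanner or license audit would miss."""
    comps = doc.get("components", [])
    return {
        "spec_version": doc.get("specVersion"),
        "image": doc["metadata"]["component"]["name"],
        "by_type": Counter(purl_type(c["purl"]) for c in comps if "purl" in c),
        "missing_purl": [c["name"] for c in comps if "purl" not in c],
        "missing_license": [c["name"] for c in comps if not component_licenses(c)],
    }
```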

Self-service security scanning

Because the file is standard CycloneDX JSON, you can scan it with any tool that understands the format. Below are worked examples with three popular, free tools. In each, replace sbom-{buildId}.json with the actual name of the file you downloaded.

Trivy

Trivy is an open-source scanner from Aqua Security. It can scan a CycloneDX SBOM directly and report known vulnerabilities:

Example output:

To produce machine-readable output (for CI pipelines), use the --format flag, e.g. --format json or --format sarif.
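As an added example (not from this page or from Trivy), this Python CI gate reads a Trivy JSON report and fails the pipeline on findings at or above a chosen severity, optionally ignoring findings that have no fixed version yet. The report embedded in it is constructed with placeholder CVE ids, and the field names assume Trivy's JSON format (Results, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity), so check them against the output of your Trivy version.

```python
import json

# Constructed sample of a Trivy JSON report (not real scanner output);
# CVE ids are placeholders. Field names follow Trivy's JSON format.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-lib",
          "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-lib",
          "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "LOW"}]},
    {"Target": "debian 12", "Class": "os-pkgs", "Type": "debian",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample",
          "InstalledVersion": "2.0-1", "FixedVersion": "", "Severity": "CRITICAL"}]},
]})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def findings(report_text):
    """Flatten every vulnerability in the report into one record per finding."""
    out = []
    for result in json.loads(report_text).get("Results", []):
        # Clean targets carry no "Vulnerabilities" key (or a null one).
        for v in result.get("Vulnerabilities") or []:
            out.append({"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                        "installed": v["InstalledVersion"],
                        "fixed": v.get("FixedVersion") or None,
                        "severity": v.get("Severity", "UNKNOWN"),
                        "target": result.get("Target")})
    return out


def evaluate(report_text, fail_on="HIGH", ignore_unfixed=False):
    """Return pass/fail plus the findings at or above the threshold.

    ignore_unfixed=True drops findings with no fixed version, a common policy
    for OS packages where the distribution has not shipped a patch yet.
    """
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in findings(report_text)
                if SEVERITY_RANK.get(f["severity"], 0) >= threshold
                and not (ignore_unfixed and f["fixed"] is None)]
    return {"pass": not blocking, "blocking": blocking}


if __name__ == "__main__":
    # Real usage: trivy sbom --format json sbom-{buildId}.json > report.json
    verdict = evaluate(SAMPLE_REPORT, fail_on="HIGH")
    for f in verdict["blocking"]:
        print(f"{f['severity']:8} {f['id']} {f['pkg']} {f['installed']} -> {f['fixed'] or 'no fix'}")
    raise SystemExit(0 if verdict["pass"] else 1)
```

Trivy can enforce the simplest form of this gate on its own with --severity and --exit-code; parsing the report yourself is worth it when you need the fixed/unfixed distinction or a policy of your own.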

Grype

Grype is an open-source scanner from Anchore. Point it at the SBOM file using the sbom: scheme:

Example output:

OWASP Dependency-Track (continuous monitoring)

OWASP Dependency-Track is a platform for continuously monitoring SBOMs. Unlike a one-off scan, it re-evaluates your uploaded SBOMs whenever new vulnerabilities are published, so you find out about a newly disclosed CVE ("Common Vulnerabilities and Exposures") in a component you shipped weeks ago.

  1. In Dependency-Track, create a project for your storefront (or select an existing one).
  2. Go to the project's Components tab and choose Upload BOM.
  3. Select the sbom-{buildId}.json file you downloaded and upload it.

Dependency-Track ingests the CycloneDX file and continuously matches its components against vulnerability intelligence sources, surfacing findings in its dashboard.

Keep your scanner's database fresh. A vulnerability scan is only as current as the vulnerability database behind it. Tools like Trivy and Grype download/update their databases automatically on each run; for an air-gapped or pinned setup, make sure you refresh the database regularly so you don't miss newly disclosed CVEs.