# Generate SBOM Based on Open-Source Packages

Aikido lets you export both **SBOM (Software Bill of Materials)** and **VEX (Vulnerability Exploitability eXchange)** files. The SBOM gives you visibility into your software components (including open-source components); the VEX helps you prioritize what actually needs fixing.

**Use Cases:**

* **SBOM Export** (CycloneDX 1.6, SPDX 2.3 or CSV)
  * Share with third parties during M&A, procurement, or audits (e.g., ISO 27001, SOC 2).
  * Comply with regulations such as the Cyber Resilience Act (CRA), the Medical Device Regulation (MDR) or Executive Order 14028.
  * Feed into third-party risk or procurement tools.
* **VEX Export** (CycloneDX only)
  * Clearly flag which vulnerabilities are **exploitable** and which are **not applicable**.
  * Attest to due diligence: a VEX shows third parties that you are actively managing known vulnerabilities.

## Where to find the SBOM

**Step 1.** Go to Reports > [Licenses & SBOM](https://app.aikido.dev/licenses).

**Step 2.** Download the SPDX, CycloneDX, or CSV SBOM via the action in the top-right corner.

![Python package license risks overview with filters and SBOM download option.](/files/OAwgeLzz4usXlr9R4oSZ)

**Optional.** Filter licenses on different parameters and then export the SBOM. The export takes the chosen filter values into account.

![Filter menu for searching repositories by license, language, risk, and container options.](/files/u3kg6IfaOcSYsPXSbVBs)

To filter by team, change the Team Filter at the top of the page.

![Team selection dropdown for viewing Licenses & SBOM reports.](/files/vhYONHhzhOBrLyNXVPGQ)

> If you have multi-branch scanning enabled, you can get a different SBOM per legacy branch by selecting the specific legacy branch repo in the dropdown. Contact us via in-app chat for more info.

### Generate and export via API

Generate and download your SBOM via our [Export SBOM API](https://apidocs.aikido.dev/reference/exportcoderepolicenses).

## Uploading SBOMs generated at build time

Embedded systems built with tools like Buildroot or Yocto can generate an SBOM at build time. Since these systems often lack a standard container registry, you can programmatically upload these self-generated SBOMs to Aikido via the API to maintain security visibility and compliance.

### Uploading your SBOM

You can upload your self-generated SBOM via the [Upload Container SBOM endpoint](https://apidocs.aikido.dev/reference/uploadcontainersbom).

Once uploaded, navigate to [Containers](https://app.aikido.dev/containers). The uploaded SBOM is listed under the name you provided, with the registry shown as '*Self-reported SBOM*'. Aikido automatically starts scanning its components for known vulnerabilities (CVEs) and license risks.
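As an added example (not Aikido's own code), a pre-upload sanity check for a build-time CycloneDX SBOM: it verifies the document format, counts unique components, and reports components that lack a purl or version, since vulnerability and license matching work on package coordinates rather than display names. The sample SBOM is constructed, and the set of accepted specVersions is an assumption of this local check.

```python
# Added example, not Aikido's code. Sanity-check a build-time CycloneDX SBOM
# (e.g. from Yocto/Buildroot) before uploading it via the Upload Container SBOM
# endpoint. The accepted specVersions are an assumption for this local check.
import json

SUPPORTED_SPEC_VERSIONS = {"1.4", "1.5", "1.6"}

# Constructed sample: a minimal CycloneDX 1.6 document as a build system might emit it.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "name": "busybox", "version": "1.36.1"},  # no purl
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13"},  # exact duplicate
    ],
})


def check_sbom(raw: str) -> dict:
    """Summarise the SBOM, or raise ValueError if a scanner could not use it.

    Components without a purl or version are reported: CVE and license
    matching needs package coordinates, not just a display name.
    """
    bom = json.loads(raw)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if bom.get("specVersion") not in SUPPORTED_SPEC_VERSIONS:
        raise ValueError(f"unsupported specVersion {bom.get('specVersion')!r}")
    components = bom.get("components") or []
    if not components:
        raise ValueError("SBOM lists no components")
    seen, incomplete = set(), set()
    for c in components:
        # Use the purl as identity; fall back to (name, version) when it is absent.
        seen.add(c.get("purl") or (c.get("name"), c.get("version")))
        if not c.get("purl") or not c.get("version"):
            incomplete.add(c.get("name", "<unnamed>"))
    return {
        "specVersion": bom["specVersion"],
        "unique_components": len(seen),
        "incomplete_components": sorted(incomplete),
    }


if __name__ == "__main__":
    print(check_sbom(SAMPLE_SBOM))
```

Run it against the SBOM your build produced before calling the upload endpoint; a non-empty `incomplete_components` list means those entries will be hard to match against CVE and license data.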


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.aikido.dev/code-scanning/miscellaneous/generate-sbom-based-on-open-source-packages.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
