Generate SBOM Based on Open-Source Packages

Aikido allows you to export both SBOMs (Software Bill of Materials) and VEX (Vulnerability Exploitability eXchange) files—giving you visibility into your software components (including open-source components), helping you prioritize what actually needs fixing.

Use Cases:

  • SBOM Export (CycloneDX 1.6, SPDX 2.3 or CSV)

    • Share with third-parties during M&A, procurement, or audits (e.g., ISO 27001, SOC2).

    • Regulatory compliance with regulations like the Cyber Resilience Act (CRA), Medical Device Regulation (MDR) or Executive Order 14028.

    • Feed into third-party risk or procurement tools.

  • VEX Export (CycloneDX only)

    • Clearly flag which vulnerabilities are exploitable and which are not applicable.

    • Attestation of due diligence: a VEX proves to third parties that you are actively managing known vulnerabilities.
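To show what the two exports give you once they leave Aikido, here is an added example (not Aikido's code) that reads a CycloneDX SBOM and a CycloneDX VEX and sorts the findings into "still needs action" and "closed", resolving each VEX `affects` reference back to a component name and version from the SBOM. Both documents below are constructed samples in CycloneDX 1.6 shape with placeholder vulnerability ids, not real export output; the state names and field names are the ones defined by the CycloneDX vulnerability schema.

```python
"""Triage an exported CycloneDX SBOM + VEX pair. Added example, not Aikido's code.
The SBOM and VEX are constructed samples; vulnerability ids are placeholders."""
import json

# Constructed sample SBOM (CycloneDX 1.6) with two components.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/example-parser@2.1.0",
         "name": "example-parser", "version": "2.1.0"},
        {"type": "library", "bom-ref": "pkg:pypi/example-http@0.9.4",
         "name": "example-http", "version": "0.9.4"},
    ],
})

# Constructed sample VEX (CycloneDX 1.6) whose 'affects' refs point at the SBOM above.
SAMPLE_VEX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-0001",
         "analysis": {"state": "exploitable", "response": ["update"],
                      "detail": "Vulnerable code path is reachable from the request handler."},
         "affects": [{"ref": "pkg:pypi/example-parser@2.1.0"}]},
        {"id": "EXAMPLE-VULN-0002",
         "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                      "detail": "Affected function is never called."},
         "affects": [{"ref": "pkg:pypi/example-http@0.9.4"}]},
        {"id": "EXAMPLE-VULN-0003",
         "analysis": {"state": "in_triage"},
         "affects": [{"ref": "pkg:pypi/example-http@0.9.4"}]},
        {"id": "EXAMPLE-VULN-0004",
         "analysis": {"state": "not_affected"},   # closed, but no justification given
         "affects": [{"ref": "pkg:pypi/example-http@0.9.4"}]},
    ],
})

# CycloneDX analysis states that take a finding off the worklist.
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def index_components(sbom_json):
    """Map each component's bom-ref to 'name@version' so VEX refs become readable."""
    sbom = json.loads(sbom_json)
    return {c["bom-ref"]: f'{c["name"]}@{c["version"]}' for c in sbom.get("components", [])}


def triage_vex(vex_json, components):
    """Split VEX entries into 'actionable' and 'closed' buckets.

    Only a recorded closed state removes a finding; an entry with no analysis,
    or an unknown state, stays actionable so nothing is silently dropped."""
    vex = json.loads(vex_json)
    buckets = {"actionable": [], "closed": []}
    for vuln in vex.get("vulnerabilities", []):
        analysis = vuln.get("analysis") or {}
        state = analysis.get("state", "unstated")
        targets = [components.get(a["ref"], a["ref"]) for a in vuln.get("affects", [])]
        entry = {"id": vuln["id"], "state": state,
                 "justification": analysis.get("justification"), "affects": targets}
        buckets["closed" if state in CLOSED_STATES else "actionable"].append(entry)
    return buckets


def missing_justifications(buckets):
    """Ids of not_affected entries that give no justification; an auditor will ask for one."""
    return [e["id"] for e in buckets["closed"]
            if e["state"] == "not_affected" and not e["justification"]]


if __name__ == "__main__":
    comps = index_components(SAMPLE_SBOM)
    result = triage_vex(SAMPLE_VEX, comps)
    for bucket, entries in result.items():
        print(bucket)
        for e in entries:
            print(f'  {e["id"]:18} {e["state"]:12} {", ".join(e["affects"])}')
    print("not_affected without justification:", missing_justifications(result))
```

The conservative default matters: a vulnerability that has no `analysis` block yet is still work, not a pass, and a `not_affected` entry without a `justification` is the first thing a third party reviewing your VEX will question.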

Where to find the SBOM

Step 1. Go to Reports > Licenses & SBOM

Step 2. Download SPDX, CycloneDX, or CSV SBOM via the top right action

Python package license risks overview with filters and SBOM download option.

Optional. Filter licenses on different parameters, then export the SBOM. The export takes the chosen filter values into account.

Filter menu for searching repositories by license, language, risk, and container options.

If you want to filter on team, you can do this by changing the Team Filter at the top of the page.

Team selection dropdown for viewing Licenses & SBOM reports.

If you have multi-branch scanning enabled, you can get different SBOMs per legacy branch by selecting the specific legacy branch repo in the dropdown. Contact us via in-app chat for more info.

Generate and export via API

Generate and download your SBOM via our Export SBOM API.

Uploading SBOMs generated at build time

Embedded systems built using tools like Buildroot or Yocto can generate the SBOM at build time. Since these systems often lack a standard container registry, you can programmatically upload these self-generated SBOMs to Aikido via the API to maintain security visibility and compliance.

Uploading your SBOM

You can upload your self-generated SBOM via the Upload Container SBOM endpoint.

Once uploaded, navigate to Containers. The uploaded SBOM will be listed under the name you provided, with its registry shown as 'Self-reported SBOM'. Aikido will automatically start scanning the components for known vulnerabilities (CVEs) and license risks.
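An added example (not Aikido's code) of the pre-flight check a build pipeline should run on a Yocto- or Buildroot-generated CycloneDX SBOM before uploading it, followed by assembling the upload request. The sample SBOM is constructed; the endpoint URL, bearer-token authentication and the JSON field names `name` and `sbom` are assumptions read from placeholder environment variables, so take the real endpoint and request shape from the Upload Container SBOM API documentation.

```python
"""Validate a build-time CycloneDX SBOM and upload it. Added example, not Aikido's code.
Endpoint URL, auth scheme and body fields are placeholders (AIKIDO_SBOM_UPLOAD_URL,
AIKIDO_API_TOKEN); the sample SBOM is constructed."""
import json
import os
import sys
import urllib.request

SUPPORTED_SPEC_VERSIONS = {"1.4", "1.5", "1.6"}


def make_sbom(components):
    """Wrap a component list in a minimal CycloneDX JSON document (constructed firmware metadata)."""
    return json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"component": {"type": "firmware",
                                   "name": "example-gateway-image", "version": "2024.08"}},
        "components": components,
    })


# Constructed sample of what an embedded build might emit; zlib lacks a version on purpose.
SAMPLE_BUILD_SBOM = make_sbom([
    {"type": "library", "name": "busybox", "version": "1.36.1", "purl": "pkg:generic/busybox@1.36.1"},
    {"type": "library", "name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
    {"type": "library", "name": "zlib"},
])


def validate_cyclonedx(sbom_json):
    """Return a list of problems that would make the upload useless; an empty list means ok."""
    problems = []
    try:
        sbom = json.loads(sbom_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be 'CycloneDX'")
    if sbom.get("specVersion") not in SUPPORTED_SPEC_VERSIONS:
        problems.append(f"unexpected specVersion {sbom.get('specVersion')!r}")
    components = sbom.get("components")
    if not components:
        problems.append("no components: nothing to scan")
    for i, comp in enumerate(components or []):
        if not comp.get("name"):
            problems.append(f"component {i} has no name")
        if not comp.get("version"):
            # Without a version the scanner cannot match the component to advisories.
            problems.append(f"component {comp.get('name', i)} has no version")
    return problems


def build_upload_request(sbom_json, container_name, url, token):
    """Assemble the HTTP request without sending it (field names are assumptions)."""
    body = json.dumps({"name": container_name, "sbom": json.loads(sbom_json)}).encode()
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def upload(sbom_json, container_name):
    """Send the SBOM; raises if the placeholder environment variables are not set."""
    req = build_upload_request(sbom_json, container_name,
                               os.environ["AIKIDO_SBOM_UPLOAD_URL"], os.environ["AIKIDO_API_TOKEN"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    sbom_json = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUILD_SBOM
    problems = validate_cyclonedx(sbom_json)
    if problems:
        print("SBOM not ready for upload:", *problems, sep="\n  ")
        sys.exit(1)
    print(upload(sbom_json, "example-gateway-image"))
```

Run as-is, the script refuses the constructed sample because zlib has no version; pass the path of a real build-time SBOM as the first argument once the variables are set. Failing the pipeline on a versionless component is deliberate: such an entry is listed in the container view but can never match a CVE, so it gives false comfort rather than visibility.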
