
SBOM Checker

Dependency vulnerability scanner

Check your software dependencies for known vulnerabilities. Upload SBOM files, package manifests, or use our API for automated supply chain security.

10+ SBOM Formats
200K+ CVEs Tracked
All Major Ecosystems
CI/CD Integration

Key Features

Everything you need to protect your infrastructure and users

SBOM Analysis

Upload SPDX or CycloneDX files for vulnerability analysis.

Package Scanning

Support for npm, pip, Maven, NuGet, and more.

Transitive Dependencies

Analyze nested dependencies throughout your tree.

CVE Matching

Accurate vulnerability matching using CPE and package DBs.

Fix Recommendations

Get specific version upgrade recommendations.

CI/CD Integration

Fail builds when critical vulnerabilities are found.

Use Cases

How security teams use this tool

Development Teams

Check dependencies before deploying to production.

Security Teams

Audit third-party components in your applications.

DevSecOps

Integrate security checks into CI/CD pipelines.

Compliance

Meet software supply chain security requirements.

Understanding Software Bill of Materials (SBOM)

A Software Bill of Materials (SBOM) is a comprehensive inventory of all components, libraries, and dependencies that make up a software application. Like an ingredient list for food products, SBOMs provide transparency into what's actually running in your systems. Modern applications rely on hundreds or thousands of open-source packages, each potentially containing vulnerabilities. The SolarWinds and Log4j incidents demonstrated how supply chain vulnerabilities can have devastating consequences. SBOM analysis is now essential for software security.

How SBOM Vulnerability Checking Works

Our SBOM checker analyzes your software dependencies to identify known vulnerabilities:

1. **Parse SBOM/Manifest**: We support SPDX, CycloneDX, and common package formats (package.json, requirements.txt, Gemfile.lock, pom.xml, etc.).
2. **Resolve Dependencies**: We build a complete dependency tree including transitive (nested) dependencies that your direct packages rely on.
3. **Match Against CVEs**: Each package version is matched against vulnerability databases including NVD, OSV.dev, and vendor advisories.
4. **Prioritize Findings**: Results are sorted by severity and exploitability to highlight the most critical issues.
5. **Recommend Fixes**: We identify the minimum version upgrade needed to resolve each vulnerability.

The Hidden Risk of Transitive Dependencies

Direct dependencies are only part of the picture. A typical Node.js application might have 50 direct dependencies but over 1,000 transitive dependencies. The infamous Log4j vulnerability (CVE-2021-44228) affected countless applications that didn't directly use Log4j but included it through other packages. Our SBOM checker analyzes the entire dependency tree to find vulnerabilities at any depth. You might be surprised to discover vulnerable packages you didn't know your application included.
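The five-step pipeline above and the transitive-dependency walk it relies on, shown end to end in an added example that is not the tool's own code: it parses a constructed CycloneDX-style SBOM, walks the dependency graph from the root application so that nested packages are reached at any depth, matches each component against constructed advisory records with hypothetical IDs (ADV-0001, ADV-0002), sorts by severity, and reports the minimum fixed version.

```python
import json
# Constructed CycloneDX-style SBOM (not real project output): app depends directly on
# web-lib, which pulls in log-lib and json-lib transitively.
SBOM_JSON = """{
  "metadata": {"component": {"bom-ref": "app", "name": "app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:npm/web-lib@2.3.1", "name": "web-lib", "version": "2.3.1"},
    {"bom-ref": "pkg:npm/log-lib@2.14.1", "name": "log-lib", "version": "2.14.1"},
    {"bom-ref": "pkg:npm/json-lib@1.9.0", "name": "json-lib", "version": "1.9.0"}],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:npm/web-lib@2.3.1"]},
    {"ref": "pkg:npm/web-lib@2.3.1", "dependsOn": ["pkg:npm/log-lib@2.14.1", "pkg:npm/json-lib@1.9.0"]}]
}"""
# Constructed advisories (hypothetical IDs); range is [introduced, fixed), so "fixed" is the minimum safe upgrade.
ADVISORIES = [
    {"id": "ADV-0001", "package": "log-lib", "introduced": "2.0.0", "fixed": "2.15.0", "severity": "CRITICAL"},
    {"id": "ADV-0002", "package": "json-lib", "introduced": "1.0.0", "fixed": "1.8.0", "severity": "HIGH"},
]
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def parse_version(v):
    # Dotted-numeric comparison only; real ecosystems (semver pre-releases, PEP 440) need more.
    return tuple(int(p) for p in v.split("."))

def walk_dependencies(sbom):
    """Yield (bom-ref, depth) for every component reachable from the root, once each."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    seen, stack = set(), [(root, 0)]
    while stack:
        ref, depth = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        if ref != root:
            yield ref, depth
        stack.extend((child, depth + 1) for child in edges.get(ref, []))

def find_vulnerabilities(sbom_json, advisories):
    """Match every reachable component against the advisory ranges; most severe first."""
    sbom = json.loads(sbom_json)
    components = {c["bom-ref"]: c for c in sbom["components"]}
    findings = []
    for ref, depth in walk_dependencies(sbom):
        comp, ver = components[ref], parse_version(components[ref]["version"])
        for adv in advisories:
            if adv["package"] == comp["name"] and parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                findings.append({"id": adv["id"], "package": comp["name"], "version": comp["version"],
                                 "depth": depth, "severity": adv["severity"], "fix": adv["fixed"]})
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f["severity"]])
```

Here json-lib 1.9.0 sits above its advisory's fixed version and is correctly skipped, while log-lib is flagged two levels below the application even though nothing declares it directly.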

Integrating SBOM Checks into CI/CD Pipelines

The best time to catch vulnerable dependencies is before deployment. Our API and CLI tools enable:

- **Build-Time Checks**: Fail builds when critical vulnerabilities are detected
- **Pull Request Comments**: Automatic vulnerability reports on dependency changes
- **Baseline Management**: Track and acknowledge known vulnerabilities
- **Policy Enforcement**: Define acceptable risk thresholds by severity
- **Compliance Reporting**: Generate reports for auditors showing dependency analysis

Shift-left security means catching vulnerabilities during development, not in production.
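How a build-time gate combines a severity threshold with a baseline of acknowledged findings, as an added example that is not the product's CLI or API: the findings and baseline entries are constructed with hypothetical advisory IDs, and `evaluate_policy` returns the exit code a pipeline step would use.

```python
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed scanner output for one build (hypothetical advisory IDs and packages).
FINDINGS = [
    {"id": "ADV-0001", "package": "log-lib", "version": "2.14.1", "severity": "CRITICAL", "fix": "2.15.0"},
    {"id": "ADV-0003", "package": "web-lib", "version": "2.3.1", "severity": "HIGH", "fix": "2.4.0"},
    {"id": "ADV-0004", "package": "cli-lib", "version": "0.9.2", "severity": "LOW", "fix": "1.0.0"},
]

# Baseline: findings the team reviewed and accepted, keyed by (advisory, package).
# An entry suppresses only the exact advisory it names and stops applying after "expires".
BASELINE = {
    ("ADV-0003", "web-lib"): {"reason": "vulnerable code path not reachable; upgrade tracked", "expires": "2030-01-01"},
}

def evaluate_policy(findings, baseline, fail_on="HIGH", today="2025-01-01"):
    """Return (exit_code, decisions); exit_code 1 blocks the build. Dates are ISO strings, so they compare lexically."""
    decisions, blocking = [], False
    for f in findings:
        entry = baseline.get((f["id"], f["package"]))
        if entry and entry["expires"] > today:
            decisions.append((f["id"], "accepted", entry["reason"]))
            continue
        action = "block" if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_on] else "warn"
        blocking = blocking or action == "block"
        decisions.append((f["id"], action, f"upgrade {f['package']} to {f['fix']}"))
    return (1 if blocking else 0), decisions
```

An expired baseline entry falls back to the normal threshold check, so an acknowledgement cannot silently outlive the ticket that justified it.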

Meeting Software Supply Chain Security Requirements

Regulatory and industry requirements increasingly mandate software supply chain security:

- **Executive Order 14028**: Requires SBOMs for software sold to the U.S. federal government
- **PCI DSS 4.0**: Requires inventory of bespoke and custom software
- **FDA Cybersecurity Requirements**: Mandates SBOMs for medical device software
- **EU Cyber Resilience Act**: Will require vulnerability handling for products in the EU market

Our SBOM checker helps organizations meet these requirements by providing comprehensive dependency analysis and vulnerability documentation.

Frequently Asked Questions

What SBOM formats do you support?
We support SPDX, CycloneDX, and common package formats like package.json, requirements.txt, Gemfile.lock, and more.
How do you identify vulnerabilities?
We map your dependencies to CVEs using CPE matching and package vulnerability databases from NVD, OSV, and vendor advisories.
Can I integrate this into my CI/CD pipeline?
Yes, our API and CLI tools allow you to check dependencies as part of your build process.
Do you detect transitive dependencies?
Yes, we analyze both direct and transitive (nested) dependencies to find vulnerabilities throughout your dependency tree.

Ready to Get Started?

Join thousands of security teams using isMalicious to protect their infrastructure.