Tools: SBOM and vulnerability management

This chapter covers the tools that automatically identify the open source in your product (SBOM), manage it, and find and respond to vulnerabilities. It follows the three-step flow below.

The flow

  1. SBOM creation — Create a bill of materials (SBOM) that captures which open source is included in your product. The tools are syft and cdxgen. Go to SBOM creation.
  2. SBOM management — Update and store the SBOM you created, and share it across your supply chain. Go to SBOM management.
  3. Vulnerability analysis and response — Use the SBOM to find and respond to known vulnerabilities (CVEs). The tools are the OSV API and Dependency-Track. Go to Vulnerability management.

Try it right away (no install, no API key)

See SBOM analysis results right in your browser first, with no installation.

Automatic generation with AI agents

The outputs of each step can be generated automatically with AI agents. For the full mapping, see Create outputs with AI agents.

  • SBOM creation: 05-sbom-guide, 05-sbom-analyst
  • SBOM management: 05-sbom-management
  • Vulnerability analysis: 05-vulnerability-analyst

Extend to automation

The SBOM creation and vulnerability scanning you learn here can be wired into your CI pipeline for continuous automation. The DevSecOps guide provides workflows you can copy and use.