Import, manage, and share every SBOM — with proof your regulators, customers, and board can trust.
Bring in SBOMs from any source or format, govern your whole software estate in one prioritized inventory, and hand customers a live, audit-logged SBOM in one click — across 16 ecosystems, with the framework coverage regulated institutions are required to demonstrate.
Built for banking, insurance, medical-device, and critical-infrastructure teams.
- NTIA minimum elements
- EO 14028 / OMB M-22-18
- EU Cyber Resilience Act
- FDA premarket cybersecurity
- PCI DSS 4.0 / ISO 27001:2022
16 ecosystems · 8 frameworks · SOC 2 Type I
Built for regulated industries
Import. Manage. Share.
The whole lifecycle of a software bill of materials, in three moves — from the first import to a customer opening a live, branded share link.
- More on Import → Accepts (live): SPDX, CycloneDX, SWID
  - Git repository
  - Container image
  - Lockfile
  - File upload
- More on Manage → One inventory (live)
  - Products: 24
  - Components: 8,412
  - Prioritized risks: 17
Access-logged by default
Every view and download recorded with timestamp and IP — SOC 2 evidence captured, not reconstructed after the fact.
Encrypted end to end
AES-256 at rest, TLS 1.3 in transit. Enterprise customers can bring their own key with KMS / HSM.
Independently audited
A SOC 2 Type II audit is in progress with Schellman, a leading independent assessor.
Standards-native
CycloneDX, SPDX, and SWID across 16 ecosystems — open formats in, open formats out, no proprietary lock-in.
And the depth underneath it.
Import, manage, and share is the spine. Everything below makes it audit-grade — one system of record for software supply-chain risk.
01
Generate from source or image
Point at a Git repository, a lockfile, or a container image — including private registries (ECR, GCR, ACR, Harbor, Quay, Nexus) — and we resolve the full dependency graph across 16 ecosystems plus OS packages, emitting a CycloneDX or SPDX SBOM with integrity hashes.
02
Automated remediation
One click opens a pull request on GitHub or GitLab that bumps a vulnerable dependency to its fix version, with the resolved CVEs documented in the PR.
03
VaultScore prioritization
AI-weighted risk scoring that folds in EPSS exploit probability, CISA KEV status, and import-level reachability so teams remediate what actually matters.
04
Supply-chain defense
Flags known-malicious packages and typosquats the moment they enter a scan — the attacks that CVE feeds alone do not surface.
05
AI supply chain security
Discovers the third-party AI your software pulls in — hosted LLM SDKs, Model Context Protocol (MCP) servers, agent frameworks, vector stores and models — across dependencies and source/config, with a CycloneDX AIBOM and an allow/deny governance policy.
06
Package firewall
A curation gate that blocks known-malicious packages, typosquats, CISA-KEV and critical CVEs — as an inventory view and a CI gate that fails the build (HTTP 422) on a blocked package.
07
Pipeline security posture
Scores the SCM/CI posture of your connected GitHub and GitLab repositories (incl. self-hosted) — branch protection, required reviews, force-push, pipeline gates, Actions token scope, secret scanning and Dependabot — with the exact misconfiguration and its fix.
08
Trust portal & exchange
Issue tokenized, time-limited SBOM share links, or exchange organization-to-organization with domain-verified counterparties that survive staff turnover.
09
Continuous compliance
Framework dashboards for NTIA, EU CRA, FDA, DoD, EO 14028, PCI DSS 4.0, and ISO 27001:2022 — plus a Cryptographic Bill of Materials (CBOM) post-quantum readiness check, one-click attestation exports, and an Ed25519-signed, tamper-evident, ten-year audit log.
10
Vendor SBOM governance
A managed intake portal and third-party risk register that consolidate supplier SBOMs — and ingest their OpenVEX and CSAF VEX statements — into a single, searchable inventory of your software estate.
11
Developer API & CI
A documented REST API with scoped, rate-limited keys, a published OpenAPI 3.1 spec, and CI actions that fail the build on policy breaches.
Hand customers a live SBOM — not a stale zip file.
Your enterprise customers and their procurement teams are already asking for SBOMs. SBOMVault turns that obligation into a polished, audit-logged experience: issue a secure link that always points to your latest build, and watch exactly who opened it.
- Branded, read-only customer view — your logo, your colors, not a third-party tool.
- Tokenized links that expire on your terms — no SBOMs lingering in customer inboxes for years.
- Every view, download, and IP captured in an exportable access log — SOC 2 evidence by default.
- Or exchange organization-to-organization with domain-verified counterparties that survive staff turnover.
Acme Product · v3.2.1
Shared by acme.com · expires in 14 days
Components: 247 · Active CVEs: 3 · Licenses: 12
A live Trust Portal page, branded to your organization.
Depth where legacy tools stop short.
| Capability | SBOMVault | Lineaje | Anchore | Snyk |
|---|---|---|---|---|
| Generate from source (16 ecosystems) | ✓ | Partial | ✓ | ✓ |
| Native container image scan (+ private registries) | ✓ | — | ✓ | ✓ |
| CBOM / post-quantum readiness (CNSA 2.0) | ✓ | — | — | — |
| Automated fix PRs (GitHub + GitLab) | ✓ | — | — | ✓ |
| SBOM quality score | ✓ | — | Partial | — |
| Malicious / typosquat detection | ✓ | Partial | — | Partial |
| AI supply-chain discovery (LLM SDKs, MCP servers) | ✓ | Partial | — | — |
| AIBOM generation (CycloneDX) | ✓ | Partial | — | — |
| Software pipeline security posture (SCM/CI) | ✓ | — | — | — |
| Package firewall / curation gate (CI) | ✓ | — | — | Partial |
| Dynamic RBOM / agentless runtime analysis | ✓ | — | — | — |
| Function-level (symbol) reachability | ✓ | — | — | Partial |
| Binary analysis (deps in compiled artifacts) | ✓ | — | Partial | Partial |
| Runtime BOM / runtime-usage correlation | ✓ | — | — | — |
| Continuous monitoring (newly-disclosed CVEs, EOL, drift) | ✓ | Partial | Partial | Partial |
| End-of-life (EOL) runtime/OS tracking | ✓ | — | — | — |
| VaultScore prioritization | ✓ | Partial | — | Partial |
| AI assistant | ✓ | — | — | — |
| Trust portal (customer sharing) | ✓ | — | — | — |
| Redaction / controlled partial sharing (org-enforced) | ✓ | Partial | — | — |
| Org-to-org SBOM exchange (verified) | ✓ | — | — | — |
| CycloneDX 1.6 / SPDX 3.0 / SWID | ✓ | Partial | Partial | — |
| Vendor SBOM intake portal | ✓ | — | — | — |
| EU CRA conformity workflow | ✓ | Partial | — | — |
| Ed25519-signed 10-year tamper-evident audit log | ✓ | — | — | — |
Transparent plans. No procurement theater.
Starter
Free
For individuals and small teams establishing an SBOM program.
- 10 SBOMs
- 3 products
- 3 users
- REST API (3 keys)
- NTIA compliance check
- Community support
Growth
Recommended · $299
per month, or $249/mo billed annually
For growing teams that need full compliance coverage and integrations.
- 500 SBOMs (+packs)
- 50 products (+packs)
- 15 users (+seat packs)
- GitHub + Slack + GitLab
- All compliance frameworks
- TPRM + custom policies
- SSO add-on (SAML/OIDC)
Enterprise
$1,499
per month, billed annually · or $1,799/mo monthly
High-volume capacity sized to your contract, with the controls regulated institutions require.
- Capacity sized to your contract
- SSO + SCIM provisioning
- BYOK + KMS / HSM
- ABAC + dual-approval
- Vendor intake at any scale
- On-prem / private cloud
- 10-year audit log + SLA
Frequently asked questions
What is an SBOM?
A Software Bill of Materials is a machine-readable inventory of every component and dependency inside a piece of software — the basis for the disclosure now required by EO 14028, NTIA, FDA, and the EU Cyber Resilience Act.
How do I generate my first SBOM?
Connect a Git repository and we generate a CycloneDX or SPDX SBOM in seconds, or upload an existing one — we import SPDX (JSON, YAML, Tag-Value, RDF/XML, including 3.0), CycloneDX (JSON, XML, Protobuf), and SWID tags. No lockfile is required to start.
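As an added illustration (not SBOMVault's code), the block below checks a CycloneDX JSON document against the seven NTIA minimum elements referenced throughout this page (supplier, component name, version, unique identifier, dependency relationship, SBOM author, timestamp). The sample SBOM is constructed; the field names it reads (metadata.authors, metadata.timestamp, supplier.name, purl/cpe/swid, dependencies) are standard CycloneDX fields.

```python
import json

# Constructed sample CycloneDX 1.6 document: the app and lodash are fully
# described; left-pad lacks a supplier, a version and a unique identifier.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "metadata": {
        "timestamp": "2024-05-01T12:00:00Z",
        "authors": [{"name": "Example CI pipeline"}],
        "component": {"bom-ref": "app", "name": "acme-app", "version": "3.2.1",
                      "supplier": {"name": "Acme"}, "purl": "pkg:generic/acme-app@3.2.1"}},
    "components": [
        {"bom-ref": "lib-a", "name": "lodash", "version": "4.17.21",
         "supplier": {"name": "npm"}, "purl": "pkg:npm/lodash@4.17.21"},
        {"bom-ref": "lib-b", "name": "left-pad"}],
    "dependencies": [{"ref": "app", "dependsOn": ["lib-a", "lib-b"]}],
})

NTIA_ELEMENTS = ("author", "timestamp", "supplier", "component_name",
                 "version", "unique_id", "dependency_relationship")


def check_ntia_minimum_elements(sbom_json: str) -> dict:
    """Map each NTIA minimum element to its findings; an empty list means satisfied."""
    bom = json.loads(sbom_json)
    meta = bom.get("metadata", {})
    findings = {e: [] for e in NTIA_ELEMENTS}
    # Author of SBOM data: metadata.authors (CycloneDX 1.5+) or the generating tool.
    if not (meta.get("authors") or meta.get("tools")):
        findings["author"].append("metadata.authors missing")
    if not meta.get("timestamp"):
        findings["timestamp"].append("metadata.timestamp missing")
    # Per-component elements, including the top-level product in metadata.component.
    comps = ([meta["component"]] if meta.get("component") else []) + bom.get("components", [])
    for c in comps:
        label = c.get("bom-ref") or c.get("name") or "<unnamed>"
        if not c.get("name"):
            findings["component_name"].append(label)
        if not c.get("version"):
            findings["version"].append(label)
        if not (c.get("supplier") or {}).get("name"):
            findings["supplier"].append(label)
        if not (c.get("purl") or c.get("cpe") or c.get("swid")):
            findings["unique_id"].append(label)
    # Dependency relationship: every bom-ref must appear somewhere in the graph.
    deps = bom.get("dependencies", [])
    covered = {d.get("ref") for d in deps} | {r for d in deps for r in d.get("dependsOn", [])}
    refs = {c["bom-ref"] for c in comps if c.get("bom-ref")}
    findings["dependency_relationship"].extend(sorted(refs - covered))
    return findings
```

A document passes only when every list in the returned dict is empty; the sample fails on the three gaps in left-pad.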
Is my SBOM data secure?
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). A SOC 2 Type II audit is in progress with Schellman. Enterprise customers may bring their own encryption key and deploy on-premises.
Which compliance frameworks are supported?
NTIA Minimum Elements, EU Cyber Resilience Act, FDA premarket cybersecurity, DoD requirements, EO 14028, PCI DSS 4.0, ISO 27001:2022, and a Cryptographic Bill of Materials (CBOM) / post-quantum readiness check — plus custom frameworks, with new frameworks shipped within 60 days of final-rule publication.
Can I share SBOMs with customers and regulators?
Yes — tokenized, time-limited links with a full access audit trail, or organization-to-organization exchange to a domain-verified counterparty that imports the SBOM directly into their own tenant.
Bring institutional rigor to your software supply chain.
Stand up an audit-ready SBOM program in an afternoon — and show your regulators, customers, and board exactly what you ship.