Frequently Asked Questions
Common questions about SBOMs, software supply chain security, and the sbomify platform. Get answers about SBOM formats, compliance requirements, and getting started.
What is an SBOM?
An SBOM (Software Bill of Materials) is a machine-readable inventory of all components, libraries, and dependencies that make up a piece of software - like an ingredients list for your code.
Why do I need an SBOM?
You need an SBOM to track what's inside your software, respond quickly to vulnerabilities, meet regulatory requirements like the EU CRA, and build trust with customers and partners.
What SBOM formats does sbomify support?
sbomify supports both CycloneDX and SPDX - the two industry-standard SBOM formats - in JSON representation, with automatic validation against official schemas.
Can I convert between CycloneDX and SPDX?
Not reliably. CycloneDX and SPDX have different data models, so converting between them inevitably loses context. The best approach is to generate natively in the format you need.
Can I combine multiple SBOMs into one?
You can technically merge SBOMs, but it should generally be avoided because you lose the ability to tell where a particular component comes from. Use sbomify's hierarchy to link multiple SBOMs together instead.
Is sbomify free?
Yes - sbomify offers a free Community tier for open-source maintainers and hobby projects. Paid Business and Enterprise plans are available for teams that need private SBOMs and advanced features.
What is the EU Cyber Resilience Act (CRA)?
The EU Cyber Resilience Act (CRA) is a binding EU regulation requiring manufacturers of products with digital elements to provide SBOMs, handle vulnerabilities, and meet cybersecurity requirements throughout the product lifecycle.
How do I generate an SBOM?
The easiest way is with sbomify-action, which generates, enriches, and uploads SBOMs from your lockfiles or Docker images in CI/CD. You can also use standalone tools like Syft or Trivy.
What is a Trust Center?
A Trust Center is a public-facing page where organizations share security artifacts like SBOMs, compliance documents, and attestations with customers and partners - building transparency and trust.
How do I set up a Trust Center in sbomify? (Business+)
Go to Settings > Trust Center, enable it, and set your custom domain. Trust Center requires a Business plan or higher.
How do I enable the Transparency Exchange API (TEA) in sbomify? (Business+)
You can enable TEA from your workspace settings. TEA requires a Business plan or higher.
How do I upload compliance documents?
You can upload compliance documents (SOC 2, ISO 27001, CE certificates, etc.) to any project in sbomify by navigating to the project and using the Documents section.
How do I create a software release in sbomify?
Upload your component SBOMs first, then create a product release that points to specific SBOMs. Each SBOM can have its own version and be shared across multiple releases.
How do I delete a workspace?
You can delete a workspace from the workspace settings page. This permanently removes the workspace and all its data, including components, SBOMs, and documents.
How do I delete my account?
You can delete your account from Settings > Account > Delete Your Account. This permanently removes your account and all associated data.
How do I achieve NTIA/CISA minimum elements compliance?
Use sbomify-action's augmentation feature to automatically add required metadata like supplier info, authors, licenses, and lifecycle phase to your SBOMs - either via a local config file or centrally managed profiles in sbomify.
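As an added example (not sbomify's or sbomify-action's own code), the following Python checks a CycloneDX JSON SBOM for the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationship, author, timestamp) and then applies the kind of supplier/author augmentation the answer describes. The sample SBOM, supplier and author names are constructed for illustration.

```python
import json

# Constructed sample (not a real SBOM): a thin CycloneDX 1.5 document as a
# scanner might emit it, before augmentation adds supplier/author metadata.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {
        "timestamp": "2024-05-01T12:00:00Z",
        "component": {"type": "application", "name": "shop-api", "version": "2.3.0",
                      "bom-ref": "shop-api@2.3.0", "purl": "pkg:generic/shop-api@2.3.0"},
    },
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "bom-ref": "pkg:pypi/requests@2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "bom-ref": "urllib3"},  # no version, no purl
    ],
    "dependencies": [{"ref": "shop-api@2.3.0", "dependsOn": ["pkg:pypi/requests@2.31.0"]}],
})


def ntia_gaps(sbom_json: str) -> list[str]:
    """Return the NTIA minimum elements missing from a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_json)
    meta = bom.get("metadata", {})
    root = meta.get("component", {})
    gaps = []
    if not meta.get("timestamp"):
        gaps.append("metadata.timestamp missing")
    if not meta.get("authors"):  # author of the SBOM data
        gaps.append("metadata.authors missing")
    if not root.get("supplier", {}).get("name"):
        gaps.append("metadata.component.supplier.name missing")
    for comp in [root] + bom.get("components", []):
        label = comp.get("name") or "<unnamed>"
        if not comp.get("name"):
            gaps.append("component without a name")
        if not comp.get("version"):
            gaps.append(f"{label}: version missing")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            gaps.append(f"{label}: no unique identifier (purl/cpe/swid)")
    # Dependency relationship: the root component must declare what it depends on.
    if root.get("bom-ref") not in {d.get("ref") for d in bom.get("dependencies", [])}:
        gaps.append("dependencies: none declared for the root component")
    return gaps


def augment(sbom_json: str, supplier: str, author: str) -> str:
    """Add the supplier and author metadata that an augmentation step fills in."""
    bom = json.loads(sbom_json)
    meta = bom.setdefault("metadata", {})
    meta.setdefault("component", {})["supplier"] = {"name": supplier}
    meta["authors"] = [{"name": author}]
    return json.dumps(bom)
```

Augmentation closes the document-level gaps (supplier, author), but a component that the scanner could not version or identify stays a gap until the lockfile or image is fixed at the source.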
Still have questions?
Our team is here to help you get started with SBOMs and supply chain security.