Enable the OSV plugin in your workspace plugin settings. It is available on all plans. Once enabled, SBOMs are scanned automatically on upload and periodically re-scanned. Dependency Track is available on Business and Enterprise plans.
Walkthrough
How to enable
Vulnerability scanning is implemented as a plugin. To enable it:
- Navigate to your workspace Settings
- Go to the Plugins section
- Enable the OSV plugin (and/or Dependency Track if on a Business plan or above)
Once enabled, any SBOM you upload is automatically scanned for known vulnerabilities. When you enable the plugin, recent SBOMs are also retroactively scanned.
Re-scan frequency
sbomify periodically re-scans your SBOMs as vulnerability databases are updated. The frequency depends on your plan:
- Community (free) - weekly re-scans
- Business / Enterprise - daily re-scans
Scanning providers
Google OSV (all plans)
Google OSV is available on every plan, including the free Community tier. It provides precise, distributed vulnerability intelligence across a wide range of ecosystems, and it supports both CycloneDX and SPDX 2.x formats.
Dependency Track (Business+)
OWASP Dependency Track integration is available on Business plans and above for continuous component analysis. Dependency Track supports only the CycloneDX format. Enterprise customers can connect their own Dependency Track instance for unified visibility across their existing security tooling.
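To make the format rules above concrete, here is an added example (not sbomify's own code) that detects whether an uploaded SBOM is CycloneDX or SPDX 2.x, reports which of the two providers can scan it, and extracts the package URLs (purls) that an OSV lookup matches on, in the shape of the OSV querybatch request body. The sample SBOMs are constructed for the example; the function and variable names are the example's own.

```python
# Constructed sample SBOMs (not from the sbomify docs): a CycloneDX 1.5 and an SPDX 2.3 document.
CYCLONEDX_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "requests", "version": "2.25.0",
         "purl": "pkg:pypi/requests@2.25.0"},
        {"type": "library", "name": "internal-lib", "version": "1.0.0"},  # no purl: cannot be matched
    ],
}
SPDX_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "lodash", "versionInfo": "4.17.20",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
    ],
}

def detect_format(sbom):
    """Return 'cyclonedx', 'spdx-2.x' or None for a parsed JSON SBOM."""
    if sbom.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(sbom.get("spdxVersion", "")).startswith("SPDX-2."):
        return "spdx-2.x"
    return None

def providers_for(sbom):
    """Providers that can scan this SBOM: OSV takes both formats, Dependency Track only CycloneDX."""
    fmt = detect_format(sbom)
    if fmt == "cyclonedx":
        return ["osv", "dependency-track"]
    return ["osv"] if fmt == "spdx-2.x" else []

def extract_purls(sbom):
    """Collect purls; components without one are skipped since OSV cannot match them."""
    fmt = detect_format(sbom)
    if fmt == "cyclonedx":
        return [c["purl"] for c in sbom.get("components", []) if c.get("purl")]
    if fmt == "spdx-2.x":
        return [r["referenceLocator"] for p in sbom.get("packages", [])
                for r in p.get("externalRefs", []) if r.get("referenceType") == "purl"]
    return []

def osv_querybatch_payload(sbom):
    """Body for POST https://api.osv.dev/v1/querybatch, one query per purl (not sent here)."""
    return {"queries": [{"package": {"purl": p}} for p in extract_purls(sbom)]}
```

Components with no purl (the constructed internal-lib entry) drop out of the query, which is the usual reason a scan reports fewer packages than the SBOM lists.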