Integrations

Seamlessly integrate SBOM generation, analysis, and enrichment into your existing workflow.

CI/CD & Generation

Generate SBOMs automatically in your pipelines. We support all major CI/CD providers.

GitHub is at the core of many organizations. Our GitHub Action makes integration straightforward.

- name: Upload SBOM
  uses: sbomify/github-action@master
  env:
    TOKEN: ${{ secrets.SBOMIFY_TOKEN }}  # secret name assumed; the page's value was lost in extraction, this mirrors $SBOMIFY_TOKEN in the GitLab template
    COMPONENT_ID: 'my-component-id'
    LOCK_FILE: 'requirements.txt'
    COMPONENT_NAME: 'my-awesome-app'
    COMPONENT_VERSION: ${{ github.sha }}  # assumed; the commit SHA, as $CI_COMMIT_SHA is in the GitLab template
    AUGMENT: true
    ENRICH: true

For GitLab users, we provide a dedicated pipeline template.

generate-sbom:
  image: sbomifyhub/sbomify-action
  variables:
    TOKEN: $SBOMIFY_TOKEN
    COMPONENT_ID: 'Your Component ID'
    UPLOAD: "true"
    AUGMENT: "true"
    ENRICH: "true"
    COMPONENT_NAME: 'my-python-app'
    COMPONENT_VERSION: $CI_COMMIT_SHA
    LOCK_FILE: 'poetry.lock'
    OUTPUT_FILE: 'sbom.cdx.json'
  script:
    - sbomify-action

Seamlessly integrate with Bitbucket Pipelines using our official pipe.

- step:
    name: Build SBOM
    script:
      - pipe: docker://sbomifyhub/sbomify-action:latest
        variables:
          TOKEN: $SBOMIFY_TOKEN
          COMPONENT_ID: "Your Component ID"
          UPLOAD: "true"
          AUGMENT: "true"
          ENRICH: "true"
          COMPONENT_NAME: "my-python-app"
          COMPONENT_VERSION: $BITBUCKET_COMMIT
          LOCK_FILE: "poetry.lock"
          OUTPUT_FILE: "bitbucket-sbom.cdx.json"

Docker Universal Support

For any other CI/CD system, you can use our Docker image directly.

docker run --rm \
  -v $(pwd):/code \
  -e TOKEN=<my token> \
  -e COMPONENT_ID=<my component id> \
  -e LOCK_FILE=/code/requirements.txt \
  -e OUTPUT_FILE=/code/sbom.cdx.json \
  -e COMPONENT_NAME=my-app \
  -e ENRICH=true \
  sbomifyhub/sbomify-action

Vulnerability Analysis

Comprehensive scanning powered by industry-leading databases.

Google OSV

We integrate with the Open Source Vulnerability (OSV) database to provide precise, distributed vulnerability intelligence across a wide range of ecosystems.

Dependency Track

Leverage the power of OWASP Dependency-Track for continuous component analysis.

Enterprise

Bring Your Own: Enterprise customers can connect their existing Dependency Track instance for unified visibility.

Enrichment Data Sources

We integrate with 11 data sources to add metadata to your SBOM components: descriptions, licenses, supplier information, and more.

Pre-computed Databases (Fastest)

Local data with zero network latency. Checked first for maximum performance.

LicenseDB

Pre-computed license database covering 28 Linux distro versions. Provides authoritative license data for APK, DEB, and RPM packages.

pkg:apk/* pkg:deb/* pkg:rpm/*

Lifecycle Database

CLE lifecycle dates (release, end-of-support, end-of-life) for major runtimes and frameworks following ECMA-428.

Python PHP Go Rust Django Rails +more

Native Package Registries

Authoritative data direct from the ecosystem's official source.

PyPI

Python Package Index

pkg:pypi/*

crates.io

Rust Package Registry

pkg:cargo/*

pub.dev

Dart/Flutter Packages

pkg:pub/*

Debian Sources

Debian Package Archive

pkg:deb/debian/*

Package Aggregators

Multi-ecosystem services providing broad coverage.

deps.dev

Google

Open source dependency insights from Google. Covers most major ecosystems.

Ecosyste.ms

Community-driven package metadata and project health metrics across ecosystems.

Fallback Sources

Additional coverage when primary sources do not have data.

PURL Extraction

Local extraction from package URLs. Maps namespaces to suppliers without API calls.

ClearlyDefined

Community-curated license and metadata for open source components.

Repology

Cross-distribution package tracking for Linux packages.

How it works: Enrichment happens automatically when using our GitHub Action or CLI with the enrich flag.

ENRICH=true or --enrich
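The tiers above describe an ordered lookup: pre-computed databases first, then the ecosystem's native registry, then aggregators, then fallbacks. The following Python is an added example, not sbomify's own code, that turns that description into a per-component source plan for a CycloneDX SBOM and derives a supplier locally the way the PURL Extraction fallback does. The source names, tiers and PURL patterns are the ones on this page; the minimal PURL parser, the rules for sources the page does not pin to a PURL type, the namespace-to-supplier table and the sample SBOM are constructed for illustration and are assumptions.

```python
"""Added example, not sbomify's own code: decide which enrichment sources to consult, and
in which order, for each component PURL in a CycloneDX SBOM. The four tiers, the source
names and the PURL patterns are the ones listed on this page; the order follows the page's
"checked first" / "fallback" description. The parser, the rules for sources the page does
not pin to a PURL type, the namespace-to-supplier table and the sample SBOM are
constructed for illustration and are assumptions, not sbomify behaviour."""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(purl: str) -> Purl:
    """Minimal package-URL parser: pkg:type/namespace/name@version (qualifiers, subpath dropped)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0].strip("/")
    version = None
    at = body.rfind("@")
    if at > body.rfind("/"):  # an '@' after the last '/' separates name from version
        body, version = body[:at], body[at + 1:]
    parts = body.split("/")
    if len(parts) < 2 or not parts[-1]:
        raise ValueError(f"package URL has no name: {purl}")
    namespace = "/".join(parts[1:-1]) or None
    return Purl(parts[0], namespace, parts[-1], version)


# Tier 1: pre-computed databases, checked first (page: LicenseDB covers apk/deb/rpm;
# the Lifecycle Database covers major runtimes and frameworks, "+more" beyond this subset).
LICENSEDB_TYPES = {"apk", "deb", "rpm"}
LIFECYCLE_PRODUCTS = {"python", "php", "go", "rust", "django", "rails"}
# Tier 2: native registries keyed by PURL type; Debian Sources needs the debian namespace.
NATIVE_REGISTRIES = {"pypi": "PyPI", "cargo": "crates.io", "pub": "pub.dev"}
# Tier 3: aggregators, consulted for every ecosystem (assumption: deps.dev "covers most").
AGGREGATORS = ["deps.dev", "Ecosyste.ms"]
# Tier 4: fallbacks; Repology only makes sense for Linux distribution packages.
LINUX_TYPES = {"apk", "deb", "rpm"}
# Constructed namespace -> supplier table for the local, API-free "PURL Extraction" source.
NAMESPACE_SUPPLIERS = {("deb", "debian"): "Debian", ("deb", "ubuntu"): "Canonical",
                       ("rpm", "fedora"): "Fedora Project", ("apk", "alpine"): "Alpine Linux"}


def enrichment_plan(purl: Purl) -> list:
    """Ordered list of sources to try; a real enricher stops at the first one with data."""
    plan = []
    if purl.type in LICENSEDB_TYPES:
        plan.append("LicenseDB")
    if purl.name.lower() in LIFECYCLE_PRODUCTS:
        plan.append("Lifecycle Database")
    if purl.type in NATIVE_REGISTRIES:
        plan.append(NATIVE_REGISTRIES[purl.type])
    if purl.type == "deb" and purl.namespace == "debian":
        plan.append("Debian Sources")
    plan.extend(AGGREGATORS)
    plan.extend(["PURL Extraction", "ClearlyDefined"])
    if purl.type in LINUX_TYPES:
        plan.append("Repology")
    return plan


def supplier_from_purl(purl: Purl) -> Optional[str]:
    """Derive a supplier locally from the PURL namespace, with no network call."""
    key = (purl.type, purl.namespace)
    if key in NAMESPACE_SUPPLIERS:
        return NAMESPACE_SUPPLIERS[key]
    if purl.type in {"github", "bitbucket"} and purl.namespace:
        return purl.namespace  # the owning account or organisation
    return None


# Constructed CycloneDX document, trimmed to the fields this example reads.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "django", "version": "5.0", "purl": "pkg:pypi/django@5.0"},
        {"type": "library", "name": "curl", "version": "7.88.1-10", "purl": "pkg:deb/debian/curl@7.88.1-10"},
        {"type": "library", "name": "serde", "version": "1.0.197", "purl": "pkg:cargo/serde@1.0.197"},
        {"type": "library", "name": "internal-lib", "version": "1.0.0"},  # no PURL: nothing to look up
    ],
}


def plan_sbom(sbom: dict) -> dict:
    """Map every PURL-bearing component to its source order and any locally derived supplier."""
    out = {}
    for comp in sbom.get("components", []):
        ref = comp.get("purl")
        if not ref:
            continue
        p = parse_purl(ref)
        out[ref] = {"sources": enrichment_plan(p), "supplier": supplier_from_purl(p)}
    return out


if __name__ == "__main__":
    print(json.dumps(plan_sbom(SAMPLE_SBOM), indent=2))
```

Components without a PURL are skipped, which is the practical reason to make sure your lock file produces PURLs for everything you ship: a component the enricher cannot identify gets no license, supplier or lifecycle data from any tier.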

Augmentation Providers

Add organizational metadata to your SBOM: supplier info, manufacturer details, VCS context, and more.

sbomify API

Pull organizational metadata from your sbomify workspace: supplier, manufacturer, authors, and declared license.

Local Config

Override metadata via sbomify.json in your repository for supplier, authors, license, and VCS info.

CI/CD Auto-Detection

Automatically detects VCS URL, commit SHA, and branch from GitHub Actions, GitLab CI, and Bitbucket Pipelines environment variables.

Fields Added

Supplier, manufacturer, authors, license, lifecycle phase, repository URL, commit SHA, branch/ref.

How it works: Augmentation pulls metadata from sbomify and your CI environment.

AUGMENT=true or --augment
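The three providers above feed one metadata block: workspace metadata from the sbomify API, a per-repository sbomify.json override, and VCS context auto-detected from the CI environment. The Python below is an added example, not sbomify's own code, showing how those inputs combine into the CycloneDX metadata fields this page lists. The workspace record is a constructed stand-in for an API response; the sbomify.json key names, the precedence (local file overrides the workspace, local VCS values override CI detection) and the `example:vcs:*` property names are assumptions; the CI variables (GITHUB_REPOSITORY, GITHUB_SHA, GITHUB_REF_NAME, CI_PROJECT_URL, CI_COMMIT_SHA, CI_COMMIT_REF_NAME, BITBUCKET_GIT_HTTP_ORIGIN, BITBUCKET_COMMIT, BITBUCKET_BRANCH) are the ones each CI provider documents.

```python
"""Added example, not sbomify's own code: augment a CycloneDX SBOM's metadata with the
fields this page lists (supplier, manufacturer, authors, license, lifecycle phase,
repository URL, commit SHA, branch/ref) from the three provider kinds it names. The
workspace record stands in for what the sbomify API would return; the sbomify.json keys,
the precedence (local file overrides workspace; local VCS values override CI auto-detection)
and the 'example:vcs:*' property names are assumptions made for this example."""
import copy
import json
import os


def detect_vcs(env: dict) -> dict:
    """Auto-detect repository URL, commit SHA and branch/ref from CI environment variables."""
    if "GITHUB_REPOSITORY" in env:  # GitHub Actions
        server = env.get("GITHUB_SERVER_URL", "https://github.com")
        return {"url": f"{server}/{env['GITHUB_REPOSITORY']}",
                "commit": env.get("GITHUB_SHA"), "ref": env.get("GITHUB_REF_NAME")}
    if "CI_PROJECT_URL" in env:  # GitLab CI
        return {"url": env["CI_PROJECT_URL"], "commit": env.get("CI_COMMIT_SHA"),
                "ref": env.get("CI_COMMIT_REF_NAME")}
    if "BITBUCKET_COMMIT" in env:  # Bitbucket Pipelines
        return {"url": env.get("BITBUCKET_GIT_HTTP_ORIGIN"), "commit": env["BITBUCKET_COMMIT"],
                "ref": env.get("BITBUCKET_BRANCH")}
    return {}


def load_local_config(path: str = "sbomify.json") -> dict:
    """Read the optional per-repository override file; an absent file means no overrides."""
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def augment(sbom: dict, workspace: dict, local_config: dict, env: dict, phase: str = "build") -> dict:
    """Return a copy of `sbom` with organisational and VCS metadata filled in."""
    sbom = copy.deepcopy(sbom)
    merged = {**workspace, **local_config}            # local sbomify.json wins (assumed precedence)
    vcs = {**detect_vcs(env), **local_config.get("vcs", {})}
    meta = sbom.setdefault("metadata", {})
    if "supplier" in merged:
        meta["supplier"] = merged["supplier"]
    if "manufacturer" in merged:
        meta["manufacture"] = merged["manufacturer"]  # CycloneDX 1.5 spells this key "manufacture"
    if "authors" in merged:
        meta["authors"] = merged["authors"]
    if "license" in merged:
        meta["licenses"] = [{"license": {"id": merged["license"]}}]
    meta["lifecycles"] = [{"phase": phase}]           # CycloneDX 1.5 lifecycle phase
    comp = meta.setdefault("component", {})
    if vcs.get("url"):
        refs = [r for r in comp.get("externalReferences", []) if r.get("type") != "vcs"]
        refs.append({"type": "vcs", "url": vcs["url"]})
        comp["externalReferences"] = refs
    props = [p for p in comp.get("properties", []) if not p["name"].startswith("example:vcs:")]
    for key in ("commit", "ref"):
        if vcs.get(key):
            props.append({"name": f"example:vcs:{key}", "value": vcs[key]})
    if props:
        comp["properties"] = props
    return sbom


# Constructed inputs: a bare SBOM, a stand-in workspace record, a local override, and a
# GitHub Actions environment (the commit SHA is a made-up value).
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5",
               "metadata": {"component": {"type": "application", "name": "my-awesome-app"}},
               "components": []}
WORKSPACE = {"supplier": {"name": "Example Corp", "url": ["https://example.com"]},
             "manufacturer": {"name": "Example Corp"},
             "authors": [{"name": "Platform Team", "email": "platform@example.com"}],
             "license": "Apache-2.0"}
LOCAL_CONFIG = {"license": "MIT", "authors": [{"name": "App Team"}], "vcs": {"ref": "release/1.0"}}
CI_ENV = {"GITHUB_SERVER_URL": "https://github.com", "GITHUB_REPOSITORY": "example/my-awesome-app",
          "GITHUB_SHA": "0123456789abcdef0123456789abcdef01234567", "GITHUB_REF_NAME": "main"}


if __name__ == "__main__":
    print(json.dumps(augment(SAMPLE_SBOM, WORKSPACE, LOCAL_CONFIG, CI_ENV), indent=2))
```

Running it with `os.environ` in place of CI_ENV inside a pipeline picks up the provider automatically; outside CI, `detect_vcs` returns nothing and only the workspace and local-file fields are written, so the commit SHA in the SBOM is never silently wrong.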