Multi-engine analysis · CycloneDX · SPDX · Syft
Scan your SBOM with 12 analyses
One upload to normalize the SBOM, check quality, correlate CVEs, prioritize KEV and search every component.
12
analyses
4+
SBOM formats
50 MB
max file size
Free
no signup required
SBOM multi-engine check
Supports CycloneDX JSON/XML, SPDX JSON/tag-value, Syft JSON and common SBOM JSON shapes. Tables are capped for speed.
Keep your scans. Create a free account to save your scan history and results across devices, and use our API to scan from CI and pull results programmatically.
Selected file
CycloneDX / SPDX JSON
--
Private: scans run on our backend and are saved to your account when signed in. Anonymous scans are unlisted.
Engines and intelligence sources
SBOM formats
CycloneDX JSON/XML, SPDX JSON/tag-value, Syft JSON and common SBOM JSON shapes - format auto-detection.
CVE engines
Grype, OSV-Scanner, cve-bin-tool, Trivy, OSV.dev and CISA KEV in a single results grid.
SBOM quality
Scores versions, licenses, suppliers, PURL, CPE and hashes to catch SBOM generation mistakes.
Complete search
Search components, CVEs, licenses, PURL, CPE, suppliers and engine context from one view.
How it works
1 · Drop your SBOM
Drag in a CycloneDX, SPDX or Syft file. Format and spec version are detected automatically.
2 · Multi-engine analysis
Inventory, quality score, CVE correlation and KEV priority computed in parallel, multi-engine grid style.
3 · Decide with confidence
Verdict, actionable gaps, per-dependency posture and JSON/CSV exports for your release evidence.
CRA readiness
Solid SBOM evidence for your releases
The Cyber Resilience Act expects manufacturers to document vulnerability handling. Spot metadata gaps, prioritize known-exploited CVEs and export evidence - no certification claims, just verifiable facts.
Read the CRA and SBOM guideNTIA / quality gaps identified and explained
CISA KEV priority on every vulnerability
JSON and CSV exports for release evidence