API quickstart
Scan SBOMs from CI
The API lets you scan SBOMs straight from your pipeline and pull results programmatically. Create a token, POST an SBOM, gate your build on the verdict. Three steps, no SDK required.
In the examples below, $API is a placeholder. Set it to your deployment URL, for example https://your-deployment.example.com.
Step 1
Create an API token
Go to your account page and create an API token. The secret is shown once, so copy it then. Tokens start with the prefix
sct_.Step 2
Scan an SBOM
POST your SBOM file with your token as a Bearer credential:
curl -X POST "$API/api/v1/scan-sbom" \ -H "Authorization: Bearer $SBOM_CHECKER_TOKEN" \ -F "file=@sbom.cdx.json"The response is JSON and includes a
hashthat identifies the stored scan, along with the verdict and findings.Step 3
Fetch a stored result later
Retrieve a previous scan by its hash at any time:
curl "$API/api/v1/scan/<hash>"Results addressed by hash are unlisted but not secret: anyone with the hash can read that result, so treat the hash as you would an unlisted link.
CI example
GitHub Actions
Store your token as the repository secret SBOM_CHECKER_TOKEN. This job scans the SBOM, reads the verdict field with jq, and fails on anything other than a clean verdict. It needs nothing beyond curl and jq, both preinstalled on the runner.
name: SBOM scan
on: [push]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Scan SBOM and gate on verdict
env:
API: https://your-deployment.example.com
SBOM_CHECKER_TOKEN: ${{ secrets.SBOM_CHECKER_TOKEN }}
run: |
verdict=$(curl -sf -X POST "$API/api/v1/scan-sbom" \
-H "Authorization: Bearer $SBOM_CHECKER_TOKEN" \
-F "file=@sbom.cdx.json" | jq -r '.verdict')
echo "Verdict: $verdict"
if [ "$verdict" != "clean" ]; then
echo "Non-clean verdict, failing the job."
exit 1
fiToken scope
An API token authenticates scans and saves them to your account. It cannot manage your account: it will not change your settings, read your email or delete your data. Use the account page for that.
Full reference
Interactive API reference
Every endpoint, parameter and schema is documented in the interactive Swagger UI.
Open the API docs