API quickstart

Scan SBOMs from CI

The API lets you scan SBOMs straight from your pipeline and pull results programmatically. Create a token, POST an SBOM, gate your build on the verdict. Three steps, no SDK required.

In the examples below, $API is a placeholder. Set it to your deployment URL, for example https://your-deployment.example.com.

  1. Step 1

    Create an API token

    Go to your account page and create an API token. The secret is shown once, so copy it then. Tokens start with the prefix sct_.

  2. Step 2

    Scan an SBOM

    POST your SBOM file with your token as a Bearer credential:

    curl -X POST "$API/api/v1/scan-sbom" \
      -H "Authorization: Bearer $SBOM_CHECKER_TOKEN" \
      -F "file=@sbom.cdx.json"

    The response is JSON and includes a hash that identifies the stored scan, along with the verdict and findings.

  3. Step 3

    Fetch a stored result later

    Retrieve a previous scan by its hash at any time:

    curl "$API/api/v1/scan/<hash>"

    Results addressed by hash are unlisted but not secret: anyone with the hash can read that result, so treat the hash as you would an unlisted link.

CI example

GitHub Actions

Store your token as the repository secret SBOM_CHECKER_TOKEN. This job scans the SBOM, reads the verdict field with jq, and fails on anything other than a clean verdict. It needs nothing beyond curl and jq, both preinstalled on the runner.

name: SBOM scan
on: [push]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan SBOM and gate on verdict
        env:
          API: https://your-deployment.example.com
          SBOM_CHECKER_TOKEN: ${{ secrets.SBOM_CHECKER_TOKEN }}
        run: |
          verdict=$(curl -sf -X POST "$API/api/v1/scan-sbom" \
            -H "Authorization: Bearer $SBOM_CHECKER_TOKEN" \
            -F "file=@sbom.cdx.json" | jq -r '.verdict')
          echo "Verdict: $verdict"
          if [ "$verdict" != "clean" ]; then
            echo "Non-clean verdict, failing the job."
            exit 1
          fi

Token scope

An API token authenticates scans and saves them to your account. It cannot manage your account: it will not change your settings, read your email or delete your data. Use the account page for that.

Full reference

Interactive API reference

Every endpoint, parameter and schema is documented in the interactive Swagger UI.

Open the API docs