Curated references
Resources for SBOM and supply chain
The official formats, scanners, vulnerability databases and regulations behind this tool. Every link points to its canonical source.
SBOM formats
Scanners and tools
Syft
Anchore tool that generates SBOMs from images, filesystems and archives.
Grype
Anchore vulnerability scanner that matches components against known CVEs.
OSV-Scanner
Google scanner that checks dependencies against the OSV database.
Trivy
Aqua Security scanner with broad CVE coverage across OS packages and language ecosystems.
cve-bin-tool
Intel tool that finds known-vulnerable components in compiled binaries.
sbomqs
Interlynk tool that scores the quality and completeness of an SBOM.
ntia-conformance-checker
Checks whether an SBOM meets the NTIA minimum elements baseline.
Vulnerability intelligence
OSV.dev
Open-source vulnerability database with an API for querying advisories by package.
NVD
The US National Vulnerability Database, the reference source for CVE records and CVSS scores.
CISA KEV catalog
CISA list of vulnerabilities confirmed to be exploited in the wild.
FIRST EPSS
Exploit Prediction Scoring System estimating the likelihood of exploitation.
Put these tools to work
Upload an SBOM to run all of these engines at once, or read what each of the twelve analyses does.