Multi-engine analysis · CycloneDX · SPDX · Syft

Scan your SBOM with 12 analyses

One upload to normalize the SBOM, check quality, correlate CVEs, prioritize KEV and search every component.

12

analyses

4+

SBOM formats

50 MB

max file size

Free

no signup required

SBOM multi-engine check

Supports CycloneDX JSON/XML, SPDX JSON/tag-value, Syft JSON and common SBOM JSON shapes. Tables are capped for speed.

Keep your scans. Create a free account to save your scan history and results across devices, and use our API to scan from CI and pull results programmatically.

Upload an SBOM. CycloneDX, SPDX or Syft (JSON, XML or tag-value). It is scanned instantly in your browser when offline, or by all engines when the backend is connected. Max 50 MB. No SBOM yet? Generate one at build time, see the Zephyr and Yocto tutorials. New here? Read How SBOM Total works.

Selected file

CycloneDX / SPDX JSON

SBOM sizemax 50 MB

--

Private: scans run on our backend and are saved to your account when signed in. Anonymous scans are unlisted.

CRA readiness

Solid SBOM evidence for your releases

The Cyber Resilience Act expects manufacturers to document vulnerability handling. Spot metadata gaps, prioritize known-exploited CVEs and export evidence - no certification claims, just verifiable facts.

Read the CRA and SBOM guide

NTIA / quality gaps identified and explained

CISA KEV priority on every vulnerability

JSON and CSV exports for release evidence