SBOM Export
Code Audit assessments can export a Software Bill of Materials as CycloneDX 1.5 or SPDX 2.3 JSON. Use this when a vendor questionnaire, customer security review, procurement process, or supply-chain tool asks for a machine-readable component inventory.
AISafe builds the SBOM from the same dependency inventory shown in the Dependency Risk panel. The exported file is downloaded from the assessment detail page when SBOM export is enabled for your organization.
What the export contains
- package name, ecosystem, and version when codeling can resolve one;
- package URL (purl) coordinates where the ecosystem is known;
- dependency scope, such as production or development;
- license, homepage, and description when the manifest or lockfile provides them.
Formats
| Format | Use it for |
|---|---|
| CycloneDX 1.5 | Dependency-Track, OWASP/NTIA-style SBOM workflows, and modern supply-chain security tooling. |
| SPDX 2.3 | Procurement, legal, licensing, and ecosystem workflows that standardize on SPDX. |
Coverage caveats
The SBOM reflects source dependency metadata AISafe can extract from manifests and lockfiles. It is not a runtime attestation and should not be treated as a complete inventory of every component loaded in production.
- Lockfiles provide the strongest version confidence.
- Manifest ranges may not identify the exact installed version.
- Transitive coverage depends on ecosystem and lockfile availability.
- OSV vulnerability enrichment remains visible in the Dependency Risk panel; VEX-enriched SBOM output is not part of this export.
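As an added example (not AISafe's own code), the following Python reads an exported CycloneDX 1.5 JSON document and reports what the field list and the caveats above say to watch for: components whose version is absent or only a manifest range, components with no purl, and counts per dependency scope. The SBOM embedded in it is a constructed sample, and the mapping of AISafe's production/development scope onto CycloneDX's `required`/`optional` values is an assumption.

```python
import json
import re

# Constructed sample of a CycloneDX 1.5 JSON export. Field names follow the
# CycloneDX 1.5 schema; the component values are made up for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0", "scope": "required",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # Version taken from a manifest range rather than a lockfile.
        {"type": "library", "name": "pytest", "version": ">=7.0",
         "purl": "pkg:pypi/pytest", "scope": "optional"},
        # Ecosystem could not be resolved: no version, no purl.
        {"type": "library", "name": "left-pad", "scope": "required"},
    ],
})

# Characters that indicate a version range/constraint instead of a pin.
RANGE_CHARS = re.compile(r"[<>=^~*]|\s-\s")


def review_sbom(sbom_text: str) -> dict:
    """Summarise a CycloneDX JSON SBOM against the coverage caveats.

    Returns the spec version, a total, counts per scope, the names of
    components whose version is missing or a range, and the names of
    components that carry no purl.
    """
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    summary = {"spec_version": bom.get("specVersion"), "total": 0,
               "by_scope": {}, "unpinned": [], "missing_purl": []}
    for comp in bom.get("components", []):
        summary["total"] += 1
        # CycloneDX treats an absent scope as "required".
        scope = comp.get("scope", "required")
        summary["by_scope"][scope] = summary["by_scope"].get(scope, 0) + 1
        version = comp.get("version")
        if not version or RANGE_CHARS.search(version):
            summary["unpinned"].append(comp["name"])
        if not comp.get("purl"):
            summary["missing_purl"].append(comp["name"])
    return summary
```

Components listed under `unpinned` are the ones a downstream scanner cannot match reliably, so they are the first place to look when the export and the Dependency Risk panel disagree.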