
SBOM Generation

Generate Software Bill of Materials for compliance and vulnerability management.

Overview

A Software Bill of Materials (SBOM) is a comprehensive inventory of software components in your infrastructure. Infracast generates SBOMs from discovered hosts, enabling compliance with Executive Order 14028 and helping you understand your software supply chain.

Supported Formats

SPDX 2.3

The Linux Foundation's SPDX format (SPDX 2.2.1 is published as ISO/IEC 5962:2021; 2.3 is the current 2.x release). SPDX is one of the formats NTIA accepts as meeting the EO 14028 minimum elements for an SBOM, which makes it the usual choice for federal procurement.

  • Industry-standard format
  • Wide tool compatibility
  • Federal compliance ready

CycloneDX 1.5

The OWASP standard designed specifically for security use cases.

  • Rich vulnerability data
  • License compliance
  • Dependency tracking

CSV Export

Simple spreadsheet format for custom analysis.

  • Easy to filter and sort
  • Import into existing tools
  • Quick reporting

What's Included

SBOMs capture software inventory from discovered hosts:

  • Operating System — Name, version, kernel
  • Installed Packages — Packages recorded by the host's package managers (apt, yum, pip, npm, etc.)
  • Running Services — Active software processes
  • Container Images — Docker/OCI image components
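The two machine-readable formats above carry the same inventory with different document structure. The following added example (not Infracast code) builds a minimal SPDX 2.3 JSON document and a CycloneDX 1.5 JSON document from a constructed host inventory covering the four item types listed under What's Included. The inventory dict, the document namespace and the tool name are assumptions; Infracast's real export schema is not shown on this page.

```python
"""Emit SPDX 2.3 and CycloneDX 1.5 JSON from a host software inventory (added example, not Infracast code)."""
import json
import uuid
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample inventory for one discovered host (not real discovery output).
HOST_INVENTORY = {
    "node_id": "aws:i-1234567890abcdef0",  # identifier style taken from the API example on this page
    "os": {"name": "ubuntu", "version": "22.04", "kernel": "5.15.0-1051-aws"},
    "packages": [
        {"manager": "apt", "name": "openssl", "version": "3.0.2-0ubuntu1.15"},
        {"manager": "pip", "name": "requests", "version": "2.31.0"},
        {"manager": "npm", "name": "lodash", "version": "4.17.21"},
    ],
    "containers": [
        {"image": "docker.io/library/nginx", "tag": "1.25.3", "digest": "sha256:" + "ab" * 32},
    ],
}

# Package-URL type name for each package manager (purl spec type names).
PURL_TYPES = {"apt": "deb", "yum": "rpm", "pip": "pypi", "npm": "npm"}


def purl(pkg: dict, distro: str) -> str:
    """Package-URL such as pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.15.
    The version is percent-encoded because Debian versions may contain '+' or ':'."""
    ptype = PURL_TYPES[pkg["manager"]]
    namespace = f"{distro}/" if ptype in ("deb", "rpm") else ""
    return f"pkg:{ptype}/{namespace}{pkg['name']}@{quote(pkg['version'], safe='')}"


def components(inv: dict) -> list:
    """Normalize OS, packages and container images into one record shape used by both emitters."""
    distro = inv["os"]["name"]
    out = [{"kind": "operating-system", "name": inv["os"]["name"],
            "version": inv["os"]["version"], "purl": None}]
    for pkg in inv["packages"]:
        out.append({"kind": "library", "name": pkg["name"],
                    "version": pkg["version"], "purl": purl(pkg, distro)})
    for img in inv["containers"]:
        repo, short = img["image"], img["image"].rsplit("/", 1)[-1]
        # OCI purls carry the digest as the version; repository and tag go in the qualifiers.
        oci = f"pkg:oci/{short}@{quote(img['digest'], safe='')}?repository_url={repo}&tag={img['tag']}"
        out.append({"kind": "container", "name": repo, "version": img["tag"], "purl": oci})
    return out


def _timestamp(now: str) -> str:
    return now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def to_spdx(inv: dict, now: str = "") -> dict:
    """SPDX 2.3 JSON: document header, one package per component, DESCRIBES relationships."""
    packages, relationships = [], []
    for i, c in enumerate(components(inv)):
        sid = f"SPDXRef-Package-{i}"  # SPDX IDs allow only letters, digits, '.' and '-'
        pkg = {"SPDXID": sid, "name": c["name"], "versionInfo": c["version"],
               "downloadLocation": "NOASSERTION", "filesAnalyzed": False}
        if c["purl"]:
            pkg["externalRefs"] = [{"referenceCategory": "PACKAGE-MANAGER",
                                    "referenceType": "purl", "referenceLocator": c["purl"]}]
        packages.append(pkg)
        relationships.append({"spdxElementId": "SPDXRef-DOCUMENT",
                              "relationshipType": "DESCRIBES", "relatedSpdxElement": sid})
    return {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"sbom-{inv['node_id']}",
        "documentNamespace": f"https://sbom.example.invalid/{uuid.uuid4()}",  # assumed namespace
        "creationInfo": {"created": _timestamp(now), "creators": ["Tool: sbom-example-0.1"]},
        "packages": packages, "relationships": relationships,
    }


def to_cyclonedx(inv: dict, now: str = "") -> dict:
    """CycloneDX 1.5 JSON: the host as metadata.component, typed components with purls, one dependency set."""
    comps = []
    for c in components(inv):
        entry = {"type": c["kind"], "name": c["name"], "version": c["version"],
                 "bom-ref": c["purl"] or f"{c['kind']}:{c['name']}"}
        if c["purl"]:
            entry["purl"] = c["purl"]
        comps.append(entry)
    comps[0]["properties"] = [{"name": "kernel", "value": inv["os"]["kernel"]}]
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "metadata": {"timestamp": _timestamp(now),
                     "tools": [{"name": "sbom-example", "version": "0.1"}],
                     "component": {"type": "device", "name": inv["node_id"], "bom-ref": inv["node_id"]}},
        "components": comps,
        "dependencies": [{"ref": inv["node_id"], "dependsOn": [c["bom-ref"] for c in comps]}],
    }


if __name__ == "__main__":
    print(json.dumps(to_spdx(HOST_INVENTORY), indent=2))
    print(json.dumps(to_cyclonedx(HOST_INVENTORY), indent=2))
```

The purl is what makes the two documents interchangeable for vulnerability matching: scanners key on it rather than on the free-text package name, so the distro namespace for deb/rpm packages and the percent-encoded version matter more than the document header.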

Generating SBOMs

Per-Host SBOM

  1. Navigate to Assets → Asset Explorer
  2. Select a host
  3. Click Generate SBOM
  4. Choose format (SPDX, CycloneDX, CSV)
  5. Download the file

Tenant-Wide SBOM

  1. Navigate to Reports → SBOM
  2. Click Generate Tenant SBOM
  3. Choose format and options
  4. Wait for generation (may take several minutes for large environments)
  5. Download when ready

CVE Enrichment

Infracast automatically enriches SBOMs with known vulnerabilities:

  • NVD Integration — CVE data from NIST National Vulnerability Database
  • KEV Tracking — CISA Known Exploited Vulnerabilities catalog
  • EPSS Scores — Exploit Prediction Scoring System probability and percentile

Vulnerable packages are flagged with:

  • CVE identifiers
  • Severity ratings (CVSS)
  • Exploitation status
  • Recommended versions

Compliance

Executive Order 14028

EO 14028 directs federal agencies to require an SBOM from suppliers of the software they procure, using the minimum elements defined by NTIA. Infracast helps by:

  • Generating compliant SPDX 2.3 format
  • Including the NTIA minimum-element fields: supplier, component name, version, unique identifiers, dependency relationships, SBOM author and timestamp
  • Tracking software inventory over time

FedRAMP

Supports FedRAMP inventory requirements with:

  • Automated software discovery
  • Version tracking
  • Vulnerability correlation

CMMC

Aligns with CMMC asset management requirements:

  • Component inventory
  • Configuration management
  • Vulnerability tracking

Best Practices

  1. Generate Regularly — Run SBOM generation weekly or after major deployments
  2. Track Changes — Compare SBOMs over time to identify new or removed software
  3. Prioritize by Risk — Focus remediation on packages with known exploited vulnerabilities
  4. Automate — Use the API to integrate SBOM generation into your CI/CD pipeline
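Tracking changes (practice 2) needs a diff that works on the exported documents themselves, and the two exports being compared may not even be in the same format. The following added example (not Infracast code) keys components by purl with the version stripped, so an upgrade shows as a version change rather than as one removal plus one addition, and compares an SPDX 2.3 export against a CycloneDX 1.5 export. Both documents are constructed, trimmed samples, not real Infracast output.

```python
"""Diff two SBOMs of the same host taken at different times (added example, not Infracast code)."""

# Constructed: last week's export as SPDX 2.3 JSON, trimmed to the fields the diff reads.
LAST_WEEK = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "openssl", "versionInfo": "3.0.2-0ubuntu1.14",
         "externalRefs": [{"referenceType": "purl",
                           "referenceLocator": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.14"}]},
        {"name": "lodash", "versionInfo": "4.17.20",
         "externalRefs": [{"referenceType": "purl", "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
        {"name": "ubuntu", "versionInfo": "22.04"},
    ],
}

# Constructed: today's export of the same host as CycloneDX 1.5 JSON.
TODAY = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.2-0ubuntu1.15",
         "purl": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.15"},
        {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "operating-system", "name": "ubuntu", "version": "22.04"},
    ],
}


def identity(purl: str) -> str:
    """Strip the version and qualifiers from a purl so upgrades diff as 'changed', not add+remove.
    Encoded '@' in scoped names (pkg:npm/%40scope/name@1.0) is untouched because it is '%40'."""
    base = purl.split("?", 1)[0]   # drop qualifiers such as ?repository_url=...
    return base.rsplit("@", 1)[0]  # drop @version


def package_map(doc: dict) -> dict:
    """Map component identity (purl without version, else the bare name) to its version."""
    out = {}
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            key = identity(c["purl"]) if c.get("purl") else c["name"]
            out[key] = c.get("version", "")
    elif "spdxVersion" in doc:
        for p in doc.get("packages", []):
            key = p["name"]
            for ref in p.get("externalRefs", []):
                if ref.get("referenceType") == "purl":
                    key = identity(ref["referenceLocator"])
            out[key] = p.get("versionInfo", "")
    else:
        raise ValueError("not an SPDX 2.x or CycloneDX JSON document")
    return out


def diff_sboms(old: dict, new: dict) -> dict:
    """Return added and removed components and (identity, old, new) version changes."""
    a, b = package_map(old), package_map(new)
    return {
        "added": sorted(k for k in b if k not in a),
        "removed": sorted(k for k in a if k not in b),
        "changed": sorted((k, a[k], b[k]) for k in a if k in b and a[k] != b[k]),
    }


if __name__ == "__main__":
    for kind, items in diff_sboms(LAST_WEEK, TODAY).items():
        print(f"{kind}: {items}")
```

Components without a purl (here the OS entry) fall back to their name, so a renamed component would appear as a removal and an addition; that is the correct result for anything a scanner could not match either.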

API Access

Generate SBOMs programmatically:

# Generate host SBOM
POST /api/v1/tenants/{id}/sbom/generate
{
  "node_id": "aws:i-1234567890abcdef0",
  "format": "spdx"
}

# Download SBOM
GET /api/v1/tenants/{id}/sbom/{sbom_id}/download

# Application-scoped SBOM
GET /api/v1/tenants/{id}/applications/{appID}/sbom?format=spdx

# Service-level SBOM (rolled up across all member apps)
GET /api/v1/tenants/{id}/services/{serviceID}/sbom?format=cyclonedx

# CVE exposure by business service
GET /api/v1/tenants/{id}/services/{serviceID}/cve-exposure

See the API Reference for full details.
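The generate and download calls above are the pair a CI job drives (practice 4 under Best Practices). The following added example (not Infracast client code) wraps them in a small client with an injectable HTTP transport so the same code runs in a pipeline and in an offline test. The endpoint paths and the POST body are the ones shown above; everything else is an assumption: that the generate response is JSON carrying "sbom_id", that the download URL answers 202 while generation is still running and 200 with the document once ready, that authentication is a Bearer token, and the INFRACAST_* environment variable names.

```python
"""Automate host SBOM generation from CI via the Infracast API (added example, not Infracast client code)."""
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# transport(method, url, body, headers) -> (status, body); injectable so tests can fake the server.
Transport = Callable[[str, str, Optional[bytes], dict], Tuple[int, bytes]]
FORMATS = ("spdx", "cyclonedx", "csv")  # the three formats this page lists


def urllib_transport(method: str, url: str, body: Optional[bytes], headers: dict) -> Tuple[int, bytes]:
    """Real HTTP transport on the standard library; non-2xx responses come back as (status, body)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class SbomClient:
    def __init__(self, base_url: str, tenant_id: str, token: str,
                 transport: Transport = urllib_transport,
                 sleep: Callable[[float], None] = time.sleep):
        self.base = base_url.rstrip("/")
        self.tenant = tenant_id
        self.token = token
        self.transport = transport
        self.sleep = sleep

    def _call(self, method: str, path: str, payload: Optional[dict] = None) -> Tuple[int, bytes]:
        body = json.dumps(payload).encode() if payload is not None else None
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}  # assumed auth scheme
        if body is not None:
            headers["Content-Type"] = "application/json"
        return self.transport(method, f"{self.base}/api/v1/tenants/{self.tenant}{path}", body, headers)

    def generate(self, node_id: str, fmt: str) -> str:
        """POST /sbom/generate; returns the sbom_id used by the download endpoint."""
        if fmt not in FORMATS:
            raise ValueError(f"format must be one of {FORMATS}, got {fmt!r}")
        status, body = self._call("POST", "/sbom/generate", {"node_id": node_id, "format": fmt})
        if status not in (200, 201, 202):
            raise RuntimeError(f"generate failed: HTTP {status}: {body[:200]!r}")
        return json.loads(body)["sbom_id"]  # assumed response field

    def download(self, sbom_id: str, poll_interval: float = 10.0, max_polls: int = 60) -> bytes:
        """GET /sbom/{sbom_id}/download, polling while the server says the SBOM is still being built."""
        for _ in range(max_polls):
            status, body = self._call("GET", f"/sbom/{sbom_id}/download")
            if status == 200:
                return body
            if status != 202:  # assumed: 202 means not ready yet; anything else is a hard failure
                raise RuntimeError(f"download failed: HTTP {status}: {body[:200]!r}")
            self.sleep(poll_interval)
        raise TimeoutError(f"SBOM {sbom_id} not ready after {max_polls} polls")

    def generate_and_download(self, node_id: str, fmt: str = "spdx") -> bytes:
        return self.download(self.generate(node_id, fmt))


if __name__ == "__main__":
    import os  # environment variable names are assumptions for this example
    client = SbomClient(os.environ["INFRACAST_URL"], os.environ["INFRACAST_TENANT"], os.environ["INFRACAST_TOKEN"])
    print(client.generate_and_download("aws:i-1234567890abcdef0", "spdx").decode())
```

Bound the poll loop rather than waiting forever: the page notes that tenant-wide generation can take several minutes, and a CI job that hangs on a stuck generation is worse than one that fails with a clear timeout.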


Application-Aware SBOM (Shipped 2026-04-18)

Infracast extends SBOM generation beyond per-host inventory to application and business service scopes.

Three Scopes

Scope             API                              Use Case
Host              GET /nodes/{nodeID}/sbom         Host-level audits, node compliance
Application       GET /applications/{appID}/sbom   App security reviews, dev team SBOMs
Business Service  GET /services/{serviceID}/sbom   Executive reporting, federal software attestation

(API paths are relative to /api/v1/tenants/{id}.)

UI View Modes

The SBOM page exposes three views toggled from the page header:

  • Infrastructure — per-host inventory (original view)
  • Application — packages unified across all resources in a named application
  • Business Service — full service rollup with CVE exposure table

CVE Exposure by Service

GET /api/v1/tenants/{id}/services/{serviceID}/cve-exposure

Returns a prioritized CVE list for the business service, including:

  • Package name and version
  • Affected applications and hosts
  • KEV (Known Exploited Vulnerability) flag
  • EPSS exploit probability score
  • Recommended fix version
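The fields returned here, together with the CVSS severity from the CVE Enrichment section, are what the Prioritize by Risk practice sorts on. The following added example (not Infracast code) ranks such records so that KEV entries outrank higher-CVSS findings, groups them by the single upgrade that closes them, and exposes a CI gate. The records are constructed in the shape this section lists; the CVE-EXAMPLE-n identifiers are placeholders rather than real CVEs, and the JSON field names of the cve-exposure endpoint are assumptions.

```python
"""Rank CVE exposure and group fixes by the upgrade that closes them (added example, not Infracast code)."""
from collections import defaultdict

# Constructed records in the shape of a cve-exposure response; IDs are placeholders, not real CVEs.
CVE_EXPOSURE = [
    {"cve": "CVE-EXAMPLE-1", "package": "openssl", "version": "3.0.2-0ubuntu1.14", "cvss": 7.5,
     "kev": False, "epss": 0.012, "fix_version": "3.0.2-0ubuntu1.15",
     "applications": ["payments-api"], "hosts": ["aws:i-0a", "aws:i-0b"]},
    {"cve": "CVE-EXAMPLE-2", "package": "openssl", "version": "3.0.2-0ubuntu1.14", "cvss": 5.9,
     "kev": True, "epss": 0.41, "fix_version": "3.0.2-0ubuntu1.15",
     "applications": ["payments-api", "ledger"], "hosts": ["aws:i-0a", "aws:i-0b", "aws:i-0c"]},
    {"cve": "CVE-EXAMPLE-3", "package": "lodash", "version": "4.17.20", "cvss": 9.8,
     "kev": False, "epss": 0.05, "fix_version": "4.17.21",
     "applications": ["ledger"], "hosts": ["aws:i-0c"]},
    {"cve": "CVE-EXAMPLE-4", "package": "requests", "version": "2.30.0", "cvss": 6.1,
     "kev": False, "epss": 0.002, "fix_version": "2.31.0",
     "applications": ["payments-api"], "hosts": ["aws:i-0a"]},
]


def risk_key(rec: dict) -> tuple:
    """Sort key: KEV entries first, then higher EPSS, then higher CVSS, then more affected hosts."""
    return (not rec["kev"], -rec["epss"], -rec["cvss"], -len(rec["hosts"]))


def rank_cves(records: list) -> list:
    """Most urgent first. A KEV entry with CVSS 5.9 lands above a CVSS 9.8 that nobody exploits."""
    return sorted(records, key=risk_key)


def remediation_plan(records: list) -> list:
    """Group CVEs by (package, current version, fix version): one upgrade can close several findings.
    Ordered by KEV count, then number of CVEs closed, then number of hosts touched."""
    groups = defaultdict(lambda: {"cves": [], "kev": 0, "hosts": set(), "applications": set()})
    for rec in records:
        g = groups[(rec["package"], rec["version"], rec["fix_version"])]
        g["cves"].append(rec["cve"])
        g["kev"] += int(rec["kev"])
        g["hosts"].update(rec["hosts"])
        g["applications"].update(rec["applications"])
    plan = [{"package": pkg, "from": current, "to": fix, "cves": sorted(g["cves"]),
             "kev_cves": g["kev"], "hosts": sorted(g["hosts"]),
             "applications": sorted(g["applications"])}
            for (pkg, current, fix), g in groups.items()]
    return sorted(plan, key=lambda p: (-p["kev_cves"], -len(p["cves"]), -len(p["hosts"])))


def gate(records: list, epss_threshold: float = 0.1) -> list:
    """CI gate: CVE IDs that should block a deploy, i.e. anything in KEV or at or above the EPSS threshold."""
    return [r["cve"] for r in rank_cves(records) if r["kev"] or r["epss"] >= epss_threshold]


if __name__ == "__main__":
    for rec in rank_cves(CVE_EXPOSURE):
        print(rec["cve"], rec["package"], "KEV" if rec["kev"] else "   ", rec["epss"], rec["cvss"])
    for step in remediation_plan(CVE_EXPOSURE):
        print(f"upgrade {step['package']} {step['from']} -> {step['to']} closes {step['cves']} on {step['hosts']}")
    print("blocking:", gate(CVE_EXPOSURE))
```

Sorting by CVSS alone would put the unexploited lodash finding first; sorting on KEV and EPSS first puts the openssl upgrade at the top, and the grouping shows that one package bump on three hosts closes two findings, one of them exploited in the wild.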

No competitor offers service-scoped SBOM — this is a differentiated capability unique to Infracast.