Download an SBOM
Software Bills of Materials for every published image, in SPDX 2.3 and CycloneDX 1.5.
Each PodArmor image-version ships with a Software Bill of Materials (SBOM) in two industry-standard formats:
- SPDX 2.3 — the Linux Foundation's standard; widely required for federal procurement and most enterprise security questionnaires
- CycloneDX 1.5 — the OWASP standard; popular in tooling that integrates with dependency-vulnerability data
Both are generated by syft in the same scan that produces the CVE data, so the package inventory in the SBOM is exactly the inventory the vulnerability scanner saw.
From the portal
On any image's detail page, the SBOM tab has download buttons for both formats. The downloaded file is exactly what syft emitted, with no re-serialisation, so the checksum you compute over it matches the one a third party computes over syft's original output.
From the API
Programmatic access — useful for CI pipelines that need to attach an SBOM to a release artifact:
```
GET /api/docker-images/:imageId/versions/:versionId/sbom/spdx
GET /api/docker-images/:imageId/versions/:versionId/sbom/cyclonedx
```

Both endpoints return the file with the right Content-Type and filename, so curl -OJ saves it under the server-supplied name.
```
# Replace IMAGE_ID and VERSION_ID with values from the portal URL.
curl -OJ \
  -H "Authorization: Bearer $PODARMOR_TOKEN" \
  -H "X-Tenant: <your-subdomain>" \
  https://<your-subdomain>.app.podarmor.dev/api/docker-images/$IMAGE_ID/versions/$VERSION_ID/sbom/spdx
```

What's inside
A typical PodArmor SBOM has:
- Packages — OS packages (apt), language deps (Maven JARs, npm modules, Go modules), and the binaries we built from source
- Versions — exact versions for everything found in the image, with checksums where available
- Relationships — which package depends on which (full transitive graph)
- License info — SPDX license identifiers for each package
- Tool metadata — which syft version produced the SBOM and against which image digest
This is the same data a procurement reviewer parses programmatically when running their own SBOM-validation tools (Dependency-Track, Anchore Enterprise, etc.).
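As an added example (not PodArmor's own code), the script below does in Python what the curl call above does, then reads the fields listed under "What's inside" from either format: it normalises an SPDX 2.3 or CycloneDX 1.5 document into one inventory of name, version, license, SHA-256 and direct dependencies, extracts the producing tool, and checks that the SPDX and CycloneDX downloads for the same image agree on the package set. It assumes both endpoints return JSON (syft's default serialisation for both formats); the two embedded documents are constructed samples, not real syft output, and the subdomain, ids and token in the usage are placeholders.

```python
# Added example: normalise a PodArmor SBOM (SPDX 2.3 or CycloneDX 1.5 JSON).
# Assumption: the /sbom/spdx and /sbom/cyclonedx endpoints return JSON bodies.
import json
import urllib.request
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str        # SPDX license expression, or "NOASSERTION"
    sha256: str         # empty string when the SBOM carried no SHA-256
    depends_on: tuple   # names of direct dependencies, sorted


def sbom_url(subdomain, image_id, version_id, fmt):
    """Build the download URL from the endpoint pattern on this page."""
    if fmt not in ("spdx", "cyclonedx"):
        raise ValueError("fmt must be 'spdx' or 'cyclonedx'")
    return (f"https://{subdomain}.app.podarmor.dev/api/docker-images/"
            f"{image_id}/versions/{version_id}/sbom/{fmt}")


def fetch_sbom(subdomain, image_id, version_id, fmt, token):
    """Download one SBOM with the same two headers as the curl call (needs network)."""
    req = urllib.request.Request(sbom_url(subdomain, image_id, version_id, fmt),
                                 headers={"Authorization": f"Bearer {token}",
                                          "X-Tenant": subdomain})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def parse_spdx(doc):
    """SPDX 2.3: packages[] plus DEPENDS_ON relationships; tools come from creators."""
    by_id = {p["SPDXID"]: p for p in doc.get("packages", [])}
    deps = {pid: [] for pid in by_id}
    for rel in doc.get("relationships", []):
        src, dst = rel.get("spdxElementId"), rel.get("relatedSpdxElement")
        if rel.get("relationshipType") == "DEPENDS_ON" and src in by_id and dst in by_id:
            deps[src].append(by_id[dst]["name"])
    comps = []
    for pid, p in by_id.items():
        sha = next((c["checksumValue"] for c in p.get("checksums", [])
                    if c.get("algorithm") == "SHA256"), "")
        comps.append(Component(p["name"], p.get("versionInfo", ""),
                               p.get("licenseConcluded", "NOASSERTION"),
                               sha, tuple(sorted(deps[pid]))))
    creators = doc.get("creationInfo", {}).get("creators", [])
    tools = [c[len("Tool: "):] for c in creators if c.startswith("Tool: ")]
    return tools, sorted(comps, key=lambda c: c.name)


def parse_cyclonedx(doc):
    """CycloneDX 1.5: components[] keyed by bom-ref plus a dependencies[] graph."""
    by_ref = {c.get("bom-ref", c["name"]): c for c in doc.get("components", [])}
    deps = {ref: [] for ref in by_ref}
    for d in doc.get("dependencies", []):
        if d.get("ref") in by_ref:
            deps[d["ref"]] = [by_ref[r]["name"] for r in d.get("dependsOn", []) if r in by_ref]
    comps = []
    for ref, c in by_ref.items():
        lic = "NOASSERTION"
        for entry in c.get("licenses", []):   # {"expression": ...} or {"license": {"id": ...}}
            lic = entry.get("expression") or entry.get("license", {}).get("id", lic)
            break
        sha = next((h["content"] for h in c.get("hashes", []) if h.get("alg") == "SHA-256"), "")
        comps.append(Component(c["name"], c.get("version", ""), lic, sha, tuple(sorted(deps[ref]))))
    tools = doc.get("metadata", {}).get("tools", [])
    if isinstance(tools, dict):   # 1.5 also allows the {"components": [...]} shape
        tools = tools.get("components", [])
    return [f"{t['name']}-{t.get('version', '')}" for t in tools], sorted(comps, key=lambda c: c.name)


def parse_sbom(doc):
    """Dispatch on the document's self-declared format."""
    if str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        return parse_spdx(doc)
    if doc.get("bomFormat") == "CycloneDX":
        return parse_cyclonedx(doc)
    raise ValueError("not an SPDX 2.x or CycloneDX JSON document")


def inventory_diff(a, b):
    """(name, version) pairs present in only one inventory; empty when both agree."""
    return {(c.name, c.version) for c in a} ^ {(c.name, c.version) for c in b}


# Constructed samples trimmed to the fields read above (not real syft output).
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-image",
    "creationInfo": {"creators": ["Tool: syft-1.0.0"]},
    "packages": [
        {"SPDXID": "SPDXRef-openssl", "name": "openssl", "versionInfo": "3.0.11-1",
         "licenseConcluded": "Apache-2.0",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "11" * 32}]},
        {"SPDXID": "SPDXRef-myapp", "name": "myapp", "versionInfo": "1.2.0"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-myapp",
         "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-myapp", "relatedSpdxElement": "SPDXRef-openssl",
         "relationshipType": "DEPENDS_ON"}]}
CDX_SAMPLE = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"tools": {"components": [{"name": "syft", "version": "1.0.0"}]}},
    "components": [
        {"bom-ref": "pkg:deb/openssl@3.0.11-1", "type": "library", "name": "openssl",
         "version": "3.0.11-1", "licenses": [{"license": {"id": "Apache-2.0"}}],
         "hashes": [{"alg": "SHA-256", "content": "11" * 32}]},
        {"bom-ref": "pkg:generic/myapp@1.2.0", "type": "application", "name": "myapp",
         "version": "1.2.0"}],
    "dependencies": [{"ref": "pkg:generic/myapp@1.2.0", "dependsOn": ["pkg:deb/openssl@3.0.11-1"]}]}

if __name__ == "__main__":
    # Offline demo on the constructed samples; swap in fetch_sbom(...) for a live image.
    spdx_tools, spdx_inv = parse_sbom(SPDX_SAMPLE)
    cdx_tools, cdx_inv = parse_sbom(CDX_SAMPLE)
    print(spdx_tools, cdx_tools, "mismatches:", inventory_diff(spdx_inv, cdx_inv))
```

In a CI job you would call fetch_sbom twice (once per format) with the placeholder subdomain, ids and PODARMOR_TOKEN replaced by the values from the portal URL, and fail the build if inventory_diff returns anything, since both files come from the same syft scan and should describe the same package set.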