
Download an SBOM

Software Bills of Materials for every published image, in SPDX 2.3 and CycloneDX 1.5.

Each PodArmor image-version ships with a Software Bill of Materials (SBOM) in two industry-standard formats:

  • SPDX 2.3 — the Linux Foundation's standard; widely required for federal procurement and most enterprise security questionnaires
  • CycloneDX 1.5 — the OWASP standard; popular in tooling that integrates with dependency-vulnerability data

Both are generated by syft in the same scan that produces the CVE data, so the SBOM describes exactly the package set the scanner saw: there is no second pass that could drift from the scanned image.

From the portal

On any image's detail page, the SBOM tab has download buttons for both formats. The downloaded file is exactly what syft emitted, with no re-serialisation, so a checksum you compute locally matches one computed by any third party verifying the same artifact.

From the API

Programmatic access — useful for CI pipelines that need to attach an SBOM to a release artifact:

GET /api/docker-images/:imageId/versions/:versionId/sbom/spdx
GET /api/docker-images/:imageId/versions/:versionId/sbom/cyclonedx

Both endpoints return the file with the correct Content-Type and a Content-Disposition filename, so curl -OJ saves it under its original name.

# Replace IMAGE_ID and VERSION_ID with values from the portal URL.
curl -OJ \
  -H "Authorization: Bearer $PODARMOR_TOKEN" \
  -H "X-Tenant: <your-subdomain>" \
  https://<your-subdomain>.app.podarmor.dev/api/docker-images/$IMAGE_ID/versions/$VERSION_ID/sbom/spdx

What's inside

A typical PodArmor SBOM has:

  • Packages — OS packages (apt), language deps (Maven JARs, npm modules, Go modules), and the binaries we built from source
  • Versions — exact versions for everything found in the image, with checksums where available
  • Relationships — which package depends on which (full transitive graph)
  • License info — SPDX license identifiers for each package
  • Tool metadata — which syft version produced the SBOM and against which image digest

This is the same data a procurement reviewer parses when running their own SBOM-validation tooling (Dependency-Track, Anchore Enterprise, etc.).
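The fields listed above are what a consumer of these SBOMs actually reads. The following is an added example, not PodArmor's or syft's code, that normalises either format into one inventory and then answers the questions a reviewer typically asks: which tool produced the document, what a package pulls in transitively, and which packages lack a license identifier or a checksum. It reads the SPDX 2.3 JSON and CycloneDX 1.5 JSON field names as published in those specifications; the two embedded documents are constructed samples, not real PodArmor output, and the package names in them are placeholders.

```python
import json
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Package:
    ref: str                        # SPDXID or CycloneDX bom-ref
    name: str
    version: str
    license: Optional[str]          # SPDX identifier/expression, None if not asserted
    checksums: Dict[str, str]       # algorithm -> hex digest
    depends_on: List[str] = field(default_factory=list)


def _from_spdx(doc):
    # SPDX records tools as "Tool: <name>" strings in creationInfo.creators
    tools = [c.split(":", 1)[1].strip()
             for c in doc["creationInfo"]["creators"] if c.startswith("Tool:")]
    pkgs = {}
    for p in doc.get("packages", []):
        lic = p.get("licenseConcluded") or p.get("licenseDeclared")
        pkgs[p["SPDXID"]] = Package(
            ref=p["SPDXID"], name=p["name"], version=p.get("versionInfo", ""),
            license=None if lic in (None, "NOASSERTION", "NONE") else lic,
            checksums={c["algorithm"]: c["checksumValue"] for c in p.get("checksums", [])})
    for r in doc.get("relationships", []):
        a, b, t = r["spdxElementId"], r["relatedSpdxElement"], r["relationshipType"]
        if t == "DEPENDS_ON" and a in pkgs:
            pkgs[a].depends_on.append(b)
        elif t == "DEPENDENCY_OF" and b in pkgs:   # "A is a dependency of B": B depends on A
            pkgs[b].depends_on.append(a)
    return {"format": doc["spdxVersion"], "tools": tools, "packages": pkgs}


def _from_cyclonedx(doc):
    tools = doc.get("metadata", {}).get("tools", [])
    if isinstance(tools, dict):                    # 1.5 also allows {"components": [...]}
        tools = tools.get("components", [])
    tools = [f'{t.get("name")}-{t.get("version")}' for t in tools]
    pkgs = {}
    for c in doc.get("components", []):
        ref = c.get("bom-ref") or c.get("purl") or c["name"]
        lic = None
        for entry in c.get("licenses", []):        # either {"expression": ...} or {"license": {...}}
            lic = (entry.get("expression") or entry.get("license", {}).get("id")
                   or entry.get("license", {}).get("name"))
            if lic:
                break
        pkgs[ref] = Package(ref=ref, name=c["name"], version=c.get("version", ""), license=lic,
                            checksums={h["alg"]: h["content"] for h in c.get("hashes", [])})
    for d in doc.get("dependencies", []):
        if d["ref"] in pkgs:
            pkgs[d["ref"]].depends_on.extend(d.get("dependsOn", []))
    return {"format": f'CycloneDX {doc.get("specVersion")}', "tools": tools, "packages": pkgs}


def load_sbom(text_or_doc):
    """Accept a JSON string or an already-parsed dict; detect the format by its marker field."""
    doc = json.loads(text_or_doc) if isinstance(text_or_doc, str) else text_or_doc
    if doc.get("bomFormat") == "CycloneDX":
        return _from_cyclonedx(doc)
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return _from_spdx(doc)
    raise ValueError("not an SPDX or CycloneDX JSON document")


def transitive_deps(inv, ref):
    """Breadth-first walk of the dependency graph starting at ref (ref itself excluded)."""
    seen, queue = set(), deque([ref])
    while queue:
        pkg = inv["packages"].get(queue.popleft())
        for dep in (pkg.depends_on if pkg else []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def unlicensed(inv):
    return sorted(p.name for p in inv["packages"].values() if p.license is None)


def without_checksum(inv):
    return sorted(p.name for p in inv["packages"].values() if not p.checksums)


# Constructed SPDX 2.3 sample (placeholder package names, not real PodArmor output)
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-image",
    "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": ["Tool: syft-1.0.0"]},
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "app", "versionInfo": "1.0.0",
         "licenseConcluded": "Apache-2.0",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "aa" * 32}]},
        {"SPDXID": "SPDXRef-Package-libfoo", "name": "libfoo", "versionInfo": "2.3.1",
         "licenseConcluded": "MIT",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "bb" * 32}]},
        {"SPDXID": "SPDXRef-Package-libbar", "name": "libbar", "versionInfo": "0.9",
         "licenseConcluded": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-app",
         "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-Package-app", "relatedSpdxElement": "SPDXRef-Package-libfoo",
         "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-Package-libbar", "relatedSpdxElement": "SPDXRef-Package-libfoo",
         "relationshipType": "DEPENDENCY_OF"},
    ],
}

# Constructed CycloneDX 1.5 sample
CDX_SAMPLE = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"tools": [{"vendor": "anchore", "name": "syft", "version": "1.0.0"}]},
    "components": [
        {"type": "application", "bom-ref": "pkg:npm/app@1.0.0", "name": "app", "version": "1.0.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash",
         "version": "4.17.21", "licenses": [{"license": {"id": "MIT"}}],
         "hashes": [{"alg": "SHA-256", "content": "cc" * 32}]},
    ],
    "dependencies": [{"ref": "pkg:npm/app@1.0.0", "dependsOn": ["pkg:npm/lodash@4.17.21"]}],
}

if __name__ == "__main__":
    for sample in (SPDX_SAMPLE, CDX_SAMPLE):
        inv = load_sbom(json.dumps(sample))
        print(inv["format"], "by", inv["tools"], "| no license:", unlicensed(inv),
              "| no checksum:", without_checksum(inv))
```

Run against a real download, replace the two samples with `load_sbom(open("app.spdx.json").read())`; the format is detected from the document itself, so the same script handles either endpoint's output. A package that lands in `unlicensed()` or `without_checksum()` is where a procurement reviewer's tooling will raise a question, so those lists are worth checking before attaching the SBOM to a release.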
