SBOM gives you software supply-chain intelligence. A Software Bill of Materials (SBOM) is a complete, verifiable list of the components that make up your software — including the ones you didn't write. This tab tracks your SBOM coverage, the components themselves, where they came from, and the attestations that prove it.
What you'll see
- SBOM coverage — how much of your estate has a generated bill of materials.
- Components — the full inventory of what your software is built from.
- Provenance — where each component came from, so you can trust the chain.
- Attestations — signed evidence about how components were built and verified.
How to use it
Use SBOM to answer supply-chain questions: "Do we ship this component anywhere?", "Can we prove where it came from?", and "Is our coverage complete enough to satisfy an auditor?" Gaps in coverage are the first thing to close — a component with no provenance is one you can't fully vouch for.
Signed bundles
On the Reports tab you can download an SBOM as a signed bundle — the SBOM wrapped in a signed attestation (an in-toto statement in a DSSE envelope) bound to the document's digest. Open the caret next to Download and choose Download signed bundle. When the signature and the digest both check out, the row shows a Verified badge; if signing isn't configured for your deployment, the report stays plainly marked as unsigned. A signed SBOM lets a customer or auditor prove the document came from Vibgrate and hasn't been altered.
SBOM vs Dependencies
SBOM is about provenance and attestation — where components came from and how we can prove it. Vulnerabilities and licenses for those components live under Dependencies. Use the two together: Dependencies tells you what's risky; SBOM tells you what you can prove.