SBOM / VEX Import
SBOM and VEX import is live and vendor-agnostic: upload what your existing SCA scanner already produces (CycloneDX, SPDX, or VEX/CSAF VEX) and Vibgrate enriches its Risk Register without duplicating reachability analysis.
What's live today
POST /v1/workspaces/:workspaceId/integrations/sbom/import accepts CycloneDX 1.4-1.6 (JSON), SPDX 2.2/2.3 (JSON), CycloneDX VEX, and CSAF VEX, auto-detecting format. VEX not_affected/fixed statuses suppress or de-rank the matching vulnerability so remediation prioritizes reachable, exploitable risk. Every import is audited and the full normalized result is archived and retrievable.
What's still coming
Live API adapters for Snyk, Endor Labs, and Socket that call the vendor API directly (instead of requiring a file upload) are the next phase — see the Enterprise Integration Plan.