sharang/compliance-scanner-agent
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
94552d1626c846af4cf1703e11dabf05a04f5b5d
compliance-scanner-agent/docs/features/sbom.md
Sharang Parnerkar 94552d1626
All checks were successful
CI / Format (push) Successful in 3s
Details
CI / Clippy (push) Successful in 3m13s
Details
CI / Security Audit (push) Has been skipped
Details
CI / Tests (push) Has been skipped
Details
Add VitePress documentation site with complete user guides 
Covers getting started, repositories, scanning, findings, configuration,
SBOM, code graph, impact analysis, DAST, AI chat, issue tracker integration,
Docker deployment, environment variables, Keycloak auth, and OpenTelemetry.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-08 01:18:58 +01:00

107 lines
3.3 KiB
Markdown
Raw Blame History

# SBOM & License Compliance
The SBOM (Software Bill of Materials) feature provides a complete inventory of all dependencies across your repositories, with vulnerability tracking and license compliance analysis.
The SBOM page has three tabs: **Packages**, **License Compliance**, and **Compare**.
## Packages Tab
The packages tab lists all dependencies discovered during scans.
### Filtering
Use the filter bar to narrow results:
- **Repository** — Select a specific repository or view all
- **Package Manager** — npm, cargo, pip, go, maven, nuget, composer, gem
- **Search** — Filter by package name
- **Vulnerabilities** — Show all packages, only those with vulnerabilities, or only clean packages
- **License** — Filter by specific license (MIT, Apache-2.0, BSD-3-Clause, GPL-3.0, etc.)
### Package Details
Each package row shows:
| Column | Description |
|--------|-------------|
| Package | Package name |
| Version | Installed version |
| Manager | Package manager (npm, cargo, pip, etc.) |
| License | License identifier with color-coded badge |
| Vulnerabilities | Count of known vulnerabilities (click to expand) |
### Vulnerability Details
Click the vulnerability count to expand inline details showing:
- Vulnerability ID (e.g. CVE-2024-1234)
- Source database
- Severity level
- Link to the advisory
### Export
Export your SBOM in industry-standard formats:
1. Select a format:
- **CycloneDX 1.5** — JSON format widely supported by security tools
- **SPDX 2.3** — Linux Foundation standard for license compliance
2. Click **Export**
3. The SBOM downloads as a JSON file
::: tip
SBOM exports are useful for compliance audits, customer security questionnaires, and supply chain transparency requirements.
:::
## License Compliance Tab
The license compliance tab helps you understand your licensing obligations.
### Copyleft Warning
If any dependencies use copyleft licenses (GPL, AGPL, LGPL, MPL), a warning banner appears listing the affected packages and noting that they may impose distribution requirements.
### License Distribution
A horizontal bar chart visualizes the percentage breakdown of licenses across your dependencies.
### License Table
A detailed table lists every license found, with:
| Column | Description |
|--------|-------------|
| License | License identifier |
| Type | **Copyleft** or **Permissive** badge |
| Packages | List of packages using this license |
| Count | Number of packages |
**Copyleft licenses** (flagged as potentially restrictive):
- GPL-2.0, GPL-3.0
- AGPL-3.0
- LGPL-2.1, LGPL-3.0
- MPL-2.0
**Permissive licenses** (generally safe for commercial use):
- MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, etc.
## Compare Tab
Compare the dependency profiles of two repositories side by side.
1. Select **Repository A** from the first dropdown
2. Select **Repository B** from the second dropdown
3. View the diff results:
| Section | Description |
|---------|-------------|
| **Only in A** | Packages present in repo A but not in repo B |
| **Only in B** | Packages present in repo B but not in repo A |
| **Version Diffs** | Same package, different versions between repos |
| **Common** | Count of packages that match exactly |
This is useful for:
- Auditing consistency across microservices
- Identifying dependency drift between environments
- Planning dependency upgrades across projects
Reference in New Issue View Git Blame Copy Permalink