Rewrite all public documentation to be user-facing only:
- Remove deployment, configuration, and self-hosting sections
- Add guide pages for SBOM, issues, webhooks & PR reviews
- Add reference pages for glossary and tools/scanners
- Add 12 screenshots from live dashboard
- Explain MCP, LLM triage, false positives, human-in-the-loop

Fix edit repository modal not scrollable (max-height + overflow-y).
Show full webhook URL using window.location.origin instead of path.
Unset RUSTC_WRAPPER in agent cargo commands to avoid sccache errors.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
112 lines
4.3 KiB
Markdown
# SBOM & Licenses

The SBOM (Software Bill of Materials) feature provides a complete inventory of all dependencies across your repositories, with vulnerability tracking and license compliance analysis.

## What is an SBOM?

A Software Bill of Materials is a list of every component (library, package, framework) that your software depends on, along with version numbers, licenses, and known vulnerabilities. SBOMs are increasingly required for compliance audits, customer security questionnaires, and supply chain transparency.

Certifai generates SBOMs automatically during each scan using Syft for dependency extraction and Grype for vulnerability matching.

## Packages Tab

Navigate to **SBOM** in the sidebar to see the packages tab, which lists all dependencies discovered during scans.

### Filtering

Use the filter bar to narrow results:

- **Repository** -- select a specific repository or view all
- **Package Manager** -- npm, cargo, pip, go, maven, nuget, composer, gem
- **Search** -- filter by package name
- **Vulnerabilities** -- show all packages, only those with vulnerabilities, or only clean packages
- **License** -- filter by specific license (MIT, Apache-2.0, BSD-3-Clause, GPL-3.0, etc.)

### Package Details

Each package row shows:

| Column | Description |
|--------|-------------|
| Package | Package name |
| Version | Installed version |
| Manager | Package manager (npm, cargo, pip, etc.) |
| License | License identifier with color-coded badge |
| Vulnerabilities | Count of known vulnerabilities (click to expand) |

### Vulnerability Details

Click the vulnerability count on any package to expand inline details showing:

- Vulnerability ID (e.g. CVE-2024-1234)
- Source database
- Severity level
- Link to the advisory

## License Compliance Tab

The license compliance tab helps you understand your licensing obligations across all dependencies.

### Copyleft Warnings

If any dependencies use copyleft licenses (GPL, AGPL, LGPL, MPL), a warning banner appears listing the affected packages. Copyleft licenses may impose distribution requirements on your software.

::: warning
Copyleft-licensed dependencies can require you to release your source code under the same license. Review flagged packages carefully with your legal team if you distribute proprietary software.
:::

### License Distribution

A horizontal bar chart visualizes the percentage breakdown of licenses across your dependencies, giving you a quick overview of your licensing profile.

### License Table

A detailed table lists every license found:

| Column | Description |
|--------|-------------|
| License | License identifier |
| Type | **Copyleft** or **Permissive** badge |
| Packages | List of packages using this license |
| Count | Number of packages |

**Copyleft licenses** (flagged as potentially restrictive): GPL-2.0, GPL-3.0, AGPL-3.0, LGPL-2.1, LGPL-3.0, MPL-2.0

**Permissive licenses** (generally safe for commercial use): MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, and others

## Export

You can export your SBOM in industry-standard formats:

1. Select a repository (or export across all repositories)
2. Choose a format:
   - **CycloneDX 1.5** -- JSON format widely supported by security tools
   - **SPDX 2.3** -- Linux Foundation standard for license compliance
3. Click **Export**
4. The SBOM downloads as a JSON file

::: tip
SBOM exports are useful for compliance audits, customer security questionnaires, government procurement requirements, and supply chain transparency.
:::
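As an added example (not part of the Certifai docs or code base), the Python script below consumes a CycloneDX 1.5 JSON document of the kind the Export step produces and reproduces, offline, the views described in the Packages and License Compliance tabs: the filter bar, one row per package with its expandable vulnerability details, the copyleft warning list, the license distribution percentages and the license table. The SBOM document, the `example-*` package names and the `CVE-2024-1234` entry are constructed placeholders (the CVE is the page's own illustrative ID, not a real finding); deriving the Manager column from the purl type is an assumption about how the dashboard labels packages.

```python
import json
from collections import defaultdict

# License categories as the License Compliance tab describes them.
COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0", "LGPL-2.1", "LGPL-3.0", "MPL-2.0"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
# Assumption: the Manager column is derived from the purl type (pkg:<type>/...).
PURL_TO_MANAGER = {"npm": "npm", "cargo": "cargo", "pypi": "pip", "golang": "go",
                   "maven": "maven", "nuget": "nuget", "composer": "composer", "gem": "gem"}

# Constructed CycloneDX 1.5 document standing in for an exported SBOM; the "example-*"
# packages and the CVE-2024-1234 entry (the page's own placeholder ID) are not real findings.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/example-web-lib@2.3.1", "name": "example-web-lib",
         "version": "2.3.1", "purl": "pkg:npm/example-web-lib@2.3.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:cargo/serde@1.0.200", "name": "serde",
         "version": "1.0.200", "purl": "pkg:cargo/serde@1.0.200",
         "licenses": [{"license": {"id": "MIT"}}, {"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/example-gpl-lib@2.0", "name": "example-gpl-lib",
         "version": "2.0", "purl": "pkg:pypi/example-gpl-lib@2.0",
         "licenses": [{"license": {"id": "GPL-3.0"}}]},
        {"type": "library", "bom-ref": "pkg:npm/example-unlicensed@0.1.0",
         "name": "example-unlicensed", "version": "0.1.0",
         "purl": "pkg:npm/example-unlicensed@0.1.0"},
    ],
    "vulnerabilities": [
        {"id": "CVE-2024-1234",
         "source": {"name": "nvd", "url": "https://example.invalid/advisory/CVE-2024-1234"},
         "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:npm/example-web-lib@2.3.1"}]},
    ],
})

def license_type(license_id):
    """Badge shown in the License table: Copyleft, Permissive, or Unknown."""
    if license_id in COPYLEFT:
        return "Copyleft"
    return "Permissive" if license_id in PERMISSIVE else "Unknown"

def load_components(sbom_json):
    """Flatten a CycloneDX document into one row per package, as the Packages tab lists them."""
    bom = json.loads(sbom_json)
    vulns_by_ref = defaultdict(list)  # component bom-ref -> [vulnerability details]
    for v in bom.get("vulnerabilities", []):
        source = v.get("source", {})
        detail = {"id": v["id"], "source": source.get("name", "unknown"),
                  "severity": (v.get("ratings") or [{}])[0].get("severity", "unknown"),
                  "url": source.get("url", "")}
        for affected in v.get("affects", []):
            vulns_by_ref[affected["ref"]].append(detail)
    rows = []
    for c in bom.get("components", []):
        purl_type = c.get("purl", "pkg:unknown/").split(":", 1)[1].split("/", 1)[0]
        rows.append({
            "name": c["name"],
            "version": c.get("version", ""),
            "manager": PURL_TO_MANAGER.get(purl_type, purl_type),
            "licenses": [entry["license"]["id"] for entry in c.get("licenses", [])
                         if "id" in entry.get("license", {})],
            "vulnerabilities": vulns_by_ref.get(c.get("bom-ref"), []),
        })
    return rows

def filter_packages(rows, manager=None, search="", vulnerable=None, license_id=None):
    """Apply the filter bar: manager, name substring, vulnerable (True) / clean (False) / all (None), license."""
    return [r for r in rows
            if (manager is None or r["manager"] == manager)
            and search.lower() in r["name"].lower()
            and (vulnerable is None or bool(r["vulnerabilities"]) == vulnerable)
            and (license_id is None or license_id in r["licenses"])]

def license_table(rows):
    """One entry per license: type badge, packages using it, and package count."""
    table = {}
    for r in rows:
        for lic in r["licenses"] or ["NOASSERTION"]:  # SPDX value for "no license declared"
            entry = table.setdefault(lic, {"type": license_type(lic), "packages": [], "count": 0})
            entry["packages"].append(r["name"])
            entry["count"] += 1
    return table

def license_distribution(table):
    """Percentage share per license, the numbers behind the distribution bar chart."""
    total = sum(e["count"] for e in table.values())
    return {lic: round(100 * e["count"] / total, 1) for lic, e in table.items()}

def copyleft_packages(rows):
    """Packages that would be listed in the copyleft warning banner."""
    return sorted(r["name"] for r in rows
                  if any(license_type(lic) == "Copyleft" for lic in r["licenses"]))
```

Packages with no declared license are grouped under the SPDX `NOASSERTION` value and typed as Unknown rather than silently counted as permissive; in a real review those deserve the same attention as the copyleft list, since an absent license grants no rights at all.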
## Compare Tab

Compare the dependency profiles of two repositories side by side:

1. Select **Repository A** from the first dropdown
2. Select **Repository B** from the second dropdown
3. View the comparison results:

| Section | Description |
|---------|-------------|
| **Only in A** | Packages present in repo A but not in repo B |
| **Only in B** | Packages present in repo B but not in repo A |
| **Version Diffs** | Same package with different versions between repos |
| **Common** | Count of packages that match exactly |

This is useful for auditing consistency across microservices, identifying dependency drift, and planning coordinated upgrades.
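The four comparison sections are plain set operations over the two inventories. As an added example (not the dashboard's own implementation), the Python below computes them for two constructed repositories and adds one thing the table above does not state, which repository is behind on each version diff, so the output can feed an upgrade plan. The `REPO_A`/`REPO_B` tuples are sample data, and `version_key` is a simplified dotted-version comparison, not a full semver parser.

```python
# Constructed inventories for two repositories: (package, version, manager) tuples
# standing in for the packages the Compare tab would load for Repository A and B.
REPO_A = [("serde", "1.0.200", "cargo"), ("tokio", "1.37.0", "cargo"),
          ("express", "4.19.2", "npm"), ("example-left-pad", "1.3.0", "npm")]
REPO_B = [("serde", "1.0.197", "cargo"), ("tokio", "1.37.0", "cargo"),
          ("express", "4.19.2", "npm"), ("axios", "1.6.8", "npm")]


def version_key(version):
    """Sort key for dotted versions; non-numeric parts count as 0 (simplified, not semver)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def compare_repos(repo_a, repo_b):
    """Reproduce the four Compare tab sections.

    Packages are keyed by (name, manager) so that an npm and a pip package that
    happen to share a name are not treated as the same dependency.
    """
    a = {(name, manager): version for name, version, manager in repo_a}
    b = {(name, manager): version for name, version, manager in repo_b}
    shared = a.keys() & b.keys()
    version_diffs = []
    for key in sorted(shared):
        if a[key] != b[key]:
            # Whichever side has the lower version is the one an upgrade plan must target.
            behind = "B" if version_key(a[key]) > version_key(b[key]) else "A"
            version_diffs.append({"package": key, "a": a[key], "b": b[key], "behind": behind})
    return {
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
        "version_diffs": version_diffs,
        "common": sum(1 for key in shared if a[key] == b[key]),
    }


def drift_report(result):
    """Human-readable summary of the comparison for planning coordinated upgrades."""
    lines = [f"Only in A: {len(result['only_in_a'])}",
             f"Only in B: {len(result['only_in_b'])}",
             f"Common: {result['common']}"]
    for d in result["version_diffs"]:
        name, manager = d["package"]
        lines.append(f"Version diff: {manager}/{name} A={d['a']} B={d['b']} "
                     f"(repo {d['behind']} is behind)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(drift_report(compare_repos(REPO_A, REPO_B)))
```

Keying on `(name, manager)` rather than on the bare name matters for polyglot repositories: a Go module and an npm package can share a name, and collapsing them would produce a spurious "version diff" between unrelated artifacts.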