How It Works
SBOM management in Anchore Enterprise covers the full Software Bill of Materials (SBOM) lifecycle — from generation and import through organization, vulnerability scanning, and compliance evaluation. SBOMs can be generated from source repositories and container images using AnchoreCTL as part of a command-line or CI/CD workflow, or by submitting artifacts to the Anchore API. External SBOMs can be imported in SPDX, CycloneDX, and Syft native formats; on import, each document is validated for schema conformance and data requirements, and Anchore Enterprise calculates an SBOM Quality score based on document completeness metrics — including whether artifacts, dependencies, author, supplier, and timestamp are documented. Imported SBOMs are queued for vulnerability scanning using a first-in, first-out (FIFO) queue that performs a full rescan of the imported SBOM inventory every six hours as new vulnerability data becomes available. SBOMs can be organized into groups and versioned applications to reflect how teams build and deliver software; policy compliance can be evaluated against imported SBOMs using the Vulnerabilities gate, producing a pass or fail verdict with a summary of findings by action, severity, and allowlisted entries.
See the video below for a walkthrough of the SBOM management capabilities in Anchore Enterprise:
Specific topics related to the SBOM management framework can be referenced per the links below:
- Manage Imported SBOMs
- Observe Applications in Enterprise
- Anchore Enterprise Application Groups
- SBOM Generation and Management from Source Repository - Anchore API
Generate SBOMs for Anchore-managed Assets
You can generate SBOMs using AnchoreCTL as part of a command-line or CI/CD workflow, by pulling content from a registry, or by submitting an artifact to the Anchore API.
Once generated, SBOMs can be managed via the command line, API, or GUI — supporting grouping, annotation, and search across artifact metadata, vulnerability findings, and policy evaluation results.
Manage External SBOMs
Anchore Enterprise supports importing SBOMs generated outside of Anchore — whether from other SCA tools or vendor sources — providing comprehensive visibility across all software components, beyond what is captured through standard container analysis.
Import External SBOMs
External SBOMs can be imported in SPDX, CycloneDX, and Syft native formats. Imported SBOMs are validated for schema conformance and data requirements for vulnerability scanning.
The SBOM formats supported for upload via the experimental SBOM management features are:
- CycloneDX
  - JSON: Versions 1.2–1.6
  - XML: Versions 1.0–1.6
- SPDX
  - JSON: Versions 2.2–2.3
  - Tag-Value: Versions 2.1–2.3
  - Initial SPDX 3.0 support for JSON and Tag-Value: upload and download are supported, but content and vulnerability analysis are not functional.
- Syft
Note
SBOMs produced via anchorectl distributed analysis do not meet the specifications of the above formats and are not supported for external SBOM imports. For a step-by-step guide to importing and managing SBOMs in the GUI, see Managing Imported SBOMs.
Document Insights
When importing an external SBOM, Anchore Enterprise calculates a set of document insights that describe the properties of the SBOM document, indicating various quality metrics and resulting in an overall SBOM Quality score.
Note
Support for XML and tag-value formats is achieved by converting the stored document to Syft JSON before inspection. Document insights are calculated based on the converted version.
The metrics included in the document insights are:
- Valid Format:
  - True if the given document can be identified as a valid SBOM of one of these formats:
    - CycloneDX
    - SPDX
    - Syft
- Valid Schema:
  - True if the filetype can be identified as one of:
    - json
    - xml
    - spdx (tag-value)
- Supported Format:
  - True if the given document format is within the set of formats that Anchore Enterprise can inspect for further insights. This set is:
    - CycloneDX
    - SPDX
    - Syft
- Supported Schema:
  - True if the given document filetype is within the set of filetypes that Anchore Enterprise can inspect for further insights. This set is:
    - json
    - xml
    - spdx (tag-value)
- Artifacts Documented:
  - True if the given document contains a set of artifacts or packages.
    - CycloneDX: True if the document contains a `components` list of non-zero length.
    - SPDX: True if the document contains a `packages` list of non-zero length.
    - Syft: True if the document contains an `artifacts` list of non-zero length.
- Dependencies Documented:
  - True if the given document contains a set of dependencies.
    - CycloneDX: True if the document contains a `dependencies` list of non-zero length.
    - SPDX: True if the document contains a `relationships` list of non-zero length.
    - Syft: True if the document contains an `artifactRelationships` list of non-zero length.
- Author Documented:
  - True if the given document contains metadata on the author of the document.
    - CycloneDX: True if the `metadata` object of the given document contains either a non-null `manufacturer` value or an `authors` list of non-zero length.
    - SPDX: True if the `creationInfo` object of the given document contains a `creators` list of non-zero length.
    - Syft: Not present in the Syft specification.
- Supplier Documented:
  - True if the given document contains metadata on the supplier of the artifacts.
    - CycloneDX: True if the `metadata` object of the given document contains a non-null `supplier` value.
    - SPDX: True if entries in the `packages` list of the given document contain a `supplier` value that is not empty and is not equal to `NOASSERTION`.
    - Syft: Not present in the Syft specification.
- Document Timestamp:
  - True if the given document contains metadata on the creation date-time of the document.
    - CycloneDX: True if the `metadata` object of the given document contains a non-null `timestamp` value.
    - SPDX: True if the `creationInfo` object of the given document contains a non-null `created` value.
    - Syft: Not present in the Syft specification.
- SBOM Quality:
  - The percentage of the above metrics that are True for the given document.
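To make the metric definitions above concrete, here is an added example (written for this page, not Anchore Enterprise's own code or API) that evaluates the same checks over JSON SBOMs and derives the quality percentage. It assumes simple top-level keys identify the format (`bomFormat` for CycloneDX, `spdxVersion` for SPDX, `descriptor` plus `artifacts` for Syft), handles only the JSON filetype (the page notes that XML and tag-value are converted to Syft JSON first), and counts the metrics Syft does not define as False, since the page does not say whether they are excluded from the percentage. The sample documents are constructed for the example.

```python
import json

SUPPORTED_FORMATS = {"CycloneDX", "SPDX", "Syft"}

# Metric names in the order the page lists them.
METRICS = (
    "valid_format", "valid_schema", "supported_format", "supported_schema",
    "artifacts_documented", "dependencies_documented", "author_documented",
    "supplier_documented", "document_timestamp",
)


def detect_format(doc):
    """Return the SBOM format name or None. The keys used here are an
    assumption for this example, not Anchore's detection logic."""
    if doc.get("bomFormat") == "CycloneDX":
        return "CycloneDX"
    if "spdxVersion" in doc:
        return "SPDX"
    if "artifacts" in doc and "descriptor" in doc:
        return "Syft"
    return None


def _nonempty(value):
    # "list of non-zero length" as used by the page's definitions
    return isinstance(value, list) and len(value) > 0


def document_insights(text):
    """Compute the per-metric booleans for one JSON SBOM document (as text)."""
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    valid_schema = doc is not None  # filetype identified as json
    fmt = detect_format(doc) if isinstance(doc, dict) else None
    insights = dict.fromkeys(METRICS, False)
    insights["valid_format"] = fmt is not None
    insights["valid_schema"] = valid_schema
    insights["supported_format"] = fmt in SUPPORTED_FORMATS
    insights["supported_schema"] = valid_schema  # json is inspectable

    if fmt == "CycloneDX":
        meta = doc.get("metadata") or {}
        insights["artifacts_documented"] = _nonempty(doc.get("components"))
        insights["dependencies_documented"] = _nonempty(doc.get("dependencies"))
        insights["author_documented"] = (meta.get("manufacturer") is not None
                                         or _nonempty(meta.get("authors")))
        insights["supplier_documented"] = meta.get("supplier") is not None
        insights["document_timestamp"] = meta.get("timestamp") is not None
    elif fmt == "SPDX":
        info = doc.get("creationInfo") or {}
        packages = doc.get("packages") or []
        insights["artifacts_documented"] = _nonempty(packages)
        insights["dependencies_documented"] = _nonempty(doc.get("relationships"))
        insights["author_documented"] = _nonempty(info.get("creators"))
        # supplier must be present, non-empty and not NOASSERTION
        insights["supplier_documented"] = any(
            p.get("supplier") not in (None, "", "NOASSERTION") for p in packages)
        insights["document_timestamp"] = info.get("created") is not None
    elif fmt == "Syft":
        insights["artifacts_documented"] = _nonempty(doc.get("artifacts"))
        insights["dependencies_documented"] = _nonempty(doc.get("artifactRelationships"))
        # author, supplier and timestamp are not in the Syft specification;
        # they stay False here (assumption about how they count)
    return insights


def sbom_quality(insights):
    """Percentage of metrics that are True, rounded to one decimal."""
    return round(100 * sum(insights.values()) / len(insights), 1)


# Constructed sample documents (not real SBOMs).
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"timestamp": "2024-01-01T00:00:00Z",
                 "authors": [{"name": "example-author"}]},   # no supplier
    "components": [{"name": "libexample", "version": "1.0"}],
    "dependencies": [{"ref": "libexample"}],
})
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": ["Tool: example"]},
    "packages": [{"name": "libexample", "supplier": "Organization: Example"}],
    "relationships": [{"relationshipType": "DESCRIBES"}],
})
SAMPLE_SYFT = json.dumps({
    "descriptor": {"name": "syft"},
    "artifacts": [{"name": "libexample"}],
    "artifactRelationships": [{"type": "contains"}],
})

if __name__ == "__main__":
    for label, text in (("cyclonedx", SAMPLE_CYCLONEDX), ("spdx", SAMPLE_SPDX),
                        ("syft", SAMPLE_SYFT), ("not-json", "garbage")):
        ins = document_insights(text)
        print(label, sbom_quality(ins), [k for k, v in ins.items() if not v])
```

Running it shows why a Syft-native document tops out at two-thirds under this literal reading, and why the CycloneDX sample loses a point for the missing `supplier`: the score rewards provenance fields, not just package counts.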
Performance Considerations
Though no explicit limits are enforced, 10,000 SBOMs and 1,000 groups have been used as the target for optimal performance.
The SBOM scanning queue performs a full rescan of the imported SBOM inventory every six hours using a first-in, first-out (FIFO) queue, meaning the oldest SBOMs are scanned first.
For more information on the performance and configuration of the scanning queue, see Imported SBOM Scanning.
SBOM Management API (Experimental)
Appropriate user permissions are required to access these API endpoints.
Last modified April 29, 2026