SBOM Export API¶
Programmatic SBOM export in CycloneDX 1.5, SPDX 2.3, and STIX 2.1 formats.
Endpoints¶
All three endpoints share the same query parameters and auth. They differ only in the format of the returned body.
Authentication¶
Required. Uses the same API key as the rest of the SentriKat API. See Authentication for key management.
Query parameters¶
| Parameter | Type | Required | Description |
|---|---|---|---|
| organization | string | yes (or product) | Organization slug that scopes the export |
| product | string | no (may be given without organization) | Product slug; restricts the export to one product |
| scan_id | uuid | no | Pin the export to one scan run so repeated exports describe the same inventory (reproducible builds); a malformed value returns 400 |
| include_dev | bool | no, default false | Include dev-only dependencies |
| exclude_licenses | bool | no, default false | Omit SPDX license identifiers from the output (smaller body) |

At least one of organization or product must be provided; a request with neither returns 400.
Response: CycloneDX¶
Content-Type: application/vnd.cyclonedx+json; version=1.5
```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:3e671187-...",
  "version": 1,
  "metadata": {
    "timestamp": "2026-04-15T09:00:00Z",
    "tools": [
      { "vendor": "SentriKat", "name": "SentriKat", "version": "2026.04.1" }
    ],
    "component": {
      "type": "application",
      "name": "acme-backend",
      "version": "1.2.3"
    }
  },
  "components": [
    {
      "type": "library",
      "bom-ref": "pkg:npm/express@4.18.2",
      "name": "express",
      "version": "4.18.2",
      "purl": "pkg:npm/express@4.18.2",
      "licenses": [{ "license": { "id": "MIT" } }]
    }
  ],
  "vulnerabilities": [
    {
      "id": "CVE-2024-12345",
      "source": { "name": "CISA KEV" },
      "ratings": [
        { "source": { "name": "EPSS" }, "score": 0.87, "method": "other" }
      ],
      "affects": [{ "ref": "pkg:npm/express@4.18.2" }]
    }
  ],
  "integrity": {
    "algorithm": "HMAC-SHA256",
    "signature": "a1b2c3..."
  }
}
```

`vulnerabilities[].affects[].ref` resolves against a component's `bom-ref`, not its `purl`, so consumers join findings to components by that key. `ratings[].method` is `other` because EPSS is an exploitation probability, not a CVSS vector. The `integrity` object is not a CycloneDX 1.5 property (the specification's own signing mechanism is the JSF `signature` field) and the 1.5 JSON schema rejects unknown root keys, so remove it before handing the body to a schema validator.
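A consumer for the response above, written as an added example for this page rather than SentriKat code: it sets the `integrity` block aside so the rest validates as plain CycloneDX 1.5, indexes components by `bom-ref` (falling back to `purl`), joins each vulnerability to what it affects, and ranks by CISA KEV membership and EPSS. The embedded document is constructed to mirror the sample; the `lodash` component (no `bom-ref`) and the extra CVSS rating are additions that exercise the fallback and the rating filter.

```python
"""Consume a CycloneDX 1.5 export: set the vendor extension aside, then join
vulnerabilities to the components they affect and rank by KEV/EPSS.

Added example for this page, not SentriKat code. SAMPLE is a constructed
document mirroring the response above; the lodash component and the CVSS
rating are additions that exercise the fallback and filtering paths.
"""
from __future__ import annotations

import copy
import json

SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "express", "version": "4.18.2",
         "bom-ref": "pkg:npm/express@4.18.2", "purl": "pkg:npm/express@4.18.2"},
        # Constructed: no bom-ref, so indexing falls back to the purl.
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
    ],
    "vulnerabilities": [
        {"id": "CVE-2024-12345", "source": {"name": "CISA KEV"},
         "ratings": [
             {"source": {"name": "EPSS"}, "score": 0.87, "method": "other"},
             {"source": {"name": "NVD"}, "score": 7.5, "method": "CVSSv31"},
         ],
         "affects": [{"ref": "pkg:npm/express@4.18.2"}]},
    ],
    # Root key outside the CycloneDX 1.5 schema; kept for MAC checking, not validation.
    "integrity": {"algorithm": "HMAC-SHA256", "signature": "a1b2c3"},
})


def load_sample() -> dict:
    return json.loads(SAMPLE)


def split_vendor_extension(doc: dict) -> tuple[dict, dict | None]:
    """Return (schema-clean copy, integrity block or None); the input is left untouched."""
    clean = copy.deepcopy(doc)
    integrity = clean.pop("integrity", None)
    return clean, integrity


def index_components(doc: dict) -> dict[str, dict]:
    """Map each reference a vulnerability may use (bom-ref, else purl) to its component."""
    index: dict[str, dict] = {}
    for comp in doc.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl")
        if ref is None:
            continue  # nothing can point at an unreferenceable component
        if ref in index:
            raise ValueError(f"duplicate component reference {ref}")
        index[ref] = comp
    return index


def epss_score(vuln: dict) -> float | None:
    """EPSS probability, picked out of a ratings list that may also carry CVSS entries."""
    scores = [r["score"] for r in vuln.get("ratings", [])
              if r.get("source", {}).get("name") == "EPSS" and "score" in r]
    return max(scores) if scores else None


def join_vulnerabilities(doc: dict) -> list[dict]:
    """One row per (component, vulnerability) pair.

    A dangling affects.ref raises: a finding that resolves to nothing would
    otherwise vanish silently from every downstream report.
    """
    index = index_components(doc)
    rows = []
    for vuln in doc.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            ref = target["ref"]
            if ref not in index:
                raise ValueError(f"{vuln['id']} affects unknown ref {ref}")
            comp = index[ref]
            rows.append({
                "purl": comp.get("purl", ref),
                "id": vuln["id"],
                "kev": vuln.get("source", {}).get("name") == "CISA KEV",
                "epss": epss_score(vuln),
            })
    return rows


def must_fix(doc: dict, epss_threshold: float = 0.5) -> list[str]:
    """purls to act on now: listed in CISA KEV, or EPSS at or above the threshold."""
    return sorted({r["purl"] for r in join_vulnerabilities(doc)
                   if r["kev"] or (r["epss"] is not None and r["epss"] >= epss_threshold)})


if __name__ == "__main__":
    clean, integrity = split_vendor_extension(load_sample())
    print("integrity block:", integrity)
    for row in join_vulnerabilities(clean):
        print(row)
    print("must fix:", must_fix(clean))
```

KEV membership short-circuits the EPSS threshold on purpose: a vulnerability known to be exploited is actionable whatever its predicted probability.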
Response: SPDX¶
Content-Type: application/spdx+json; version=2.3
```json
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "acme-backend",
  "documentNamespace": "https://sentrikat.com/sbom/acme/backend/20260415",
  "creationInfo": {
    "created": "2026-04-15T09:00:00Z",
    "creators": ["Tool: SentriKat-2026.04.1"]
  },
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-express",
      "name": "express",
      "versionInfo": "4.18.2",
      "downloadLocation": "NOASSERTION",
      "licenseConcluded": "MIT",
      "licenseDeclared": "MIT",
      "externalRefs": [
        {
          "referenceCategory": "SECURITY",
          "referenceType": "cpe23Type",
          "referenceLocator": "cpe:2.3:a:expressjs:express:4.18.2:*:*:*:*:*:*:*"
        }
      ]
    }
  ]
}
```
Response: STIX 2.1¶
Content-Type: application/stix+json; version=2.1
```json
{
  "type": "bundle",
  "id": "bundle--3e671187-...",
  "objects": [
    {
      "type": "software",
      "spec_version": "2.1",
      "id": "software--abc-...",
      "name": "express",
      "version": "4.18.2",
      "vendor": "expressjs",
      "cpe": "cpe:2.3:a:expressjs:express:4.18.2:*:*:*:*:*:*:*"
    },
    {
      "type": "vulnerability",
      "spec_version": "2.1",
      "id": "vulnerability--def-...",
      "created": "2026-04-15T09:00:00Z",
      "modified": "2026-04-15T09:00:00Z",
      "name": "CVE-2024-12345",
      "external_references": [
        { "source_name": "cve", "external_id": "CVE-2024-12345" }
      ]
    }
  ]
}
```

`software` is a STIX cyber-observable (SCO) and carries no timestamps; `vulnerability` is a domain object (SDO), for which STIX 2.1 requires `created` and `modified`, so a consumer that validates the bundle should expect them. Read the CVE from `external_references` (`source_name: "cve"`) rather than from `name`, which is free text in STIX.
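The three formats describe the same inventory with different field names. The normalizer below is an added example for this page, not SentriKat code: it detects the format from root markers instead of trusting `Content-Type`, reduces each body to a common `Inventory` of (name, version) pairs, CPEs and CVE ids, and lets a caller confirm that two exports, whatever their formats, list the same components (useful when pinning `scan_id` for reproducibility). The three embedded documents are constructed to mirror the sample responses, trimmed to the fields read; the STIX ids are made-up UUIDs standing in for the page's elided ones.

```python
"""Normalize the CycloneDX, SPDX and STIX exports into one inventory.

Added example, not SentriKat code. The three documents are constructed to
mirror the sample responses on this page, trimmed to the fields read here;
the STIX ids are made-up UUIDs in place of the page's elided ones.
"""
from __future__ import annotations

from dataclasses import dataclass

CYCLONEDX = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"type": "library", "name": "express", "version": "4.18.2",
                    "bom-ref": "pkg:npm/express@4.18.2", "purl": "pkg:npm/express@4.18.2"}],
    "vulnerabilities": [{"id": "CVE-2024-12345", "affects": [{"ref": "pkg:npm/express@4.18.2"}]}],
}
SPDX = {
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [{"SPDXID": "SPDXRef-Package-express", "name": "express", "versionInfo": "4.18.2",
                  "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                                    "referenceLocator": "cpe:2.3:a:expressjs:express:4.18.2:*:*:*:*:*:*:*"}]}],
}
STIX = {
    "type": "bundle", "id": "bundle--3e671187-0000-4000-8000-000000000001",  # constructed id
    "objects": [
        {"type": "software", "spec_version": "2.1",
         "id": "software--3e671187-0000-4000-8000-000000000002",  # constructed id
         "name": "express", "version": "4.18.2", "vendor": "expressjs",
         "cpe": "cpe:2.3:a:expressjs:express:4.18.2:*:*:*:*:*:*:*"},
        {"type": "vulnerability", "spec_version": "2.1",
         "id": "vulnerability--3e671187-0000-4000-8000-000000000003",  # constructed id
         "created": "2026-04-15T09:00:00Z", "modified": "2026-04-15T09:00:00Z",
         "name": "CVE-2024-12345",
         "external_references": [{"source_name": "cve", "external_id": "CVE-2024-12345"}]},
    ],
}


@dataclass(frozen=True)
class Inventory:
    fmt: str
    components: frozenset[tuple[str, str]]  # (name, version)
    cpes: frozenset[str]
    vulnerabilities: frozenset[str]         # CVE ids


def detect_format(doc: dict) -> str:
    """Identify the body by its root markers rather than by the response header."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    if doc.get("type") == "bundle" and isinstance(doc.get("objects"), list):
        return "stix"
    raise ValueError("not a CycloneDX, SPDX or STIX document")


def from_cyclonedx(doc: dict) -> Inventory:
    comps = doc.get("components", [])
    return Inventory("cyclonedx",
                     frozenset((c["name"], c.get("version", "")) for c in comps),
                     frozenset(c["cpe"] for c in comps if "cpe" in c),
                     frozenset(v["id"] for v in doc.get("vulnerabilities", [])))


def from_spdx(doc: dict) -> Inventory:
    if doc.get("dataLicense") != "CC0-1.0":
        raise ValueError("SPDX dataLicense must be CC0-1.0")
    pkgs = doc.get("packages", [])
    cpes = {r["referenceLocator"] for p in pkgs for r in p.get("externalRefs", [])
            if r.get("referenceType") == "cpe23Type"}
    # The SPDX export on this page carries packages only, no advisories.
    return Inventory("spdx", frozenset((p["name"], p.get("versionInfo", "")) for p in pkgs),
                     frozenset(cpes), frozenset())


def from_stix(doc: dict) -> Inventory:
    objs = doc["objects"]
    sw = [o for o in objs if o.get("type") == "software"]
    # CVE ids come from external_references; `name` is free text in STIX.
    vulns = {r["external_id"] for o in objs if o.get("type") == "vulnerability"
             for r in o.get("external_references", []) if r.get("source_name") == "cve"}
    return Inventory("stix", frozenset((o["name"], o.get("version", "")) for o in sw),
                     frozenset(o["cpe"] for o in sw if "cpe" in o), frozenset(vulns))


def load_inventory(doc: dict) -> Inventory:
    readers = {"cyclonedx": from_cyclonedx, "spdx": from_spdx, "stix": from_stix}
    return readers[detect_format(doc)](doc)


def same_components(a: Inventory, b: Inventory) -> bool:
    """True when two exports, in any formats, list the same (name, version) set."""
    return a.components == b.components


if __name__ == "__main__":
    for doc in (CYCLONEDX, SPDX, STIX):
        print(load_inventory(doc))
```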
Error responses¶
| Status | Reason |
|---|---|
| 400 | Missing both organization and product, or invalid scan_id |
| 401 | Missing or invalid API key |
| 403 | API key does not have access to the requested scope |
| 404 | Organization or product not found |
| 413 | Scope too large (> 10 000 components). Split by product. |
| 500 | Schema validation failure (should never happen in normal operation) |
Rate limits¶
60 requests/minute per API key. SBOM generation is O(N) in component count; exports of large orgs can take a few seconds.
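A small client that applies the query-parameter rules, the error table and the media types above, written as an added example for this page rather than the SentriKat client. Two details the page does not state are assumed and marked in the code: the endpoint path (`/api/v1/sbom/<format>`) and the header that carries the API key (`X-API-Key`); booleans are assumed to be sent as `true`/`false`. Substitute the real values from the Authentication page. The `FakeResponse` and `fake_opener` helpers exist only so the example runs offline.

```python
"""Request an SBOM export and map the documented status codes to exceptions.

Added example, not the SentriKat client. Assumed, because this page does not
state them: the endpoint path /api/v1/sbom/<format>, the X-API-Key header,
and "true"/"false" encoding for boolean parameters.
"""
from __future__ import annotations

import io
import json
import urllib.error
import urllib.parse
import urllib.request
import uuid

MEDIA_TYPES = {
    "cyclonedx": "application/vnd.cyclonedx+json",
    "spdx": "application/spdx+json",
    "stix": "application/stix+json",
}
ERROR_REASONS = {  # from the error table on this page
    400: "missing both organization and product, or invalid scan_id",
    401: "missing or invalid API key",
    403: "API key lacks access to the requested scope",
    404: "organization or product not found",
    413: "scope too large (> 10 000 components): split the export by product",
    500: "server-side schema validation failure",
}


class SbomExportError(Exception):
    def __init__(self, status: int, detail: str = ""):
        reason = ERROR_REASONS.get(status, "unexpected response")
        super().__init__(f"HTTP {status}: {reason}. {detail}".strip())
        self.status = status


def build_query(organization: str | None = None, product: str | None = None,
                scan_id: str | None = None, include_dev: bool = False,
                exclude_licenses: bool = False) -> str:
    """Reject client-side what the server would answer with 400."""
    if not organization and not product:
        raise ValueError("at least one of organization or product is required")
    params: dict[str, str] = {}
    if organization:
        params["organization"] = organization
    if product:
        params["product"] = product
    if scan_id is not None:
        params["scan_id"] = str(uuid.UUID(scan_id))  # ValueError on a malformed id
    if include_dev:
        params["include_dev"] = "true"          # ASSUMED boolean encoding
    if exclude_licenses:
        params["exclude_licenses"] = "true"
    return urllib.parse.urlencode(params)


def build_request(base_url: str, api_key: str, fmt: str, **query) -> urllib.request.Request:
    if fmt not in MEDIA_TYPES:
        raise ValueError(f"unknown format {fmt!r}")
    url = f"{base_url.rstrip('/')}/api/v1/sbom/{fmt}?{build_query(**query)}"  # ASSUMED path
    return urllib.request.Request(url, headers={"X-API-Key": api_key,          # ASSUMED header
                                                "Accept": MEDIA_TYPES[fmt]})


def fetch_sbom(req: urllib.request.Request, fmt: str, opener=urllib.request.urlopen) -> dict:
    """Return the parsed body or raise SbomExportError carrying the page's reason.

    413 is not retried; the fix is a narrower scope. A 200 with the wrong media
    type (an HTML login page, say) is a failure, not input for json.loads.
    """
    try:
        with opener(req) as resp:
            status, ctype, body = resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as err:
        raise SbomExportError(err.code, err.read().decode("utf-8", "replace")[:200]) from None
    if status != 200 or not ctype.startswith(MEDIA_TYPES[fmt]):
        raise SbomExportError(status, f"unexpected Content-Type {ctype!r}")
    return json.loads(body)


class FakeResponse:
    """Stand-in for what urlopen returns, so the example runs offline."""
    def __init__(self, status: int, content_type: str, body: bytes):
        self.status, self.headers, self._body = status, {"Content-Type": content_type}, body
    def read(self) -> bytes:
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def fake_opener(status: int, content_type: str, body: bytes):
    """Opener that answers every request with one fixed response, raising HTTPError for >= 400 as urlopen does."""
    def opener(req):
        if status >= 400:
            raise urllib.error.HTTPError(req.full_url, status, "error", {}, io.BytesIO(body))
        return FakeResponse(status, content_type, body)
    return opener


if __name__ == "__main__":
    req = build_request("https://sentrikat.example", "REDACTED", "cyclonedx",
                        organization="acme", product="backend")
    ok = fake_opener(200, MEDIA_TYPES["cyclonedx"] + "; version=1.5",
                     b'{"bomFormat": "CycloneDX", "specVersion": "1.5"}')
    print(fetch_sbom(req, "cyclonedx", opener=ok)["specVersion"])
    try:
        fetch_sbom(req, "cyclonedx", opener=fake_opener(413, "application/json", b"{}"))
    except SbomExportError as e:
        print(e)
```

With the 60 requests/minute limit, a loop that splits a 413 into per-product exports should pace itself to about one request per second rather than fire them all at once.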
See also¶
- SBOM Export user guide — UI workflow and integration examples
- Authentication — API key management