SBOM Export¶

SentriKat generates Software Bill of Materials (SBOM) exports in three industry-standard formats so your compliance team, your customers, and your regulators can consume them with whatever tooling they already have.

Why it matters: the EU Cyber Resilience Act (CRA) enters into force on 11 September 2026 and mandates SBOM availability for products sold on the EU single market. SentriKat ships SBOM export out of the box so you're compliant from day one.

Supported formats¶

Format	Version	Best for
CycloneDX	1.5 (JSON)	OWASP ecosystem, Dependency-Track, Anchore, Trivy, Snyk import
SPDX	2.3 (JSON)	Linux Foundation ecosystem, FOSSA, compliance-focused legal review
STIX	2.1 (JSON)	Threat-intel ecosystem, MITRE TAXII servers, SIEM import

All three formats ship with the same vulnerability context:

Exact component versions resolved from the agent / SCA scanner
KEV / EPSS / CVSS enrichment per component
EU ENISA EUVD cross-references where applicable
Discovery timestamp and source (agent ID, scan run ID)

Export from the UI¶

Go to Products → select a product or organization.
Click the SBOM button in the toolbar.
Pick the format (CycloneDX / SPDX / STIX) from the dropdown.
Click Download — the browser saves a .json file.

The filename convention is:

sentrikat-sbom-{organization}-{product}-{format}-{YYYYMMDD}.json

For example:

sentrikat-sbom-acme-backend-cyclonedx-20260415.json

What gets included¶

All components discovered by agents for the selected scope
All components imported from lockfiles (SCA) for the selected scope
KEV-flagged and EPSS > 0.01 findings with full references
License metadata when known (SPDX identifier)

What is NOT included¶

Raw agent telemetry or host identifiers (privacy-safe export)
Credentials, secrets, or any runtime configuration
Components below the configured noise threshold (e.g. dev-only dependencies if you set excludeDev=true in the org settings)

Export via API¶

See the SBOM Export API page for the full endpoint reference. Quick example using curl:

curl -sf \
  -H "Authorization: Bearer $SENTRIKAT_API_KEY" \
  "https://sentrikat.example.com/api/sbom/export/cyclonedx?organization=acme&product=backend" \
  -o sbom.json

The API supports the same three formats plus an optional scan_id parameter to pin the export to a specific scan run (useful for reproducible builds).

Integrity & signing¶

Every SBOM export is generated with a deterministic serialization so you can run the same export twice and get byte-identical output. This makes downstream integrity checks straightforward:

HMAC-SHA256 integrity block: the API response includes an integrity field with a signature of the canonical body, using the organization's integrity key (rotatable from the admin panel).
Timestamp: all exports embed an ISO-8601 generated_at field.
Source pinning: the metadata.component.version field records the SentriKat version that produced the export.

Sample CycloneDX metadata block:

{
  "metadata": {
    "timestamp": "2026-04-15T09:00:00Z",
    "tools": [
      { "vendor": "SentriKat", "name": "SentriKat", "version": "2026.04.1" }
    ],
    "component": {
      "type": "application",
      "name": "acme-backend",
      "version": "1.2.3"
    }
  }
}

Validation¶

All three formats are validated before download so you never ship a broken SBOM:

CycloneDX: validated against the OWASP CycloneDX 1.5 JSON schema
SPDX: validated against the SPDX 2.3 JSON schema
STIX: validated against the OASIS STIX 2.1 JSON schema

If validation fails (which should never happen in normal use), the API returns a 500 with the validation error detail instead of a corrupt file.

Automation¶

Typical CI/CD integration patterns:

GitHub Actions¶

- name: Export SBOM
  run: |
    curl -sf \
      -H "Authorization: Bearer ${{ secrets.SENTRIKAT_API_KEY }}" \
      "https://sentrikat.example.com/api/sbom/export/cyclonedx?product=${GITHUB_REPOSITORY}" \
      -o dist/sbom.json
- name: Upload SBOM to release
  uses: actions/upload-release-asset@v1
  with:
    asset_path: dist/sbom.json
    asset_name: sbom.json
    asset_content_type: application/json

GitLab CI¶

sbom:
  stage: release
  script:
    - curl -sf -H "Authorization: Bearer $SENTRIKAT_API_KEY"
        "https://sentrikat.example.com/api/sbom/export/spdx?product=$CI_PROJECT_PATH_SLUG"
        -o sbom.json
  artifacts:
    paths:
      - sbom.json

Troubleshooting¶

"Product not found"¶

The product identifier in the query must match a product configured in SentriKat. Check the Products page for the exact slug.

"Scope too broad"¶

Exports over very large scopes (1000+ components) are rejected with 413. Split the export by product or organization. For true enterprise scopes, contact sales for batch export via the scan_id parameter.

Validation errors¶

The export passes internal schema validation before being returned, so a downstream validator complaining usually means the downstream tool is running an older schema version. Check the validator version matches CycloneDX 1.5 / SPDX 2.3 / STIX 2.1.