Software Bill of Materials

Generate a complete software inventory.

Build a complete software inventory (SBOM) with dependency trust scores and quality assessment.

Lumstep software inventory dashboard listing tracked packages, versions, and licenses

Why SBOM matters

Auditors and regulators will ask for this. Have it ready.

The EU Cyber Resilience Act requires software vendors to maintain and share SBOMs by December 2027. NIS2 and SOC 2 Type II supply chain evidence all point the same direction. Beyond compliance, an SBOM is how you answer "are we affected?" in minutes instead of days the next time a package makes headlines - and how license conflicts get caught before legal or an auditor finds them.

  • Audit-ready evidence for CRA, NIS2, and SOC 2 Type II, generated automatically
  • Surface license conflicts or restrictive licenses for early review
  • Track your exposure to newly disclosed vulnerabilities across your dependencies
Compliance coverage
EU Cyber Resilience ActSBOM required by Dec 2027
Covered
NIS2Supply chain evidence required
Covered
SOC 2 Type IISupply chain evidence required
Covered
gpl-licensed-lib 2.1.0GPL-3.0 conflict detected
Flagged
Compliance status3 of 3 frameworks covered →
Generate & score

A complete SBOM, graded before sharing.

On every scan, generates a complete software inventory: every direct and transitive package. Assesses its quality, track dependencies and licenses, assign a trust score to each dependency, measure completeness and accuracy

  • Generate a complete software inventory, including direct and transitive dependencies
  • Track dependencies and licenses, with a trust score for every dependency
  • Assess inventory quality through completeness and accuracy metrics
acme/payments-api312 components resolved
express4.19.2 · MIT
Clean
lodash.template4.5.0 · unknown license
Review
node-forge1.3.1 · BSD-3-Clause
Clean
gpl-licensed-lib2.1.0 · GPL-3.0
GPL conflict
SBOM quality scoreA - 8.5/10
Export & share

Export in the required format.

Every SBOM is generated in both CycloneDX and SPDX - the two formats legal teams, auditors, and regulators expect. Export it straight from your dashboard the moment it's requested, with no extra tooling and no reformatting.

  • Generate SBOMs and export directly from your dashboard when needed
  • Share standardized outputs without reformatting or extra tooling
Export formats
CycloneDXJSON, OWASP standard
Ready
SPDXISO/IEC 5962 standard
Ready
RecipientsLegal, auditors, procurement →
License insight

Identify license risks early.

Review license information for every dependency from a single software inventory. Identify dependencies that may require additional review for compliance or distribution.

  • Centralize dependency and license info in one inventory for faster reviews
  • Identify dependencies needing further review for compliance or distribution
License breakdown
MIT184 packages
Clean
Apache-2.056 packages
Clean
GPL-3.01 package
Conflict
Unknown3 packages
Review
License risk4 flagged of 244 →

Generate your first SBOM in minutes.

Free early access. Your SBOM is ready on the first scan, with no extra configuration.

Get early access