REST API endpoint: Get a project’s SBOM document
Feature availability
This feature is available to customers on Snyk Enterprise plans.
Snyk offers an endpoint to generate SBOM documents for Open Source and Container Projects that are continuously being monitored for issues.
The SBOM document represents the latest state of a project’s dependencies and their relationships.
1. On the Snyk Web UI, retrieve your organization ID (UUID format), project ID (UUID) and API key. If you need help in finding these values, see Group and Organization navigation, View project settings, and Authentication for API.
2. Determine the format you want for the SBOM you will generate. Available options are CycloneDX 1.4 JSON (`cyclonedx1.4+json`), CycloneDX 1.4 XML (`cyclonedx1.4+xml`) or SPDX v2.3 JSON (`spdx2.3+json`).
3. Using any HTTP client, for example, Postman or `curl`, make a request to the endpoint. Note that the `format` parameter must be URL-encoded. Example: To retrieve a CycloneDX 1.4 JSON document, set `format=cyclonedx1.4%2Bjson` on the query.

$ curl --get \
-H "Authorization: token <SNYK_API_TOKEN>" \
--data-urlencode "version=2023-03-20" \
--data-urlencode "format=<SBOM_FORMAT>" \
https://api.snyk.io/rest/orgs/<ORG_ID>/projects/<PROJECT_ID>/sbom

A Snyk project’s SBOM document will include some Snyk-specific metadata about the SBOM document. This is included in the `metadata` section of the document when exported as CycloneDX.

Property Name | Description |
---|---|
snyk:org_id | The organization ID (UUID) to which the project belongs |
snyk:project_id | The project’s ID (UUID) |
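
Before ingesting an exported SBOM into an inventory or policy pipeline, it is worth confirming that the document really belongs to the Organization and Project that were requested. The following is an added example, not Snyk's own code: it builds the request URL with the `format` value correctly encoded and compares the `snyk:org_id` and `snyk:project_id` properties against the requested IDs. It assumes the properties appear as name/value pairs under `metadata.properties` (the CycloneDX 1.4 JSON layout); the function names, sample IDs and sample body are constructed for illustration.

```python
import json
import uuid
from urllib.parse import urlencode

API_BASE = "https://api.snyk.io/rest"   # host and path as in the page's curl example
API_VERSION = "2023-03-20"              # version value from the same example
FORMATS = {"cyclonedx1.4+json", "cyclonedx1.4+xml", "spdx2.3+json"}

def sbom_url(org_id, project_id, fmt):
    """Build the request URL; reject non-UUID IDs and unknown formats."""
    if fmt not in FORMATS:
        raise ValueError(f"unsupported SBOM format: {fmt!r}")
    org, project = uuid.UUID(org_id), uuid.UUID(project_id)  # ValueError if not a UUID
    query = urlencode({"version": API_VERSION, "format": fmt})  # '+' becomes %2B
    return f"{API_BASE}/orgs/{org}/projects/{project}/sbom?{query}"

def snyk_properties(doc):
    """Collect snyk:* name/value pairs (assumed to sit in metadata.properties)."""
    props = doc.get("metadata", {}).get("properties", [])
    return {p.get("name"): p.get("value") for p in props
            if str(p.get("name", "")).startswith("snyk:")}

def provenance_problems(body, org_id, project_id):
    """Return mismatches between a CycloneDX JSON body and the IDs requested."""
    doc = json.loads(body)
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("not a CycloneDX JSON document")
    found = snyk_properties(doc)
    for name, expected in (("snyk:org_id", org_id), ("snyk:project_id", project_id)):
        actual = found.get(name)
        if actual is None:
            problems.append(f"{name} missing")
        elif str(actual).lower() != expected.lower():
            problems.append(f"{name} mismatch")
    return problems

# Constructed sample IDs and response body (not real Snyk output).
ORG = "11111111-1111-4111-8111-111111111111"
PROJECT = "22222222-2222-4222-8222-222222222222"
SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"properties": [
        {"name": "snyk:org_id", "value": ORG},
        {"name": "snyk:project_id", "value": PROJECT}]},
    "components": []})

if __name__ == "__main__":
    print(sbom_url(ORG, PROJECT, "cyclonedx1.4+json"))
    print(provenance_problems(SAMPLE, ORG, PROJECT) or "IDs match the request")
```

Parsing the IDs as UUIDs before placing them in the path also keeps a malformed or attacker-supplied ID from redirecting the request to a different API path.
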
The following response code indicates success.
200 OK
The SBOM document was successfully generated. The response body contains the document in the requested format.
The following are error states that you may receive when using the API. If you experience issues not covered here or are having trouble resolving these, contact your Solution Engineer or Technical Success Manager, or submit a request to Snyk Support.
401 Unauthorized
The authentication method, API token or Bearer token, was invalid. Check that you set the Authorization header correctly.
403 Forbidden
You do not have the permissions required to make the request. This can happen if you are not part of the requested Organization, your Organization is not entitled to use the Snyk API, or you do not have sufficient read access to the requested Project.
429 Too Many Requests
Since the Snyk API is rate-limited, an excessive number of requests will eventually start to be rejected. You need to wait before making any further requests.
500 Internal Server Error
The service encountered an internal system error.