SupportSnyk LearnAPI referenceProduct updatesSign up for free

Get a Project’s SBOM document

Feature availability This feature is available to customers on Snyk Enterprise plans.

Snyk offers the endpoint Get a project's SBOM document to generate SBOM documents for Open Source and Container Projects that are continuously monitored for issues.

The SBOM document represents the latest state of a Project’s dependencies and their relationships.

SBOM documents can be generated in CycloneDX v1.4, v1.5, v1. 6 (JSON, XML) and SPDX v2.3 (JSON) formats.

How to generate the SBOM for a Project

  1. On the Snyk Web UI, retrieve your organization ID (UUID format), project ID (UUID), and API key. If you need help in finding these values, see Switch between Groups and Organizations, View and edit Project settings, and Authentication for API.

  2. Determine the format you want for the SBOM you will generate. Available options are CycloneDX 1.4 JSON (cyclonedx1.4+json), CycloneDX 1.4 XML (cyclonedx1.4+xml), CycloneDX 1.5 JSON (cyclonedx1.5+json), CycloneDX 1.5 XML (cyclonedx1.5+xml), CycloneDX 1.6 JSON (cyclonedx1.6+json), CycloneDX 1.6 XML (cyclonedx1.6+xml) or SPDX v2.3 JSON (spdx2.3+json).

  3. Using any HTTP client, for example, Postman or curl, make a request to the endpoint, specifying the latest stable version. Note that the format parameter must be URL-encoded. Example: To retrieve a CycloneDX 1.4 JSON document, set format=cyclonedx1.4%2Bjson on the query. Note that the example has a placeholder for the version; use version 2024-08-22 or later.

$ curl --location 'https://api.snyk.io/rest/orgs/<ORG_ID>/projects/<PROJECT_ID>/sbom?version=yyyy-mm-dd&format=<SBOM_FORMAT>' --header 'Authorization: token <SNYK_API_TOKEN>'

Custom CycloneDX properties

An SBOM document generated by Snyk will include some Snyk-specific metadata about what has been exported. This is included in the metadata.properties section of the document when exported as CycloneDX.

Property Name
Description

snyk:org_id

The organization ID (UUID), if applicable

snyk:collection_id

The project collection’s ID (UUID), if applicable

snyk:project_id

The project’s ID (UUID), if applicable

snyk:target_id

The target’s ID (UUID), if applicable

Troubleshooting for the endpoint Get a project's SBOM document

The following response code indicates success.

200 OK

The SBOM document was successfully generated. The response body contains the document in the requested format.

The following are error states that you may receive when using the API. If you experience issues not covered here or are having trouble resolving these, contact your Solution Engineer or Technical Success Manager or submit a request to Snyk Support.

401 Unauthorized

The authentication method, API token for Bearer token, was invalid. Check that you set the Authorization header correctly.

403 Forbidden

You do not have the permissions required to make the request. This can happen if you are not part of the requested Organization, your Organization is not entitled to use the Snyk API, or you do not have sufficient read access to the requested Project.

429 Too Many Requests

Since the Snyk API is rate-limited, an excessive number of requests will eventually start to be rejected. Wait before making any further requests.

500 Internal Server Error

The service encountered an internal system error.

PreviousSBOM APIsNextTest an SBOM document for vulnerabilities

Last updated

Was this helpful?