SBOM
Create an SBOM test run by supplying an SBOM document. The components contained in the document are analyzed for known vulnerabilities. For a component to be identified, it must have a PackageURL (purl) of a supported purl type assigned. Analysis is skipped for any component that does not fulfill this requirement.
Supported SBOM formats: CycloneDX 1.4 JSON, CycloneDX 1.5 JSON, CycloneDX 1.6 JSON, SPDX 2.3 JSON
Supported purl types: apk, cargo, cocoapods, composer, conan, deb, gem, generic, golang, hex, maven, npm, nuget, pub, pypi, rpm, swift
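Because components without a supported purl are skipped rather than rejected, a test run can complete while part of the SBOM was never analyzed. The following pre-flight check is an added example, not code from Snyk or from this page: it lists the components of a CycloneDX or SPDX 2.3 JSON document that fall outside the requirement above. The function names and the sample document are constructed for illustration, and the assumption is that the service applies the same purl-type test as this local check.

```python
# Supported purl types, copied from the list on this page.
SUPPORTED_PURL_TYPES = {
    "apk", "cargo", "cocoapods", "composer", "conan", "deb", "gem", "generic",
    "golang", "hex", "maven", "npm", "nuget", "pub", "pypi", "rpm", "swift",
}

def purl_type(purl):
    """Return the lowercased type of a purl ("pkg:<type>/..."), or None if malformed."""
    if not isinstance(purl, str) or not purl.lower().startswith("pkg:"):
        return None
    head = purl[4:].lstrip("/").split("/", 1)
    return head[0].lower() if len(head) == 2 and head[0] else None

def iter_components(doc):
    """Yield (name, purl) for CycloneDX components (nested ones too) or SPDX packages."""
    if "spdxVersion" in doc:  # SPDX 2.3 keeps the purl in an externalRef of type "purl"
        for pkg in doc.get("packages", []):
            refs = [r.get("referenceLocator") for r in pkg.get("externalRefs", [])
                    if r.get("referenceType") == "purl"]
            yield pkg.get("name", "?"), refs[0] if refs else None
        return
    stack = list(doc.get("components", []))
    while stack:
        comp = stack.pop()
        yield comp.get("name", "?"), comp.get("purl")
        stack.extend(comp.get("components", []))  # CycloneDX components can nest

def skipped_components(doc):
    """Return [(name, reason)] for components that would not be analyzed (assumed rule)."""
    skipped = []
    for name, purl in iter_components(doc):
        ptype = purl_type(purl)
        if purl is None:
            skipped.append((name, "no purl"))
        elif ptype is None:
            skipped.append((name, "malformed purl"))
        elif ptype not in SUPPORTED_PURL_TYPES:
            skipped.append((name, "unsupported purl type: " + ptype))
    return skipped

# Constructed CycloneDX 1.5 sample (not from the page).
SAMPLE = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"name": "lodash", "purl": "pkg:npm/lodash@4.17.21"},
    {"name": "internal-lib"},
    {"name": "base-image", "purl": "pkg:docker/library/alpine@3.19",
     "components": [{"name": "busybox", "purl": "pkg:apk/alpine/busybox@1.36.1-r15"}]},
]}

if __name__ == "__main__":
    print(skipped_components(SAMPLE))
```

Running the check before submitting the document shows which components will have no vulnerability findings simply because they could not be identified.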
Required permissions
Test Projects (org.project.test)
API key value must be prefixed with "Token ".
Org ID
Requested API version
2025-11-05
Pattern: ^(wip|work-in-progress|experimental|beta|((([0-9]{4})-([0-1][0-9]))-((3[01])|(0[1-9])|([12][0-9]))(~(wip|work-in-progress|experimental|beta))?))$
Created SBOM test successfully
Bad Request: A parameter provided as a part of the request was invalid.
Unauthorized: the request requires an authentication token.
Forbidden: the request requires an authentication token with more or different permissions.
Not Found: The resource being operated on could not be found.
Conflict: The requested operation conflicts with the current state of the resource in some way.
Internal Server Error: An error was encountered while attempting to process the request.
POST /rest/orgs/{org_id}/sbom_tests?version=2025-11-05 HTTP/1.1
Host: api.snyk.io
Authorization: YOUR_API_KEY
Content-Type: application/vnd.api+json
Accept: */*
Content-Length: 105
{
  "data": {
    "attributes": {
      "format": "text",
      "sbom": {
        "ANY_ADDITIONAL_PROPERTY": "anything"
      }
    },
    "type": "resource"
  }
}

{
  "data": {
    "id": "d5b640e5-d88c-4c17-9bf0-93597b7a1ce2",
    "type": "resource"
  },
  "jsonapi": {
    "version": "1.0"
  },
  "links": {
    "first": "https://example.com/api/resource",
    "last": "https://example.com/api/resource",
    "next": "https://example.com/api/resource",
    "prev": "https://example.com/api/resource",
    "related": "https://example.com/api/resource",
    "self": "https://example.com/api/resource"
  }
}

Get an SBOM test run status
Required permissions
Test Projects (org.project.test)
API key value must be prefixed with "Token ".
Org ID
Job ID
Requested API version
2025-11-05
Pattern: ^(wip|work-in-progress|experimental|beta|((([0-9]{4})-([0-1][0-9]))-((3[01])|(0[1-9])|([12][0-9]))(~(wip|work-in-progress|experimental|beta))?))$
SBOM test run status
Bad Request: A parameter provided as a part of the request was invalid.
Unauthorized: the request requires an authentication token.
Forbidden: the request requires an authentication token with more or different permissions.
Not Found: The resource being operated on could not be found.
Conflict: The requested operation conflicts with the current state of the resource in some way.
Internal Server Error: An error was encountered while attempting to process the request.
GET /rest/orgs/{org_id}/sbom_tests/{job_id}?version=2025-11-05 HTTP/1.1
Host: api.snyk.io
Authorization: YOUR_API_KEY
Accept: */*
{
  "data": {
    "attributes": {
      "status": "processing"
    },
    "id": "123e4567-e89b-12d3-a456-426614174000",
    "type": "resource"
  },
  "jsonapi": {
    "version": "1.0"
  },
  "links": {
    "first": "https://example.com/api/resource",
    "last": "https://example.com/api/resource",
    "next": "https://example.com/api/resource",
    "prev": "https://example.com/api/resource",
    "related": "https://example.com/api/resource",
    "self": "https://example.com/api/resource"
  }
}

Get an SBOM test run result
Required permissions
Test Projects (org.project.test)
API key value must be prefixed with "Token ".
Org ID
Job ID
Requested API version
2025-11-05
Pattern: ^(wip|work-in-progress|experimental|beta|((([0-9]{4})-([0-1][0-9]))-((3[01])|(0[1-9])|([12][0-9]))(~(wip|work-in-progress|experimental|beta))?))$
Return the page of results immediately after this cursor
v1.eyJpZCI6IjEwMDAifQo=
Return the page of results immediately before this cursor
v1.eyJpZCI6IjExMDAifQo=
Number of results to return per page
10
Example: 10
SBOM test results
GET /rest/orgs/{org_id}/sbom_tests/{job_id}/results?version=2025-11-05 HTTP/1.1
Host: api.snyk.io
Authorization: YOUR_API_KEY
Accept: */*
SBOM test results
{
  "ANY_ADDITIONAL_PROPERTY": "anything"
}

This endpoint lets you retrieve the SBOM document of a software project. It supports the following formats:
- CycloneDX version 1.6 in JSON (set format to cyclonedx1.6+json).
- CycloneDX version 1.6 in XML (set format to cyclonedx1.6+xml).
- CycloneDX version 1.5 in JSON (set format to cyclonedx1.5+json).
- CycloneDX version 1.5 in XML (set format to cyclonedx1.5+xml).
- CycloneDX version 1.4 in JSON (set format to cyclonedx1.4+json).
- CycloneDX version 1.4 in XML (set format to cyclonedx1.4+xml).
- SPDX version 2.3 in JSON (set format to spdx2.3+json).
By default it will respond with an empty JSON:API response.
Required permissions
View Project history (org.project.snapshot.read)
API key value must be prefixed with "Token ".
Unique identifier for an organization
Unique identifier for a project
Requested API version
2025-11-05
Pattern: ^(wip|work-in-progress|experimental|beta|((([0-9]{4})-([0-1][0-9]))-((3[01])|(0[1-9])|([12][0-9]))(~(wip|work-in-progress|experimental|beta))?))$
The desired SBOM format of the response.
cyclonedx1.6+json
Possible values:
Returns the SBOM document of a project
Bad Request: A parameter provided as a part of the request was invalid.
Unauthorized: the request requires an authentication token.
Forbidden: the request requires an authentication token with more or different permissions.
Not Found: The resource being operated on could not be found.
Conflict: The requested operation conflicts with the current state of the resource in some way.
Internal Server Error: An error was encountered while attempting to process the request.
GET /rest/orgs/{org_id}/projects/{project_id}/sbom?version=2025-11-05 HTTP/1.1
Host: api.snyk.io
Authorization: YOUR_API_KEY
Accept: */*
{
  "ANY_ADDITIONAL_PROPERTY": "anything"
}

