Open Source SBOM Management

Manage Your Software Bill of Materials

SBOMHub is an SBOM management platform that provides CycloneDX/SPDX import, vulnerability management, VEX statement creation, and compliance checking.

Key Features

Everything you need for software supply chain security

SBOM Import

Import SBOM files in CycloneDX and SPDX formats. Compatible with major tools like Syft, cdxgen, and Trivy.

Vulnerability Management

Automatically detect component vulnerabilities with NVD database integration. View by severity level.

VEX Statements

Create and manage Vulnerability Exploitability eXchange (VEX) statements. Record false positive exclusions and response status.

Compliance

Self-assessment feature to support compliance with the METI (Japan) SBOM guidelines. Note: this is not an official compliance certification.

License Management

Automatic OSS license detection and policy checking. Prevent license conflicts and usage violations.

CI/CD Integration

Upload SBOMs via API from CI/CD pipelines like GitHub Actions.

IPA Integration

Integrate with IPA (Japan Information-technology Promotion Agency) security alerts. Auto-fetch Japan-specific vulnerability information.

SBOM Diff Comparison

Compare SBOMs across versions to detect added, removed, and updated components along with new vulnerabilities.

Multilingual

Optimized for the Japanese market. UI supports both Japanese and English.

Pricing Plans

Choose a plan that fits your team size. Start with a free trial.

All prices are in JPY (Japanese Yen)

Self-hosted

Free

Run on your own server

  • Unlimited projects
  • Unlimited users
  • All features included
  • Community support
  • GitHub / Docker Hub

Cloud Starter

¥2,500/month

Cloud-hosted solution for small teams

  • Up to 5 projects
  • Up to 3 users
  • SBOM management, vulnerability detection, VEX
  • Email support (business days)
  • Auto backups, SSL certificate

Cloud Pro

¥8,000/month

Full-featured solution for growing teams

  • Unlimited projects
  • Up to 10 users
  • SBOM management, vulnerability detection, VEX
  • Audit logs

Cloud Team

¥20,000/month

Dedicated plan for large teams

  • Unlimited projects
  • Up to 30 users
  • All features included
  • Audit logs & reports

All Features

Explore everything SBOMHub has to offer

SBOM Management

SBOM Import

Supports CycloneDX and SPDX formats. Import from Syft, cdxgen, Trivy, and other major tools

Component Management

View all components in your project. Manage names, versions, and license information

SBOM Diff Comparison

Compare SBOMs across versions and visualize added, removed, and updated components

SBOM Sharing

Generate secure public links to share your project's SBOM with external partners

Security

Vulnerability Management

Automatically detect component vulnerabilities via NVD database integration

VEX Statements

Create and manage VEX statements. Record false positive exclusions and response status

SSVC Assessment

Prioritize vulnerabilities using CISA's SSVC framework with auto or manual assessment

KEV Integration

Integrate with CISA's Known Exploited Vulnerabilities catalog to flag active exploits

EOL Status Check

Automatically check component end-of-life status and show upgrade recommendations

License Management

Automatic OSS license detection with policy checks. Mark each license as allowed, denied, or requiring review

Analysis & Reporting

Dashboard

View vulnerability summary, top EPSS vulnerabilities, and project risk scores at a glance

Trend Analysis

Visualize vulnerability response metrics including MTTR and SLO achievement rates

Report Generation

Auto-generate executive, technical, and compliance reports in PDF/Excel format

Cross Search

Search all projects by CVE ID or component name to identify impact scope

Compliance

Self-assessment feature to support METI (Japan) SBOM guideline compliance

Integration & Automation

CI/CD Integration

Upload SBOMs automatically via API from GitHub Actions and other CI/CD pipelines

IPA/JVN Integration

Auto-fetch IPA security alerts and JVN vulnerability information for Japan-specific data

Ticket Integration

Create tickets directly from vulnerabilities with Jira and Backlog. Supports status sync

Notifications

Get notified via Slack, Discord, or email when new vulnerabilities are detected

MCP Server

Access SBOMHub information using natural language from Claude Desktop or Cursor

CLI Tool

Use sbomhub-cli to scan, upload, and search SBOMs from the command line

Enterprise

Audit Logs

Record and search all operation history for compliance requirements

API Key Management

Issue and manage API keys for CLI, MCP Server, and CI/CD integrations

Multilingual Support

Full Japanese and English UI support. Optimized for the Japanese market

Frequently Asked Questions

What is an SBOM?

An SBOM (Software Bill of Materials) is a comprehensive list of components (libraries, frameworks, etc.) that make up a piece of software. It is essential for ensuring transparency in the software supply chain, vulnerability management, and license compliance.

Is SBOMHub free to use?

Yes. SBOMHub is open-source software under the AGPL-3.0 license. The self-hosted version is completely free with all features included. The cloud version offers a 14-day free trial, then starts at ¥2,500/month.

What is the difference between CycloneDX and SPDX?

CycloneDX and SPDX are both standard SBOM formats. CycloneDX is developed by OWASP and focuses on security. SPDX is managed by the Linux Foundation and has strengths in license compliance. SBOMHub supports both formats.

What is VEX (Vulnerability Exploitability eXchange)?

VEX is a standard format for communicating whether a reported vulnerability actually affects your product. In SBOMHub, you can set statuses of 'Under Investigation', 'Not Affected', 'Affected', or 'Fixed' for each vulnerability, managing false positives and recording response status.

Does it support METI (Japan) SBOM guidelines?

SBOMHub provides a self-assessment checklist feature based on METI's 'Guide for Introducing SBOM for Software Management'. Note that this is not an official compliance certification, but a tool to support your guideline compliance efforts.

Which SBOM generation tools are supported?

SBOMHub supports output from major SBOM generation tools including Syft (Anchore), cdxgen (CycloneDX), and Trivy (Aqua Security). Any SBOM in CycloneDX or SPDX JSON format can be imported, regardless of the generation tool.

Start Managing Your SBOMs Today

Strengthen your software supply chain security. Try all features free for 14 days.