Software Bill of Materials (SBOM)


An SBOM is a comprehensive inventory of all the components, dependencies, and attributes associated with a software product.

In software development, SBOMs are widely used to provide transparency and traceability in the software supply chain, for risk assessment or to identify and manage security vulnerabilities and dependencies. They are also used to provide proof of compliance to licensing requirements and other legal obligations associated with the use of third-party components.

A typical SBOM holds information like:

  • Component details including the software name, version and identifier.

  • List of dependencies between different software components.

  • List of each component's vulnerabilities.

  • License types.

  • Links to documentation and project URLs.

Jit SBOM plan item

Jit's SBOM plan item scans all the components in your project's libraries, their dependencies and sub-dependencies. It then generates an all-inclusive and continually updated report holding the Library name, License and Resource of each component.

  • SBOM scans are run daily.

  • All repositories are individually scanned.

  • A scan is initiated on any change in a repository when added or removed.

  • The SBOM report is updated after each scan.


Premium user privileges

Some features of the SBOM report require Premium user privileges. If you are not a Premium user, this information is not displayed in the report.

Generating an SBOM report

  1. In the left menu, select SBOM.

  2. Optional: If you have not activated SBOM, click Activate and wait for the process to run. This may take some time. Data is displayed in the SBOM interface throughout the Activation process. For more information about SBOM activation, see Security Plan Page.

  3. Click an entry to display where the component appears in the project.

  4. Click Contact Us for more information and to learn about the Premium Users package.

Premium users

The following SBOM interface is displayed for Premium users.

  1. Click an entry to display where the component appears in the project.
  2. Search for components, for example based on library names, versions or repositories and more.
  3. Click Export report to download the SBOM report in CycloneDX JSON format.

Supported Ecosystems

Jit will scan and include components from the following ecosystems in the SBOM report:

  • Alpine (apk)
  • C (conan)
  • C++ (conan)
  • Dart (pubs)
  • Debian (dpkg)
  • Dotnet (deps.json)
  • Objective-C (cocoapods)
  • Elixir (mix)
  • Erlang (rebar3)
  • Go (go.mod, Go binaries)
  • Haskell (cabal, stack)
  • Java (jar, ear, war, par, sar, nar, native-image)
  • JavaScript (npm, yarn)
  • Jenkins Plugins (jpi, hpi)
  • Linux kernel archives (vmlinz)
  • Linux kernel modules (ko)
  • Nix (outputs in /nix/store)
  • PHP (composer)
  • Python (wheel, egg, poetry, requirements.txt)
  • Red Hat (rpm)
  • Ruby (gem)
  • Rust (cargo.lock)
  • Swift (cocoapods, swift-package-manager)
  • Wordpress plugins


Software licenses are included for every component for the following languages:

  • NodeJS
  • Go Modules
  • Python
  • PHP

*In some cases, licenses will be included for languages not specified above.