Skip to content

Upload SBOM

POST
/service/{service}/version/sbom

Upload a Software Bill of Materials (SBOM) for a service version to enable vulnerability analysis. The SBOM can be uploaded during the build step before deployment (e.g., in CI/CD pipeline) or after the service has already been deployed. Multiple SBOMs can be uploaded for the same service version to track vulnerabilities across different components or images.

For usage examples, see the SBOM documentation.

Important considerations:

  • Provide both version and image when possible. At least one is required.
  • If both are provided, version is used. If only image is provided, bifrost derives the service version from the image tag or digest.
  • Ensure the provided version or image matches what is used during deployment.
  • The SBOM must be valid JSON in either CycloneDX or SPDX format. Invalid formats will result in a 415 error.
service
required
string

Service name or ID

version
string

Service version name or alias. Recommended together with image; required when image is not provided.

image
string

Container image reference used to derive the version from the image tag or digest. Recommended together with version; required when version is not provided.

SBOM content in JSON format (CycloneDX or SPDX)

SBOM JSON document in CycloneDX or SPDX format

object

SBOM uploaded successfully

Invalid request

Access token is missing or invalid

Request failure

object
errorMessage
string

Unknown service

Invalid SBOM format: must be a valid SPDX or CycloneDX document