Safeguard
Compliance

What an SBOM Scanner Does and How to Choose One

An SBOM scanner reads a software bill of materials and matches every listed component against vulnerability data. Here is how that differs from source scanning and what makes one worth trusting.

Safeguard Team
Product
6 min read

An SBOM scanner takes a software bill of materials — the machine-readable inventory of every component in a piece of software — and checks each listed component and version against vulnerability databases to tell you which ones have known flaws. In other words, it decouples "what is in this software" from "is it scanning your source right now": you generate the inventory once, then the SBOM vulnerability scanner can assess it repeatedly, including for artifacts you did not build and cannot rebuild. That decoupling is the whole reason SBOM scanning has become a compliance and supply-chain staple.

If you have used a dependency scanner, an SBOM scanner will feel familiar — the vulnerability-matching half is nearly identical. The difference is the input and what that input makes possible.

SBOM scanning versus source scanning

A source-code dependency scanner reads your lockfiles and resolves the tree from your repository. It needs access to the build. An SBOM scanner reads a document — CycloneDX or SPDX — that already lists the components, and matches from there.

That distinction matters in three situations:

  • Third-party artifacts. A vendor ships you a container image or a binary with an SBOM. You cannot rebuild it, but you can scan its SBOM to see what vulnerabilities it carries before you deploy it.
  • Point-in-time attestation. An SBOM generated at build time captures exactly what shipped. Scanning that same SBOM months later tells you about newly disclosed CVEs against the artifact you actually released — the code never changed, but the vulnerability data did.
  • Compliance mandates. Frameworks and customer requirements increasingly ask for an SBOM per release. An SBOM scanner turns that document from a checkbox artifact into an ongoing monitoring input.

The two SBOM formats you will meet

Two standards dominate, and a good SBOM scanner ingests both:

  • CycloneDX (from OWASP) is security-oriented, with first-class support for vulnerability data, dependency relationships, and VEX. It is JSON or XML.
  • SPDX (a Linux Foundation / ISO standard) grew out of license compliance and is strong on provenance and licensing, with security support that has matured over time.

You generate these with tools like Syft, the CycloneDX generators for each ecosystem, or your build system's native SBOM output. The scanner's job starts once you have the document.

# Generate a CycloneDX SBOM from a container image with syft
syft my-image:latest -o cyclonedx-json > sbom.json

# Scan that SBOM for known vulnerabilities with grype
grype sbom:sbom.json

How the matching works, and where it goes wrong

Under the hood, an SBOM vulnerability scanner does what any dependency scanner does: for each component it reads a package identifier — ideally a Package URL (purl) like pkg:npm/lodash@4.17.21 — and a version, then matches that against advisory ranges from NVD, the GitHub Advisory Database, OSV, and ecosystem feeds.

The quality of your results depends heavily on the quality of the SBOM, which is the failure mode people underestimate:

  • Missing versions. A component listed without a precise version cannot be matched accurately. Garbage in, garbage out.
  • No purls. If the SBOM identifies components by free-text name only, the scanner has to guess the ecosystem, which produces both misses and false positives.
  • Incomplete inventory. If the SBOM generator missed a component (common with vendored code or unusual build steps), the scanner cannot flag what is not listed.

The lesson is that SBOM scanning is only as good as SBOM generation. A tidy-looking report against an incomplete SBOM is worse than useless because it looks like assurance.

VEX: separating "present" from "exploitable"

A component being present is not the same as your product being exploitable through it. That gap is what VEX (Vulnerability Exploitability eXchange) addresses. A VEX document lets the software producer state, per vulnerability, whether the product is actually affected — for example, "the vulnerable function is never invoked, so this CVE does not affect us."

A mature SBOM scanner consumes VEX alongside the SBOM so its output reflects real exploitability rather than raw presence. Without VEX support, you drown in "component X has CVE Y" findings that may not matter for how the software uses X. If you are evaluating tools, VEX handling is a strong differentiator.

Choosing an SBOM scanner

The practical checklist:

  1. Ingests both CycloneDX and SPDX, in JSON and XML.
  2. Enriched advisory data beyond raw NVD — OSV and GitHub advisories give tighter version ranges and fewer false positives.
  3. Reads and produces VEX so findings reflect exploitability.
  4. Continuous rescanning of stored SBOMs, so a release gets re-evaluated when new CVEs land, not just at generation time.
  5. Fits your workflow — CI integration, an API to submit SBOMs, and pricing that scales with artifacts rather than punishing you per scan.

Open source tools like Grype cover the core matching well and cost nothing to start. Commercial platforms add continuous monitoring, VEX pipelines, cross-artifact tracking, and compliance reporting. A platform such as Safeguard can store SBOMs per release and re-scan them as advisories arrive, which is the part open source scanners typically leave to you to script. If you also control the build, pairing SBOM scanning with source-based SCA gives you both the point-in-time artifact view and the live repository view — our dependency scanner guide covers the source side.

FAQ

What is the difference between an SBOM scanner and an SCA tool?

SCA typically scans your source repository, resolving dependencies from lockfiles. An SBOM scanner reads a bill-of-materials document and matches its listed components against vulnerability data. SCA needs access to your build; an SBOM scanner only needs the SBOM, which lets it assess third-party artifacts you cannot rebuild. The vulnerability-matching logic is largely shared.

Which SBOM format should I use, CycloneDX or SPDX?

CycloneDX is security-oriented with strong native support for vulnerability and VEX data, which makes it a common default for security scanning. SPDX is an ISO standard with deep licensing and provenance support. Many teams generate CycloneDX for security workflows; a good scanner reads both, so pick based on what your consumers and compliance requirements expect.

Can an SBOM scanner find vulnerabilities in software I did not build?

Yes — that is one of its main advantages. If a vendor provides an SBOM for a container image or binary, you can scan that SBOM to identify known vulnerabilities without any access to the source or build. This is why SBOM scanning is central to supply-chain and procurement security.

Why do I keep getting findings for components I do not really use?

Because component presence is not the same as exploitability. A CVE can exist in a library whose vulnerable code path your product never triggers. VEX documents let the producer mark those as not-affected, and an SBOM scanner that consumes VEX will suppress them, leaving you with findings that actually matter.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.