SBOMs & Scanning API

Upload SBOMs, download files, trigger CVE scans, and list vulnerabilities via the API.

Manage Software Bills of Materials and vulnerability scanning programmatically.

Upload an SBOM

POST /api/sboms/upload

Scope: sboms:write

Request body:

| Field     | Type   | Required | Description |
|-----------|--------|----------|-------------|
| releaseId | uuid   | Yes      | ID of the release to attach the SBOM to |
| content   | string | Yes      | SBOM JSON serialised as a single string (not a nested JSON object); max 10 MB |
| fileName  | string | No       | Original file name (max 255 chars) |

The SBOM format (CycloneDX or SPDX) is auto-detected from the content. A match job is automatically created for CVE scanning.

Example:

curl -X POST \
  -H "Authorization: Bearer cvk_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "releaseId": "uuid-of-release",
    "content": "{\"bomFormat\":\"CycloneDX\",...}",
    "fileName": "my-app-sbom.json"
  }' \
  https://cis.cveium.com/api/sboms/upload

Returns 201 with the SBOM metadata including id, format, component_count, and file_hash.
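The following is an added example, not part of the page or of the Cveium client code, showing how to assemble the upload body correctly: the SBOM is JSON-encoded once into the content string, the 10 MB and 255-character limits from the table are enforced client-side, and the SHA-256 of the uploaded bytes is computed locally. The local format detection (bomFormat for CycloneDX, spdxVersion for SPDX) and the assumption that file_hash is a hex SHA-256 of the content are this example's own, not something the page states.

```python
import hashlib
import json
from typing import Optional

MAX_CONTENT_BYTES = 10 * 1024 * 1024   # 10 MB limit documented for 'content'
MAX_FILE_NAME_CHARS = 255              # limit documented for 'fileName'


def detect_format(sbom: dict) -> str:
    """Local approximation of the server's auto-detection (assumed heuristic:
    CycloneDX documents carry 'bomFormat', SPDX documents carry 'spdxVersion')."""
    if sbom.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if "spdxVersion" in sbom:
        return "spdx"
    raise ValueError("not a CycloneDX or SPDX document")


def build_upload_body(sbom: dict, release_id: str,
                      file_name: Optional[str] = None) -> dict:
    """Build the JSON body for POST /api/sboms/upload.

    'content' is the SBOM serialised as a *string*: the SBOM is JSON-encoded
    here, and the HTTP client JSON-encodes the whole body again. Passing the
    SBOM as a nested object would send the wrong type for the field.
    """
    detect_format(sbom)  # fail early on a document the server would not accept
    content = json.dumps(sbom, separators=(",", ":"))
    if len(content.encode("utf-8")) > MAX_CONTENT_BYTES:
        raise ValueError("SBOM content exceeds the 10 MB limit")
    body = {"releaseId": release_id, "content": content}
    if file_name is not None:
        if len(file_name) > MAX_FILE_NAME_CHARS:
            raise ValueError("fileName exceeds 255 characters")
        body["fileName"] = file_name
    return body


def local_file_hash(body: dict) -> str:
    """SHA-256 of the exact bytes sent in 'content'. Assumption (not stated on
    the page): the file_hash in the 201 response is this hex digest, so the two
    can be compared to confirm the server stored what was sent."""
    return hashlib.sha256(body["content"].encode("utf-8")).hexdigest()


# Constructed minimal CycloneDX document used as sample input.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1"},
    ],
}

if __name__ == "__main__":
    body = build_upload_body(SAMPLE_SBOM, "uuid-of-release", "my-app-sbom.json")
    print(json.dumps(body, indent=2))
    print("local SHA-256 of content:", local_file_hash(body))
```

The body printed above is what goes into the curl -d argument; compare the file_hash in the 201 response with the locally computed digest before recording the SBOM id.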

Download an SBOM

GET /api/sboms/{id}/download

Scope: sboms:read

Returns the raw SBOM file with appropriate headers:

| Header              | Description |
|---------------------|-------------|
| Content-Type        | application/vnd.cyclonedx+json or application/spdx+json |
| Content-Disposition | attachment; filename="original-filename.json" |
| X-Content-Hash      | SHA-256 hash for integrity verification (if available) |

Verify the body against X-Content-Hash before using it, and reject the download if neither that header nor a previously recorded hash is available rather than accepting it unverified. Treat the filename in Content-Disposition as a display hint, not a path: strip any directory components before writing the file to disk.
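An added example (not from the page or the Cveium client) of checking a download response offline: the body's SHA-256 is compared in constant time against X-Content-Hash, with an optional fallback to a hash recorded at upload time since the header is documented as optional; the Content-Type is mapped to the SBOM format; and the Content-Disposition filename is reduced to a bare basename so a hostile value cannot escape the download directory. The sample body and headers are constructed here.

```python
import hashlib
import hmac
import os
import re
from typing import Mapping, Optional


def verify_download(body: bytes, headers: Mapping[str, str],
                    expected_hash: Optional[str] = None) -> str:
    """Validate a GET /api/sboms/{id}/download response before trusting it.

    Returns 'cyclonedx' or 'spdx' on success. Raises ValueError if the body
    does not match the hash, if no hash is available at all, or if the
    Content-Type is not one of the two documented SBOM media types.
    `expected_hash` is an assumed caller-supplied fallback (e.g. the file_hash
    kept from the upload response) for when X-Content-Hash is absent.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    claimed = lowered.get("x-content-hash") or expected_hash
    if claimed is None:
        raise ValueError("no hash available to verify the download against")
    actual = hashlib.sha256(body).hexdigest()
    # Constant-time comparison so a mismatch cannot be probed byte by byte.
    if not hmac.compare_digest(actual.encode(), claimed.strip().lower().encode()):
        raise ValueError(f"SBOM hash mismatch: got {actual}, expected {claimed}")
    content_type = lowered.get("content-type", "")
    if content_type.startswith("application/vnd.cyclonedx+json"):
        return "cyclonedx"
    if content_type.startswith("application/spdx+json"):
        return "spdx"
    raise ValueError(f"unexpected Content-Type: {content_type!r}")


def safe_filename(headers: Mapping[str, str], default: str = "sbom.json") -> str:
    """Take the filename from Content-Disposition without trusting it as a path:
    basename() discards directory parts, so '../../etc/cron.d/x' becomes 'x'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    match = re.search(r'filename="([^"]*)"', lowered.get("content-disposition", ""))
    if not match:
        return default
    name = os.path.basename(match.group(1).replace("\\", "/"))
    return name if name not in ("", ".", "..") else default


# Constructed sample response: a CycloneDX body plus the headers the docs list.
SAMPLE_BODY = b'{"bomFormat":"CycloneDX","specVersion":"1.5","components":[]}'
SAMPLE_HEADERS = {
    "Content-Type": "application/vnd.cyclonedx+json",
    "Content-Disposition": 'attachment; filename="my-app-sbom.json"',
    "X-Content-Hash": hashlib.sha256(SAMPLE_BODY).hexdigest(),
}

if __name__ == "__main__":
    fmt = verify_download(SAMPLE_BODY, SAMPLE_HEADERS)
    print(f"verified {fmt} SBOM, saving as {safe_filename(SAMPLE_HEADERS)}")
```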

Trigger CVE Scan

POST /api/cve-scan

Scope: cve:trigger

Request body:

| Field  | Type | Required | Description |
|--------|------|----------|-------------|
| sbomId | uuid | Yes      | ID of the SBOM to scan |

Triggers a CVE scan that matches the SBOM's components against the vulnerability corpus. Returns 202 (Accepted). A 202 means the scan request was accepted, not that matching has finished, so a client should poll GET /api/sboms/{id}/vulnerabilities until the matches appear rather than reading it in the same instant and treating an empty list as final. Because an upload already creates a match job, this endpoint is mainly useful for re-scanning an SBOM that is already stored.

Example:

curl -X POST \
  -H "Authorization: Bearer cvk_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"sbomId": "uuid-of-sbom"}' \
  https://cis.cveium.com/api/cve-scan
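An added example, not code from the page or the Cveium client, of the trigger-then-poll pattern a 202 response calls for. The HTTP transport is injected as two callables returning (status, json) so the logic runs offline against a constructed fake server; the assumption that an empty data list means "not matched yet" is this example's, and it also shows the limitation that follows from it: with no documented scan-status resource, an SBOM with genuinely zero matches cannot be told apart from an unfinished scan, so it simply exhausts the polling budget.

```python
import time
from typing import Any, Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, Any]]


class ScanTimeout(Exception):
    """Raised when no matches appeared before the polling budget ran out."""


def trigger_and_wait(sbom_id: str,
                     post: Callable[[str, Dict[str, Any]], Response],
                     get: Callable[[str], Response],
                     attempts: int = 30,
                     poll_seconds: float = 2.0,
                     sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """POST /api/cve-scan, then poll the vulnerability list until populated.

    `post` and `get` stand in for an authenticated HTTP client and return
    (status, parsed_json). The 202 only confirms acceptance, so completion is
    inferred (assumption) from the list no longer being empty.
    """
    status, _ = post("/api/cve-scan", {"sbomId": sbom_id})
    if status != 202:
        raise RuntimeError(f"scan trigger returned HTTP {status}, expected 202")
    path = f"/api/sboms/{sbom_id}/vulnerabilities"
    for _ in range(attempts):
        status, body = get(path)
        if status != 200:
            raise RuntimeError(f"GET {path} returned HTTP {status}")
        if body.get("data"):
            return body
        # Still empty: either the job has not run yet or the SBOM has no CVEs.
        # The documented API cannot distinguish the two, so keep polling.
        sleep(poll_seconds)
    raise ScanTimeout(f"no matches for SBOM {sbom_id} after {attempts} polls")


class FakeServer:
    """Constructed stand-in for the API: the first `delay` polls return an
    empty list, then the log4j match from the page's sample response."""

    def __init__(self, delay: int):
        self.delay = delay
        self.polls = 0
        self.triggered: List[str] = []

    def post(self, path: str, body: Dict[str, Any]) -> Response:
        self.triggered.append(body["sbomId"])
        return 202, {}

    def get(self, path: str) -> Response:
        self.polls += 1
        if self.polls <= self.delay:
            return 200, {"data": [], "summary": {"total": 0}}
        match = {"cve_id": "CVE-2021-44228", "component_name": "log4j-core",
                 "component_version": "2.14.1", "severity": "CRITICAL", "is_kev": True}
        return 200, {"data": [match], "summary": {"total": 1, "withoutDisposition": 1}}


if __name__ == "__main__":
    server = FakeServer(delay=2)
    result = trigger_and_wait("uuid-of-sbom", server.post, server.get, sleep=lambda s: None)
    print(f"{result['summary']['total']} match(es) after {server.polls} polls")
```

In a real client the two callables wrap requests to https://cis.cveium.com with the Bearer key, and the default sleep provides the back-off between polls.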

List Vulnerabilities

GET /api/sboms/{id}/vulnerabilities

Scope: vulnerabilities:read

Returns all CVEs matched to the SBOM's components, along with their current disposition (if any).

Query parameters

| Parameter | Type   | Description |
|-----------|--------|-------------|
| severity  | string | Filter by severity: critical, high, medium, low, none |
| status    | string | Filter by disposition: affected, not_affected, fixed, under_investigation, undisposed |

Filter values are lowercase as listed, even though the severity field in the response is reported in upper case (for example CRITICAL).

Response

The response includes a summary alongside the vulnerability data:

{
  "data": [
    {
      "id": "vuln-uuid",
      "cve_id": "CVE-2021-44228",
      "component_name": "log4j-core",
      "component_version": "2.14.1",
      "severity": "CRITICAL",
      "cvss_v3_score": 10.0,
      "epss_score": 0.9756,
      "is_kev": true,
      "disposition": {
        "id": "disp-uuid",
        "status": "affected",
        "response": "update"
      }
    }
  ],
  "summary": {
    "total": 23,
    "affected": 2,
    "notAffected": 15,
    "fixed": 3,
    "underInvestigation": 1,
    "withoutDisposition": 2
  }
}

Each vulnerability includes CVSS scores (v2, v3, v4), EPSS score and percentile, KEV (Known Exploited Vulnerability) status, CWEs, affected/fixed versions, and match confidence.

Example:

curl -H "Authorization: Bearer cvk_YOUR_KEY" \
  "https://cis.cveium.com/api/sboms/{sbom-id}/vulnerabilities?severity=critical"
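An added example, not from the page or the Cveium client, of consuming this response: it builds the list URL while rejecting filter values the API does not define, treats a missing disposition object as undisposed, and triages the findings by KEV status first, then EPSS, then CVSS, keeping only open dispositions (affected, under_investigation, undisposed) and never letting an EPSS floor drop a KEV entry. The response below is constructed; the first entry is the page's log4j sample, the placeholder CVE-0000-* identifiers and component names are made up for illustration.

```python
from typing import Any, Dict, List, Optional, Tuple
from urllib.parse import urlencode

SEVERITIES = {"critical", "high", "medium", "low", "none"}
STATUSES = {"affected", "not_affected", "fixed", "under_investigation", "undisposed"}
OPEN_STATUSES = {"affected", "under_investigation", "undisposed"}


def vulnerabilities_url(base: str, sbom_id: str, severity: Optional[str] = None,
                        status: Optional[str] = None) -> str:
    """Build GET /api/sboms/{id}/vulnerabilities with validated, URL-encoded filters.
    Filters are lowercase even though the response reports severity in upper case."""
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"unknown severity filter {severity!r}")
    if status is not None and status not in STATUSES:
        raise ValueError(f"unknown status filter {status!r}")
    params = {k: v for k, v in (("severity", severity), ("status", status)) if v is not None}
    url = f"{base}/api/sboms/{sbom_id}/vulnerabilities"
    return f"{url}?{urlencode(params)}" if params else url


def disposition_status(v: Dict[str, Any]) -> str:
    """An absent disposition object is what the status filter calls 'undisposed'."""
    d = v.get("disposition")
    return d["status"] if d else "undisposed"


def priority_key(v: Dict[str, Any]) -> Tuple[bool, float, float]:
    """Sort key: known-exploited first, then exploitation likelihood, then impact."""
    return (bool(v.get("is_kev")), v.get("epss_score") or 0.0, v.get("cvss_v3_score") or 0.0)


def triage(response: Dict[str, Any], min_epss: float = 0.0) -> List[Dict[str, Any]]:
    """Open findings ordered most urgent first. `min_epss` drops low-likelihood
    noise, but KEV entries are exempt: confirmed exploitation overrides EPSS."""
    open_findings = [v for v in response["data"] if disposition_status(v) in OPEN_STATUSES]
    kept = [v for v in open_findings
            if v.get("is_kev") or (v.get("epss_score") or 0.0) >= min_epss]
    return sorted(kept, key=priority_key, reverse=True)


# Constructed sample response (placeholder CVE-0000-* ids are not real CVEs).
SAMPLE_RESPONSE = {
    "data": [
        {"id": "v1", "cve_id": "CVE-2021-44228", "component_name": "log4j-core",
         "component_version": "2.14.1", "severity": "CRITICAL", "cvss_v3_score": 10.0,
         "epss_score": 0.9756, "is_kev": True,
         "disposition": {"id": "d1", "status": "affected", "response": "update"}},
        {"id": "v2", "cve_id": "CVE-0000-0002", "component_name": "example-parser",
         "component_version": "1.0.0", "severity": "HIGH", "cvss_v3_score": 7.5,
         "epss_score": 0.02, "is_kev": False, "disposition": None},
        {"id": "v3", "cve_id": "CVE-0000-0003", "component_name": "example-crypto",
         "component_version": "3.1.0", "severity": "CRITICAL", "cvss_v3_score": 9.8,
         "epss_score": 0.6, "is_kev": False,
         "disposition": {"id": "d3", "status": "not_affected", "response": "will_not_fix"}},
        {"id": "v4", "cve_id": "CVE-0000-0004", "component_name": "example-http",
         "component_version": "0.9.0", "severity": "MEDIUM", "cvss_v3_score": 5.3,
         "epss_score": 0.01, "is_kev": True,
         "disposition": {"id": "d4", "status": "under_investigation", "response": None}},
    ],
    "summary": {"total": 4, "affected": 1, "notAffected": 1, "fixed": 0,
                "underInvestigation": 1, "withoutDisposition": 1},
}

if __name__ == "__main__":
    print(vulnerabilities_url("https://cis.cveium.com", "uuid-of-sbom", severity="critical"))
    for v in triage(SAMPLE_RESPONSE, min_epss=0.1):
        print(v["cve_id"], v["component_name"], disposition_status(v), priority_key(v))
```

The not_affected entry never reaches the work queue regardless of its CVSS score, while the KEV-listed medium stays on it despite an EPSS below the floor; that ordering is the point of combining the three signals rather than sorting on severity alone.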