Downloading SBOMs

Download the original SBOM file for a release via the web interface or API.

You can download the original SBOM file that was uploaded for a release. This is useful for sharing with partners, auditors, or integrating with other tools.

Download from the web interface

  1. Navigate to the release page
  2. Open the SBOM tab
  3. Click the Download button

The browser will download the original JSON file with the appropriate filename.

Download via the API

For programmatic access, use the SBOM download endpoint:

GET /api/sboms/{id}/download

This endpoint requires authentication. The response includes:

  • The original SBOM JSON content
  • Content-Type header matching the format (application/vnd.cyclonedx+json or application/spdx+json)
  • Content-Disposition header with the original filename
  • X-Content-Hash header with the SHA-256 hash for integrity verification

See the SBOM Download API reference for details.

Integrity verification

Every SBOM upload generates a SHA-256 hash stored alongside the file. When downloading, compare the X-Content-Hash response header against the hash displayed on the SBOM page to verify the file has not been modified.
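The check above can be scripted. The following is an added example, not code from the product or its API reference: it compares the X-Content-Hash header with the hash copied from the SBOM page, and goes one step further by hashing the received bytes. It assumes hashes are hex-encoded; `verify_sbom_download`, its parameters, and the `sbom.json` fallback name are hypothetical.

```python
import hashlib
import hmac
import os
from email.message import Message

# The two Content-Type values the page lists for the download endpoint.
ALLOWED_TYPES = {"application/vnd.cyclonedx+json", "application/spdx+json"}


class SbomVerificationError(Exception):
    """Raised when a downloaded SBOM fails a check."""


def _same_digest(a, b):
    # Assumption: hashes are hex strings; compare case-insensitively.
    return hmac.compare_digest(a.strip().lower().encode(), b.strip().lower().encode())


def verify_sbom_download(headers, body, published_hash):
    """Check one download response; return a safe local filename or raise."""
    h = {k.lower(): v for k, v in headers.items()}
    msg = Message()  # stdlib parser for header parameters
    msg["Content-Type"] = h.get("content-type", "")
    msg["Content-Disposition"] = h.get("content-disposition", "")

    if msg.get_content_type() not in ALLOWED_TYPES:
        raise SbomVerificationError("unexpected Content-Type")

    # 1. The check the page describes: header vs. hash shown on the SBOM page.
    if not _same_digest(h.get("x-content-hash", ""), published_hash):
        raise SbomVerificationError("X-Content-Hash differs from published hash")

    # 2. Extra step: hash the received bytes, so a body altered in transit
    #    or on disk is caught even when the header is intact.
    if not _same_digest(hashlib.sha256(body).hexdigest(), published_hash):
        raise SbomVerificationError("body SHA-256 differs from published hash")

    # Never trust a server-supplied filename as a path: keep the last component.
    name = os.path.basename((msg.get_filename() or "").replace("\\", "/"))
    return name if name not in ("", ".", "..") else "sbom.json"


if __name__ == "__main__":
    body = b'{"bomFormat": "CycloneDX", "components": []}'  # constructed sample
    digest = hashlib.sha256(body).hexdigest()
    hdrs = {"Content-Type": "application/vnd.cyclonedx+json", "X-Content-Hash": digest,
            "Content-Disposition": 'attachment; filename="acme-1.0.cdx.json"'}
    print("verified:", verify_sbom_download(hdrs, body, digest))
```

Pass the response headers and raw body from whatever HTTP client performs the authenticated request, and take `published_hash` from the SBOM page rather than from the same response.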