Sandworm SCA
Software supply-chain security — SBOMs, CVE triage, and build provenance.
What is Sandworm SCA?
Sandworm SCA is a software supply-chain security and Software Composition Analysis (SCA) platform that ingests software bills of materials (SBOMs), maps every component to known CVEs, assesses reachability, and cryptographically verifies build provenance. It is designed for AppSec and platform engineering teams that need to track open-source risk across their code base, container images, and CI/CD pipelines without adding agents to production workloads.
- Accepts SBOMs in CycloneDX and SPDX formats, or generates them automatically from connected repositories.
- Provenance verification uses cryptographic attestations to confirm that a build artefact was produced by a specific CI job from a specific commit.
- Pipeline gate policies can fail builds when Critical CVEs are introduced, before they reach production.
Connect your repositories and CI pipeline
Sandworm SCA ingests software bill-of-materials data from your source repositories and CI/CD pipelines. No agents required — connection is via read-only tokens.
- GitHub / GitLab: install the Sandworm SCA app or generate a personal access token. Note that GitHub's classic `repo` scope grants read and write access; where your provider supports it, prefer a fine-grained token limited to read-only repository contents and metadata (on GitLab, the `read_repository` scope), so a leaked token cannot push or change settings.
- CI/CD: add the Sandworm SCA SBOM upload step to your pipeline using the provided GitHub Action or shell script.
- Container registries: provide read-only credentials for your registry (ECR, GCR, Docker Hub) so Sandworm SCA can pull image manifests.
- SBOM upload: if you already generate SBOMs (CycloneDX or SPDX), post them directly to the ingest endpoint.
sandworm melange sbom upload --file sbom.cyclonedx.json
Key concepts
Sandworm SCA provides supply-chain / SCA capabilities: SBOM generation and management, CVE triage, and build provenance verification.
- SBOM: a software bill of materials listing all components, versions, and licences in a build artefact.
- CVE triage: Sandworm SCA maps each component to known CVEs and scores exploitability in your specific context.
- Provenance: cryptographic attestation that a build artefact was produced by a specific CI job from a specific commit.
- Reachability: where possible, Sandworm SCA assesses whether a vulnerable function is reachable in your code (reducing noise from deep-transitive CVEs).
- Policy: define acceptable CVE severity thresholds; pipeline gates can fail builds that exceed the threshold.
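As an added illustration of how the concepts above compose into a pipeline gate (this is example code written for this page, not Sandworm SCA's own implementation): it normalises a CycloneDX or SPDX JSON SBOM into components, matches them against an advisory list by package name and affected version range, drops hits whose vulnerable function is not reached, and fails the gate when what remains meets the severity threshold. The SBOM contents, package names (libfoo, netparse, tinylog), advisory ids (EXAMPLE-000x), version ranges and the reached-function set are constructed sample data, and version comparison is simplified to dotted integers.

```python
"""SBOM ingest, CVE matching, reachability filter and pipeline gate.
Added example for this page, not Sandworm SCA's code; all data below is constructed."""
import json
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str


def load_components(sbom_text: str) -> list[Component]:
    """Read CycloneDX (components[]) or SPDX (packages[]) JSON into Component records."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") == "CycloneDX":
        return [Component(c["name"], c["version"], c.get("purl", ""))
                for c in doc.get("components", [])]
    if "spdxVersion" in doc:
        out = []
        for p in doc.get("packages", []):
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), "")
            out.append(Component(p["name"], p.get("versionInfo", ""), purl))
        return out
    raise ValueError("unrecognised SBOM format: expected CycloneDX or SPDX JSON")


def _ver(v: str) -> tuple[int, ...]:
    # Dotted numeric versions only; a real matcher needs ecosystem-specific rules.
    return tuple(int(x) for x in v.split("."))


def match_advisories(components, advisories):
    """(component, advisory) pairs where the version lies in [introduced, fixed)."""
    hits = []
    for c in components:
        for adv in advisories:
            if adv["package"] == c.name and _ver(adv["introduced"]) <= _ver(c.version) < _ver(adv["fixed"]):
                hits.append((c, adv))
    return hits


def gate(hits, reached_functions, threshold="critical"):
    """Advisory ids that fail the gate: reachable (or unknown) and at/above the threshold."""
    failing = []
    for _c, adv in hits:
        fn = adv.get("vulnerable_function")
        reachable = fn is None or fn in reached_functions   # no function data: fail closed
        if reachable and SEVERITY_RANK[adv["severity"]] >= SEVERITY_RANK[threshold]:
            failing.append(adv["id"])
    return failing


def evaluate(sbom_text, advisories, reached_functions, threshold="critical") -> dict:
    hits = match_advisories(load_components(sbom_text), advisories)
    return {"hits": [adv["id"] for _c, adv in hits],
            "failing": gate(hits, reached_functions, threshold)}


# --- constructed sample data ------------------------------------------------
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2", "purl": "pkg:pypi/libfoo@1.4.2"},
        {"type": "library", "name": "netparse", "version": "0.9.0", "purl": "pkg:pypi/netparse@0.9.0"},
        {"type": "library", "name": "tinylog", "version": "3.1.0", "purl": "pkg:pypi/tinylog@3.1.0"}]})
SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "packages": [
        {"name": "libfoo", "versionInfo": "1.4.2", "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:pypi/libfoo@1.4.2"}]},
        {"name": "netparse", "versionInfo": "0.9.0"},
        {"name": "tinylog", "versionInfo": "3.1.0"}]})
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "libfoo", "introduced": "1.0.0", "fixed": "1.5.0",
     "severity": "critical", "vulnerable_function": "libfoo.parse_header"},
    {"id": "EXAMPLE-0002", "package": "libfoo", "introduced": "1.0.0", "fixed": "2.0.0",
     "severity": "critical", "vulnerable_function": "libfoo.render_template"},   # not reached
    {"id": "EXAMPLE-0003", "package": "netparse", "introduced": "0.8.0", "fixed": "0.9.5",
     "severity": "high", "vulnerable_function": None},                           # no reachability data
    {"id": "EXAMPLE-0004", "package": "tinylog", "introduced": "3.0.0", "fixed": "3.1.0",
     "severity": "critical", "vulnerable_function": "tinylog.fmt"}]              # 3.1.0 is the fix
REACHED = {"libfoo.parse_header", "netparse.decode"}   # would come from call-graph analysis

if __name__ == "__main__":
    print(evaluate(CYCLONEDX_SBOM, ADVISORIES, REACHED, "critical"))
```

Two choices in the gate are deliberate: an advisory with no vulnerable-function data is treated as reachable (fail closed rather than silently suppress), and the fixed version is an exclusive upper bound, so a component already on the fixed release is not flagged.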
Your first SBOM scan
After connecting a repository, Sandworm SCA queues an SBOM generation job. Navigate to Sandworm SCA → Components to see discovered dependencies and their CVE status once the scan completes.
- The Sandworm SCA dashboard shows a CVE severity breakdown and a trend chart of new vulnerabilities over time.
- Click any CVE to see remediation options — available upgrades are listed with the minimum safe version.
- Set a pipeline gate policy under Sandworm SCA → Policies to block merges when Critical CVEs are introduced.
1. Connect a repository.
Install the Sandworm SCA GitHub or GitLab app, or generate a personal access token with read-only repository access (GitHub's classic `repo` scope is read/write, so prefer a fine-grained read-only token) and add it in Settings → Repositories.
2. Wait for the first SBOM scan.
Sandworm SCA queues an SBOM generation job automatically. Navigate to Sandworm SCA → Components once the scan completes (typically a few minutes) to review discovered dependencies.
3. Set a pipeline gate policy.
Navigate to Sandworm SCA → Policies → New Policy and set a CVE severity threshold. Enable the gate to fail CI builds that introduce new Critical CVEs.
Integrations
Sandworm SCA connects to source repositories, CI/CD pipelines, and container registries, and feeds supply-chain risk data to the broader Sandworm platform.
- Source control: GitHub, GitLab (read-only app install, or a personal access token; GitHub's classic `repo` scope is read/write, so prefer a fine-grained read-only token or GitLab's `read_repository` scope).
- CI/CD: GitHub Actions (native action), GitLab CI (shell script step), Jenkins (shell script step).
- Container registries: AWS ECR, GCP Artifact Registry, Docker Hub (read-only credentials for image manifest analysis).
- Elm (SOAR): Critical CVE findings can auto-create Elm cases assigned to the responsible development team.
- Trust Portal: build provenance attestations are published to the public attestation index for customer verification.
- Sandworm SIEM: supply-chain events (new Critical CVE, provenance failure) forwarded in OCSF for correlation.
API and CLI
Upload SBOMs, query CVEs, and retrieve attestations with the `sandworm` CLI (the `sandworm melange` subcommands) or the Sandworm SCA REST API.
- `sandworm melange sbom upload --file sbom.cyclonedx.json` — upload an SBOM.
- `sandworm melange cves list --severity critical` — list critical CVEs across your portfolio.
- `sandworm melange provenance verify --artefact <digest>` — verify build provenance.
- REST API: see the OpenAPI spec at /api/melange/openapi.json on your deployment.
sandworm melange cves list --severity critical --format table
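The check that a provenance verifier such as `sandworm melange provenance verify --artefact <digest>` performs, as an added example written for this page rather than the product's own verifier: the attestation uses the in-toto Statement v1 / SLSA provenance v1 shape (subject digest, builder id, resolved source commit) wrapped in a DSSE envelope, and the verifier checks the signature first, then that the artefact digest is a subject, that the builder is the expected CI and that the source commit matches. The signature is an HMAC-SHA256 over the DSSE pre-authentication encoding with a constructed key, standing in for the asymmetric signature a real CI signer would produce; the key id, builder id, build type, repository URI, commit and artefact bytes are constructed sample values.

```python
"""Verify a DSSE-wrapped in-toto/SLSA provenance attestation against an artefact digest.
Added example for this page, not Sandworm SCA's verifier. HMAC-SHA256 with a
constructed key stands in for the CI signer's asymmetric signature."""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
SIGNING_KEY = b"constructed-demo-key-do-not-use"         # constructed stand-in for the CI key
BUILDER_ID = "https://ci.example.invalid/runners/linux"    # constructed
COMMIT = "3b1f0c9e" * 5                                    # constructed 40-hex git sha
ARTEFACT = b"constructed artefact contents\n"
ARTEFACT_SHA256 = hashlib.sha256(ARTEFACT).hexdigest()


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes that get signed."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])


def make_statement(artefact_sha256: str, commit: str = COMMIT) -> dict:
    """In-toto Statement v1 carrying SLSA provenance v1 for one artefact."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "app.tar.gz", "digest": {"sha256": artefact_sha256}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://ci.example.invalid/buildtypes/pipeline/v1",   # constructed
                "resolvedDependencies": [{"uri": "git+https://git.example.invalid/org/app",
                                          "digest": {"gitCommit": commit}}]},
            "runDetails": {"builder": {"id": BUILDER_ID}, "metadata": {"invocationId": "run-4242"}}}}


def sign_attestation(statement: dict, key: bytes = SIGNING_KEY) -> dict:
    """Wrap a statement in a DSSE envelope; the signature covers the PAE, not the raw JSON."""
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo-ci-key", "sig": base64.b64encode(sig).decode()}]}


def verify_provenance(envelope: dict, artefact_sha256: str, expected_builder: str,
                      expected_commit: str, key: bytes = SIGNING_KEY) -> list[str]:
    """Return failure reasons; an empty list means the artefact's provenance checks out.
    The signature is verified before any field is read, so unsigned content is never acted on."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        return ["unexpected payloadType"]
    payload = base64.b64decode(envelope.get("payload", ""))
    expected = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s.get("sig", "")))
               for s in envelope.get("signatures", [])):
        return ["signature does not verify"]
    st, reasons = json.loads(payload), []
    if st.get("_type") != "https://in-toto.io/Statement/v1":
        reasons.append("not an in-toto v1 statement")
    if st.get("predicateType") != "https://slsa.dev/provenance/v1":
        reasons.append("not SLSA v1 provenance")
    if artefact_sha256 not in {s.get("digest", {}).get("sha256") for s in st.get("subject", [])}:
        reasons.append("artefact digest not among attestation subjects")
    pred = st.get("predicate", {})
    if pred.get("runDetails", {}).get("builder", {}).get("id") != expected_builder:
        reasons.append("builder id mismatch")
    commits = {d.get("digest", {}).get("gitCommit")
               for d in pred.get("buildDefinition", {}).get("resolvedDependencies", [])}
    if expected_commit not in commits:
        reasons.append("source commit mismatch")
    return reasons


def demo() -> dict:
    """Run the verifier over a good envelope and three bad ones."""
    good = sign_attestation(make_statement(ARTEFACT_SHA256))
    forged = dict(good)   # payload re-encoded with another commit, old signature kept
    forged["payload"] = base64.b64encode(
        json.dumps(make_statement(ARTEFACT_SHA256, "0" * 40), sort_keys=True).encode()).decode()
    return {"valid": verify_provenance(good, ARTEFACT_SHA256, BUILDER_ID, COMMIT),
            "wrong_artefact": verify_provenance(good, "00" * 32, BUILDER_ID, COMMIT),
            "wrong_builder": verify_provenance(good, ARTEFACT_SHA256, "https://ci.example.invalid/other", COMMIT),
            "tampered_payload": verify_provenance(forged, ARTEFACT_SHA256, BUILDER_ID, "0" * 40)}
```

The point a practitioner should take from the ordering: a bad signature short-circuits before any claim in the payload is read, so the tampered envelope reports only "signature does not verify" even though its commit field would also have mismatched; binding the check to the artefact's own digest (not its file name) is what makes a substituted artefact fail.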