SBOMs and Dependencies
Every scan produces an SBOM as a side-effect of dependency extraction. HarborGuard merges per-image SBOMs into a single org-wide dependency inventory, where each unique package surfaces with the images it appears in, all observed versions, license metadata, and any vulnerabilities tied to it.
Ecosystems
The inventory tracks packages across every ecosystem your scanners detect:
| Ecosystem | Typical source |
|---|---|
| deb | Debian/Ubuntu apt packages |
| apk | Alpine apk packages |
| rpm | RHEL / Fedora / Amazon Linux |
| npm | Node.js |
| pip | Python |
| gem | Ruby |
| go | Go modules |
| cargo | Rust |
| maven | Java |
Filter the dependencies view by ecosystem with `?type=npm`, by image with `?imageId=...`, or by package name substring with `?q=...`.
Export formats
| Format | Endpoint | Notes |
|---|---|---|
| CSV | GET /api/dependencies/export | One row per package; columns include name, type, all observed versions, license, PURL, image count, and vulnerability counts. |
| CycloneDX JSON | Per-scan SBOM artifact | Generated alongside each scan and attached to the scan record. |
| SPDX JSON | Per-scan SBOM artifact | Same per-scan attachment, alternative format. |
To pull the org-wide CSV:
CycloneDX and SPDX bundles for individual scans are linked from the scan detail page and from the `sboms` section of any compliance report that includes them.
License tracking
For every package the inventory records the SPDX license identifier reported by the scanner (when available). The dependency table can be sorted and filtered by license to spot, for example, every GPL-3.0 package across your fleet, or anything where the license string is empty (typical for first-party / private packages).
License data also feeds the `licenseCounts` metric used by the SOC 2 CC9.2 (vendor / third-party) control and by custom report sections.
What gets merged
Two packages are considered the same dependency when:
- The package name matches exactly, and
- The ecosystem (`type`) matches exactly.
Versions are stored as a set on the merged record, so a single dependency row may show multiple images with multiple versions. The versions column in the CSV export concatenates them with `;` separators.
Vulnerabilities are tied to the package + version pair, not just the package name — the dependency view's `vulnCount` reflects only versions you actually have deployed.
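The merge rules above, worked through in code. This is an added illustration, not HarborGuard's own implementation: it uses constructed per-image package lists and a constructed vulnerability feed, keys the inventory on (name, type), stores versions as a set, counts vulnerabilities only for versions that are actually deployed, and produces the CSV-style versions column and the licenseCounts tally.

```python
from collections import defaultdict

# Constructed per-image SBOM extracts (sample data, not real scan output).
# Each entry is one package observed in one image.
IMAGE_SBOMS = {
    "img-api": [
        {"name": "lodash", "type": "npm", "version": "4.17.20", "license": "MIT"},
        {"name": "openssl", "type": "deb", "version": "3.0.2", "license": "Apache-2.0"},
    ],
    "img-worker": [
        {"name": "lodash", "type": "npm", "version": "4.17.21", "license": "MIT"},
        # Same name, different ecosystem: must NOT merge with the npm package.
        {"name": "lodash", "type": "pip", "version": "1.0", "license": ""},
    ],
}

# Constructed vulnerability feed keyed by (name, type, version).
VULNS = {
    ("lodash", "npm", "4.17.20"): ["VULN-A"],
    ("lodash", "npm", "4.17.19"): ["VULN-B"],  # version not deployed anywhere
    ("openssl", "deb", "3.0.2"): ["VULN-C", "VULN-D"],
}


def merge_inventory(image_sboms, vulns):
    """Merge per-image package lists into one record per (name, type)."""
    merged = {}
    for image_id, components in image_sboms.items():
        for c in components:
            key = (c["name"], c["type"])
            rec = merged.setdefault(key, {"name": c["name"], "type": c["type"],
                                          "versions": set(), "images": set(),
                                          "license": c.get("license", "")})
            rec["versions"].add(c["version"])
            rec["images"].add(image_id)
    # vulnCount only counts findings for versions that are actually deployed.
    for rec in merged.values():
        rec["vulnCount"] = sum(len(vulns.get((rec["name"], rec["type"], v), []))
                               for v in rec["versions"])
    return merged


def csv_rows(merged):
    """Rows in the shape of the export: versions joined with ';'."""
    rows = [["name", "type", "versions", "license", "imageCount", "vulnCount"]]
    for key in sorted(merged):
        r = merged[key]
        rows.append([r["name"], r["type"], ";".join(sorted(r["versions"])),
                     r["license"], str(len(r["images"])), str(r["vulnCount"])])
    return rows


def license_counts(merged):
    """Tally of merged dependencies per license; empty license is bucketed as '(none)'."""
    counts = defaultdict(int)
    for r in merged.values():
        counts[r["license"] or "(none)"] += 1
    return dict(counts)
```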
See also
- Vulnerabilities Dashboard — how SBOM packages map to findings
- Compliance: Report Builder — including SBOM artifacts in evidence
- Attestations — license-based exceptions