The SBOM Workbench is a graphical user interface for scanning and auditing source code using the SCANOSS API. It simplifies the process of generating Software Bills of Materials (SBOMs) with visual component identification, license analysis, and vulnerability detection.

Installation

  1. Visit SBOM Workbench releases
  2. Download the installer for your platform:
    • macOS: .dmg file
    • Windows: .exe installer
    • Linux: .AppImage or .deb package
  3. Run the installer and follow the on-screen instructions

Getting Started

Configure API Settings

Before scanning, configure your SCANOSS API connection:
  1. Open SBOM Workbench
  2. Go to File > Settings
  3. Click on + after Knowledgebase API
  4. Enter your API details:
    • API URL: Default is https://api.osskb.org (free tier)
    • API Key: Optional for free tier, required for premium features
Note: You can scan without an API key using the free SCANOSS OSS Knowledge Base. Premium features like enhanced vulnerability detection require an API key.

Create or Import a Project

Click the dropdown menu next to New Project in the Home tab to see four options:

New Project

Start a fresh scan of your source code repository:
  1. Click New Project
  2. Browse and select your project folder
  3. The Workbench will scan and fingerprint all files
  4. Configure project Settings

Import Workbench Project

Load a previously saved SBOM Workbench project:
  1. Click the arrow next to New Project
  2. Select Import Workbench Project
  3. Browse to the saved .zip project file
  4. Project loads with all previous work, identifications and decisions intact

Import from WFP

Import from a pre-generated fingerprint file:
  1. Click the arrow next to New Project
  2. Select Import from WFP
  3. Choose your .wfp fingerprint file
  4. The Workbench will scan the fingerprints against the SCANOSS API

Import from Raw Results File

Import existing SCANOSS scan results:
  1. Click the arrow next to New Project
  2. Select Import from Raw Results File
  3. Choose your results.json scan results file
  4. The Workbench loads the results directly without rescanning

Project Settings

After selecting New Project, configure your scan settings:
  • Give your project a descriptive, meaningful name
  • Set the default license for your project
  • Configure your SCANOSS API access
  • Integrate with SBOM Ledger for advanced tracking
  • Decompress Archives and Scan Inner Files
  • Obfuscate File Paths
  • Enable HPSM (High Precision Snippet Matching)
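Two of the items above, importing a .wfp file and the Obfuscate File Paths setting, both come down to what a fingerprint file carries: for every file, a header with its MD5, size and path, followed by the snippet hashes that are matched against the knowledge base. The Python below is an added example, not code from SBOM Workbench or SCANOSS. It builds a `file=` header from a file's bytes, parses a fingerprint file, and shows the kind of obfuscation the setting implies: hashes and sizes are left exactly as they are so matching still works, only the paths are swapped for aliases, and a local map turns the file keys in the returned results back into real paths. Assumed here: the `file=<md5>,<size>,<path>` and `<line>=<hash>,<hash>,...` line layout, the numbered-alias scheme (the Workbench's own scheme may differ), and the sample fingerprint values, which are constructed.

```python
"""Parse a SCANOSS-style .wfp fingerprint file and obfuscate the paths it carries.

Added example, not SBOM Workbench code. Layout assumption: a
`file=<md5>,<size>,<path>` line opens each file's entry and is followed by
`<line>=<hash>,<hash>,...` snippet lines; any other line is passed through untouched.
"""
import hashlib
import os
from dataclasses import dataclass, field

# Constructed sample fingerprint file: the hashes are made up, not real fingerprints.
SAMPLE_WFP = """\
file=d41d8cd98f00b204e9800998ecf8427e,1024,src/crypto/aes.c
12=a1b2c3d4,e5f6a7b8
40=09ab87cd,feed1234,deadbeef
file=9e107d9d372bb6826bd81d3542a419d6,512,src/internal/secret_keys.h
3=00112233
"""


@dataclass
class WfpEntry:
    md5: str
    size: int
    path: str
    snippets: list = field(default_factory=list)  # [(line_number, [hash, ...]), ...]


def file_header(path: str, data: bytes) -> str:
    """Build the `file=` header line for one file: MD5 of its bytes, byte size, path."""
    return f"file={hashlib.md5(data).hexdigest()},{len(data)},{path}"


def parse_wfp(text: str) -> list:
    """Return one WfpEntry per `file=` header, with its snippet lines attached."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("file="):
            md5, size, path = line[5:].split(",", 2)  # path may itself contain commas
            entries.append(WfpEntry(md5=md5, size=int(size), path=path))
        elif entries:
            key, _, hashes = line.partition("=")
            if key.isdigit():  # snippet line: starting line number = list of hashes
                entries[-1].snippets.append((int(key), hashes.split(",")))
    return entries


def obfuscate_wfp(text: str):
    """Return (obfuscated WFP text, {alias: real_path}).

    Only the path field of `file=` lines is rewritten. MD5, size and every snippet
    hash line stay byte-for-byte the same, so the API still sees identical
    fingerprints; what it no longer sees is the directory layout and file names.
    Assumption: the extension is kept on the alias (e.g. `1.c`) as a harmless hint.
    """
    mapping = {}
    out = []
    for raw in text.splitlines():
        if raw.startswith("file="):
            md5, size, path = raw[5:].split(",", 2)
            alias = f"{len(mapping) + 1}{os.path.splitext(path)[1]}"
            mapping[alias] = path
            out.append(f"file={md5},{size},{alias}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n", mapping


def deobfuscate_results(results: dict, mapping: dict) -> dict:
    """Map the file keys of a results.json-shaped dict back to the real paths."""
    return {mapping.get(key, key): value for key, value in results.items()}


if __name__ == "__main__":
    obfuscated, alias_map = obfuscate_wfp(SAMPLE_WFP)
    print(obfuscated)
    print(alias_map)
```

The alias map is the sensitive artefact in this scheme: it is what links the API's per-file results back to your tree, so keep it with the project, not with anything you upload.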

Configuration File

At the top right of the Project Settings screen, you might see:
   No configuration file found (optional)
   Open project folder to create a scanoss.json file to customise scanning behaviour.
   [Learn More]
The scanoss.json file provides advanced configuration for:
  • Declaring known components (SBOM)
  • Ignoring specific files or paths
  • Setting file-level policies
  • Pre-approved component versions
Learn more: SCANOSS Settings File Documentation

Analysing Results

The scan begins automatically once you click Continue. When it completes, the Workbench presents an overview of the results; the Reports tab provides details on detected components, licenses, dependencies and vulnerabilities.
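The Reports tab and the scanoss.json policy described in the Configuration File section are two views of the same data: the raw results.json and the rules you want applied to it. The Python below is an added example, not code from SBOM Workbench or SCANOSS. It reads a results file, applies a settings file (skip path prefixes, drop matches against ignored components, flag components that are not pre-approved) and produces the same kind of roll-up the Reports tab shows: components by version, licenses in use and vulnerability counts by severity. Assumed here, and worth checking against the linked settings-file documentation: that results.json maps each scanned path to a list of match objects with `id` ("file", "snippet" or "none"), `purl` (a list), `version`, `licenses` (a list of `{"name": ...}`) and `vulnerabilities`; and that scanoss.json carries `bom.include` and `bom.ignore` lists of `{"purl": ...}` plus `settings.skip.patterns.scanning` path prefixes. Both sample documents are constructed; the one vulnerability entry is a placeholder object, not a real advisory.

```python
"""Roll up a SCANOSS results.json under a scanoss.json policy.

Added example, not SBOM Workbench code. The field names below are assumptions
about the two file formats (see the lead-in); adjust them if your files differ.
"""
import json

# Constructed sample scan output. "pkg:github/example/..." purls are fictional and
# the single vulnerability entry is a placeholder, not a real advisory.
SAMPLE_RESULTS = json.dumps({
    "src/zlib/inflate.c": [{
        "id": "file", "component": "zlib", "version": "1.2.13",
        "purl": ["pkg:github/madler/zlib"],
        "licenses": [{"name": "Zlib"}], "vulnerabilities": [],
    }],
    "src/net/parser.c": [{
        "id": "snippet", "component": "netlib", "version": "0.4.2",
        "purl": ["pkg:github/example/netlib"],
        "licenses": [{"name": "MIT"}],
        "vulnerabilities": [{"severity": "HIGH", "source": "constructed placeholder"}],
    }],
    "vendor/fixtures/blob.c": [{
        "id": "file", "component": "fixtures", "version": "0.1",
        "purl": ["pkg:github/example/fixtures"],
        "licenses": [{"name": "GPL-3.0-only"}], "vulnerabilities": [],
    }],
    "test/unit/helper.c": [{
        "id": "snippet", "component": "other", "version": "2.0",
        "purl": ["pkg:github/example/other"],
        "licenses": [{"name": "AGPL-3.0-only"}], "vulnerabilities": [],
    }],
    "src/main.c": [{"id": "none"}],
})

# Constructed sample settings file: one pre-approved component, one ignored
# component, and one path prefix that is never scanned.
SAMPLE_SETTINGS = json.dumps({
    "bom": {
        "include": [{"purl": "pkg:github/madler/zlib"}],
        "ignore": [{"purl": "pkg:github/example/fixtures"}],
    },
    "settings": {"skip": {"patterns": {"scanning": ["test/"]}}},
})


def load_policy(settings_text: str) -> dict:
    """Extract the three rule sets this example enforces from a scanoss.json."""
    cfg = json.loads(settings_text)
    bom = cfg.get("bom", {})
    patterns = cfg.get("settings", {}).get("skip", {}).get("patterns", {})
    return {
        "approved": {entry["purl"] for entry in bom.get("include", [])},
        "ignored": {entry["purl"] for entry in bom.get("ignore", [])},
        "skip_prefixes": tuple(patterns.get("scanning", [])),
    }


def summarize(results_text: str, policy: dict) -> dict:
    """Apply the policy and roll up components, licenses and vulnerability counts."""
    results = json.loads(results_text)
    components, licenses, by_severity = {}, set(), {}
    skipped, ignored, needs_review = [], [], []
    for path, matches in results.items():
        if path.startswith(policy["skip_prefixes"]):  # empty tuple never matches
            skipped.append(path)
            continue
        for match in matches:
            if match.get("id") == "none":  # no OSS match for this file
                continue
            purl = match["purl"][0]
            if purl in policy["ignored"]:
                ignored.append((path, purl))
                continue
            key = f"{purl}@{match.get('version', '')}"
            components.setdefault(key, []).append(path)
            licenses.update(lic["name"] for lic in match.get("licenses", []))
            for vuln in match.get("vulnerabilities", []):
                sev = str(vuln.get("severity", "UNKNOWN")).upper()
                by_severity[sev] = by_severity.get(sev, 0) + 1
            if purl not in policy["approved"]:
                needs_review.append(key)
    return {
        "components": components, "licenses": sorted(licenses),
        "vulnerabilities_by_severity": by_severity, "skipped": skipped,
        "ignored": ignored, "needs_review": needs_review,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RESULTS, load_policy(SAMPLE_SETTINGS)), indent=2))
```

Note that a skipped path is excluded before any ignore or approval rule is evaluated, so a license or vulnerability under a skipped prefix never reaches the report; keep skip patterns narrow for exactly that reason.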

Exporting SBOMs

  1. Click the Export button
  2. Select your desired format