
Know every dependency in your software

A continuously updated dependency inventory with vulnerability intelligence — built for CERT-In, RBI, and SEBI compliance.

dependency_graph.json

    $ npx o3-sbom scan --json
    // Audit summary of packages
    {
      "totalDependencies": 248,
      "direct": 18,
      "transitive": 230,
      "licenses": {
        "approved": 248,
        "unresolved": 0
      }
    }
DEPENDENCY RADAR (illustrative widget): CycloneDX 1.6 · 248/249 packages (99%) safe and audited · one transitive MIT package flagged with 1 High CVE, the direct packages marked Secure.
DEPENDENCY INVENTORY

Full dependency visibility: direct and deep transitive.

O3 maps every layer of your dependency tree — not just what your code imports, but everything those packages pull in recursively.

    your-app v2.4.1 (your code)
    └─ installs express v4.18.2 (direct)
       └─ installs qs v6.11.0 (transitive)
O3 captures each as a separate inventory record
    Component   Version   Depth        License   Vulnerability    Patch status
    express     4.18.2    direct       MIT       None             Up to date
    qs          6.11.0    transitive   BSD-3     CVE-2022-24999   Patch available
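The inventory record above is what a lockfile walk produces once you follow every package's dependencies recursively and remember the depth at which each one was first reached. The script below is an added example written for this page, not O3's code: it walks a constructed package-lock.json (lockfileVersion 3, trimmed to a few packages; `legacy-lib` is hypothetical), applies Node's lookup rule so that a nested second copy of qs resolves to its own version rather than the top-level one, classifies depth 1 as direct and deeper as transitive, and emits the result as a CycloneDX 1.6 BOM with purls, SPDX license ids, SHA-512 hashes converted from npm's base64 integrity strings, and the dependency graph. The `example:depth` property name is this example's own choice, not a CycloneDX field.

```python
"""Dependency inventory (direct vs. transitive, with depth) from an npm lockfile,
emitted as a minimal CycloneDX 1.6 BOM. Added example, not O3's code.
SAMPLE_LOCK is a CONSTRUCTED package-lock.json (lockfileVersion 3, trimmed);
'legacy-lib' is a hypothetical package."""
import base64
import hashlib
from collections import deque
from urllib.parse import quote


def _integrity(seed):
    """npm-style 'sha512-<base64>' value for the constructed sample."""
    return "sha512-" + base64.b64encode(hashlib.sha512(seed).digest()).decode()


SAMPLE_LOCK = {"name": "your-app", "version": "2.4.1", "lockfileVersion": 3, "packages": {
    # keys are install paths; "" is the root project
    "": {"name": "your-app", "version": "2.4.1",
         "dependencies": {"express": "^4.18.2", "legacy-lib": "^1.0.0"}},
    "node_modules/express": {"version": "4.18.2", "license": "MIT",
        "integrity": _integrity(b"express-4.18.2"), "dependencies": {"qs": "6.11.0"}},
    "node_modules/qs": {"version": "6.11.0", "license": "BSD-3-Clause",
        "integrity": _integrity(b"qs-6.11.0"), "dependencies": {"side-channel": "^1.0.4"}},
    "node_modules/side-channel": {"version": "1.0.4", "license": "MIT",
        "integrity": _integrity(b"side-channel-1.0.4")},
    # hypothetical package pinned to an older qs, so npm nests a second copy of qs
    "node_modules/legacy-lib": {"version": "1.0.0", "license": "MIT",
        "integrity": _integrity(b"legacy-lib-1.0.0"), "dependencies": {"qs": "6.5.2"}},
    "node_modules/legacy-lib/node_modules/qs": {"version": "6.5.2", "license": "BSD-3-Clause",
        "integrity": _integrity(b"qs-6.5.2")},
}}


def resolve(packages, from_path, name):
    """Node resolution: <from_path>/node_modules/<name>, then each ancestor's."""
    path = from_path
    while True:
        cand = f"{path}/node_modules/{name}" if path else f"node_modules/{name}"
        if cand in packages:
            return cand
        if not path:
            return None  # not installed (e.g. an optional dependency)
        cut = path.rfind("/node_modules/")
        path = path[:cut] if cut != -1 else ""


def purl_of(packages, path):
    name = path.rsplit("node_modules/", 1)[1]  # keeps '@scope/pkg'
    return f"pkg:npm/{quote(name, safe='/')}@{packages[path]['version']}"


def build_inventory(lock):
    """BFS from the root: depth 1 is direct, deeper is transitive. One record
    per distinct name@version (keyed by purl), carrying its shortest depth."""
    packages = lock["packages"]
    records, root_deps, seen, queue = {}, [], {""}, deque([("", 0)])
    while queue:
        path, depth = queue.popleft()
        children = []
        for dep in packages[path].get("dependencies", {}):
            child = resolve(packages, path, dep)
            if child is None:
                continue
            children.append(purl_of(packages, child))
            if child not in seen:
                seen.add(child)
                queue.append((child, depth + 1))
        if path == "":
            root_deps = children
            continue
        entry, purl = packages[path], purl_of(packages, path)
        rec = records.setdefault(purl, {
            "name": path.rsplit("node_modules/", 1)[1], "version": entry["version"],
            "purl": purl, "depth": depth, "kind": "direct" if depth == 1 else "transitive",
            "license": entry.get("license"), "integrity": entry.get("integrity"),
            "dependsOn": set()})
        rec["dependsOn"].update(children)
    return root_deps, records


def to_cyclonedx(lock, root_deps, records):
    """Serialise the inventory as CycloneDX 1.6 JSON (components + dependency graph)."""
    alg_names = {"sha512": "SHA-512", "sha256": "SHA-256", "sha1": "SHA-1"}
    root = lock["packages"][""]
    root_ref = f"pkg:npm/{quote(root['name'], safe='/')}@{root['version']}"
    components = []
    dependencies = [{"ref": root_ref, "dependsOn": sorted(root_deps)}]
    for purl, r in records.items():
        comp = {"type": "library", "bom-ref": purl, "name": r["name"],
                "version": r["version"], "purl": purl,
                # assumption: depth is carried as a custom property, not a spec field
                "properties": [{"name": "example:depth", "value": str(r["depth"])}]}
        if r["license"]:
            comp["licenses"] = [{"license": {"id": r["license"]}}]
        if r["integrity"]:  # 'sha512-<base64>' -> CycloneDX hex content
            alg, b64 = r["integrity"].split("-", 1)
            comp["hashes"] = [{"alg": alg_names[alg], "content": base64.b64decode(b64).hex()}]
        components.append(comp)
        dependencies.append({"ref": purl, "dependsOn": sorted(r["dependsOn"])})
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "metadata": {"component": {"type": "application", "bom-ref": root_ref,
                                       "name": root["name"], "version": root["version"]}},
            "components": components, "dependencies": dependencies}
```

Running `build_inventory(SAMPLE_LOCK)` yields five records: express and legacy-lib at depth 1 (direct), qs 6.11.0 and qs 6.5.2 both at depth 2 (transitive, as two separate records because they are two different artifacts), and side-channel at depth 3. Keying by purl rather than by package name is what keeps the two qs versions apart; an inventory that collapsed them would lose exactly the information the vulnerability matching step needs.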
AUTOMATED POSTURE

Native CI/CD integration.

SBOMs are generated automatically on every build — no manual triggers, no post-processing step.

sbom-pipeline.yml / run #1824 · passed
triggered by push to main · feat/auth-refactor · a3f91c2

    Checkout commit a3f91c2 ............... 2s
    Install dependencies .................. 8s
    O3 · Generate SBOM for this push ..... 12s
        push detected: main ← feat/auth-refactor
        Resolving dependency graph for commit a3f91c2…
        248 packages inventoried (14 new since last push)
        Audit complete — 247/248 secure
        [email protected] — CVE-2021-23337 (moderate)
        New SBOM v1.824 generated · CycloneDX 1.6
        Signed & published to artifact registry
    Build & deploy production bundle ..... 34s

SBOM v1.824 published automatically on every push · no manual step

All 21 CERT-In mandatory attributes. Automated.

CERT-In SBOM Guidelines v2.0 require 21 attributes per component. O3 generates, normalizes, and maintains every one — continuously, without manual effort.

01
Component Name

Exact identifier of the software component

02
Component Version

Specific release or build version string

03
Component Description

Purpose and function of the component

04
Component Supplier

Origin vendor, maintainer, or publisher

05
Component License

SPDX license identifier and usage rights

06
Component Origin

Source repository or registry URL

07
Component Dependencies

Direct and transitive dependency relationships

08
Vulnerabilities

Known CVEs mapped to this component version

09
Patch Status

Whether a fix is available, pending, or absent

10
Release Date

Date this version was published

11
End-of-Life Date

When vendor support formally ends

12
Criticality

Risk rating based on usage and exposure

13
Usage Restrictions

Export controls, legal constraints, or limitations

14
Checksums / Hashes

SHA-256 or equivalent integrity verification

15
Comments / Notes

Annotations for internal review or audit context

16
Author of SBOM Data

Tool or person that generated this record

17
Timestamp

When this SBOM record was created or updated

18
Executable Property

Whether the component runs as an executable

19
Archive Property

Whether the component is packaged as an archive

20
Structured Property

Format classification of the component artifact

21
Unique Identifier

PURL or CPE for unambiguous global reference

Track, prioritize, and fix with confidence.

Active Vulnerabilities (3) · db_sync: 0.4s ago

    [email protected]   CVE-2023-42282   CRITICAL
    [email protected]   CVE-2022-24999   HIGH
    [email protected]   CVE-2022-25883   MEDIUM
Vulnerability Tracking

Every CVE mapped to every component and version

Vulnerabilities are tracked against the exact component version in your inventory — not a generic package name. Severity, patch availability, and affected version ranges are maintained continuously.
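The difference between matching on a package name and matching on the exact installed version is easy to see on a lockfile that carries two copies of the same package. The script below is an added example written for this page, not O3's matching engine. It uses the OSV record layout (`affected[].package`, `ranges[].events` with `introduced` / `fixed` / `last_affected`) because that is the shape most advisory feeds export, but every advisory identifier, package pairing and version range in it is constructed for the example and is not real advisory data; likewise the inventory is a constructed sample. It derives the patch status from the same range data: a closed interval has a fixed version, an interval that is never closed has no fix yet. One practitioner's caveat: always check the advisory's affected range against the exact version in your inventory before accepting a finding, since the same CVE usually affects several maintenance branches with different fix versions.

```python
"""Match inventory components against advisories by exact affected-version
range, not by package name alone. Added example, not O3's code.
Advisories use the OSV record layout (affected[].package, ranges[].events),
but every id, package and range below is CONSTRUCTED for this example."""

# Constructed inventory records: two copies of qs are installed at different versions.
SAMPLE_INVENTORY = [
    {"purl": "pkg:npm/express@4.18.2", "ecosystem": "npm", "name": "express", "version": "4.18.2"},
    {"purl": "pkg:npm/qs@6.11.0", "ecosystem": "npm", "name": "qs", "version": "6.11.0"},
    {"purl": "pkg:npm/qs@6.5.2", "ecosystem": "npm", "name": "qs", "version": "6.5.2"},
    {"purl": "pkg:npm/side-channel@1.0.4", "ecosystem": "npm", "name": "side-channel", "version": "1.0.4"},
]

# Constructed advisories: hypothetical identifiers and hypothetical ranges.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "database_specific": {"severity": "HIGH"},
     "affected": [{"package": {"ecosystem": "npm", "name": "qs"},
                   "ranges": [{"type": "SEMVER", "events": [
                       {"introduced": "6.5.0"}, {"fixed": "6.5.3"},
                       {"introduced": "6.10.0"}, {"fixed": "6.10.3"}]}]}]},
    {"id": "EXAMPLE-2024-0002", "database_specific": {"severity": "MEDIUM"},
     "affected": [{"package": {"ecosystem": "npm", "name": "side-channel"},
                   "ranges": [{"type": "SEMVER", "events": [
                       {"introduced": "0"}]}]}]},  # interval never closed: no fix yet
]


def parse_version(v):
    """'6.11.0' -> (6, 11, 0). Pre-release/build suffixes are dropped
    (assumption: release numbers alone decide affectedness)."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def affected_interval(version, events):
    """Walk OSV SEMVER events in order. 'introduced' opens an interval; 'fixed'
    closes it exclusively, 'last_affected' inclusively; an interval left open
    means no fix exists. Returns (is_affected, fixed_version_or_None)."""
    v, intro = parse_version(version), None
    for ev in events:
        if "introduced" in ev:
            intro = (0,) if ev["introduced"] == "0" else parse_version(ev["introduced"])
        elif "fixed" in ev:
            if intro is not None and intro <= v < parse_version(ev["fixed"]):
                return True, ev["fixed"]
            intro = None
        elif "last_affected" in ev:
            if intro is not None and intro <= v <= parse_version(ev["last_affected"]):
                return True, None
            intro = None
    if intro is not None and intro <= v:
        return True, None
    return False, None


def match_by_range(inventory, advisories):
    """One finding per (component, advisory) whose range covers the exact version."""
    findings = []
    for comp in inventory:
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if (pkg["ecosystem"], pkg["name"]) != (comp["ecosystem"], comp["name"]):
                    continue
                for rng in aff["ranges"]:
                    if rng["type"] != "SEMVER":
                        continue
                    hit, fixed = affected_interval(comp["version"], rng["events"])
                    if hit:
                        findings.append({
                            "purl": comp["purl"], "id": adv["id"],
                            "severity": adv.get("database_specific", {}).get("severity", "UNKNOWN"),
                            "patch_status": f"patch available: {fixed}" if fixed else "no fix available"})
    return findings


def match_by_name_only(inventory, advisories):
    """The naive approach for comparison: flags every installed version of a named package."""
    names = {(a["package"]["ecosystem"], a["package"]["name"]): adv["id"]
             for adv in advisories for a in adv["affected"]}
    return [{"purl": c["purl"], "id": names[(c["ecosystem"], c["name"])]}
            for c in inventory if (c["ecosystem"], c["name"]) in names]


if __name__ == "__main__":
    for f in match_by_range(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"{f['purl']:<30}{f['id']:<20}{f['severity']:<8}{f['patch_status']}")
    print("name-only matches:", len(match_by_name_only(SAMPLE_INVENTORY, SAMPLE_ADVISORIES)))
```

On the constructed data the range matcher reports two findings (qs 6.5.2 with a fix at 6.5.3, and side-channel 1.0.4 with no fix available) and clears qs 6.11.0, whereas name-only matching would flag all three. The open-ended `introduced: "0"` case is the one to handle carefully: it is how a feed says "every version, no fix yet", and a matcher that only looks for `fixed` events silently drops it.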

Upgrade Simulation: qs 6.11.0 → 6.13.0

    api-gateway    REVIEW      ! Type signature mismatch detected (api-gateway → qs)
    auth-service   NO IMPACT   (auth-service → oauth-client)
Breaking Chain Analysis

Know what upgrading will break before you do it

Before a developer patches a vulnerable dependency, O3 runs an upgrade impact simulation — showing which parts of the codebase are likely to break if the version is bumped.

    1,000+   total CVEs in dependency tree      (all findings)
      340    affecting components in use        (in-use packages)
       87    with reachable code paths          (reachability filter)
       12    fix these now                      (critical paths)
Reachability Analysis

Reachability analysis — fix what actually matters

Not every CVE in your inventory is exploitable in your environment. O3 traces whether vulnerable code paths are actually reachable at runtime — collapsing thousands of findings into a focused, prioritized fix list.
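What "reachable" means in practice is a call-graph question: is there a path from one of the application's entry points to the vulnerable function? The script below is an added example written for this page, not O3's analysis engine. It builds a static call graph for a constructed Python module with the standard `ast` module and walks it from a list of entry points; the application source, the library name `legacy_parser` and the idea that its `parse_deep` function carries a known CVE are all hypothetical inputs for the example. The point it makes is the one in the paragraph above: the vulnerable library is installed and even imported, but only one of its functions sits on a path from the request handler.

```python
"""Toy function-level reachability: is a vulnerable function actually called
from an entry point? Added example, not O3's analysis engine. It builds a
static call graph from Python source with the `ast` module; APP_SOURCE and
the vulnerable symbol are CONSTRUCTED for this example."""
import ast
from collections import deque

# Constructed application module. 'legacy_parser' is a hypothetical library;
# assume legacy_parser.parse_deep is the function named in a CVE.
APP_SOURCE = '''
import legacy_parser

def handle_request(raw):
    params = parse_params(raw)
    return render(params)

def parse_params(raw):
    return legacy_parser.parse_flat(raw)   # unaffected function of the same library

def render(params):
    return str(params)

def admin_import(blob):                    # not called from any entry point
    return legacy_parser.parse_deep(blob)  # the vulnerable sink
'''


def _callee_name(func):
    """Dotted name of a call target ('legacy_parser.parse_deep'), or None for
    targets this toy cannot name statically (call results, subscripts, ...)."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _callee_name(func.value)
        return f"{base}.{func.attr}" if base else None
    return None


def build_call_graph(source):
    """Map each top-level function to the set of call targets inside its body."""
    graph = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            callees = set()
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call):
                    name = _callee_name(sub.func)
                    if name:
                        callees.add(name)
            graph[node.name] = callees
    return graph


def reachable(graph, entry_points):
    """Every call target reachable from the entry points (transitive closure).
    Only local functions expand further; library names are leaves."""
    seen, queue = set(), deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def is_reachable(source, entry_points, vulnerable_symbol):
    return vulnerable_symbol in reachable(build_call_graph(source), entry_points)


if __name__ == "__main__":
    for sym in ("legacy_parser.parse_flat", "legacy_parser.parse_deep"):
        print(sym, "reachable from handle_request:",
              is_reachable(APP_SOURCE, ["handle_request"], sym))
```

With `handle_request` as the only entry point, `legacy_parser.parse_flat` is reachable and `legacy_parser.parse_deep` is not; add `admin_import` to the entry points and the vulnerable sink becomes reachable. This static view under-approximates: functions passed as values, `getattr` dispatch, decorators and framework-registered callbacks produce no `ast.Call` edge here, so a production analysis has to model those (or treat them conservatively as reachable) before it is safe to suppress a finding on the strength of "unreachable".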

Compliance & Audit

Built for Compliance From the Ground Up

Every operational requirement defined by CERT-In — not just the data fields, but how the SBOM is generated, shared, stored, and audited.

CI / CD

Runs in every pipeline.

Automatic on every push — no manual triggers, no gaps between deployments.

Push → Build → Scan → Ship
Access Control

Role-based views.

Separate views for security teams, compliance officers, and auditors.

Security · Compliance · Auditor (each view scoped to its role)
Standards

SPDX & CycloneDX.

Industry-standard formats accepted by regulators and supply-chain partners.

SPDX
CycloneDX
Export

JSON & CSV.

Audit-ready exports — ready for your auditor or regulator.

sbom.json

    {
      "component": "side-channel",
      "severity": "critical"
    }
Sharing

Public & private BOMs.

Share with regulators without exposing internal details. Granular disclosure.

PUBLIC
PRIVATE
Ingestion

Source & binary.

Catches assets that only appear after the build process.

SOURCE: .go, .py, .ts, .java
BINARY: .jar, .bin, .dll
Versioning

Every SBOM, versioned.

Full history of how your security posture has changed over time — immutable and auditable.

v2.1 (Active) · now
v2.0 · Jul 09
v1.2 · Apr 28
Data Residency

Stored inside India.

Three sovereign data centres meet localisation requirements for BFSI entities.

Mumbai (ap-south-1) · Chennai (ap-south-2)
Deployment

Multiple deployment options.

Deploy as SaaS or on-premise depending on your organization's data policies and infrastructure requirements. Full support for air-gapped secure local environments.

SaaS Cloud (fully managed) · On-Prem (self-hosted) · Hybrid (SaaS + on-prem)

Ready to Get Compliant?

Book a demo with our team and see O3 Security SBOM give you a clear picture of your compliance gaps, dependency risks, and what it takes to get audit-ready.

FAQ

Questions, answered.

Everything teams ask before rolling this out. Still stuck? Reach our team.

  • An SBOM is a complete, machine-readable inventory of every software component, library, and dependency in an application, including transitive dependencies. It enables organizations to quickly identify vulnerable components, meet regulatory requirements like EO 14028 and EU CRA, and respond to supply chain attacks like Log4Shell within minutes rather than days.
  • Yes. US Executive Order 14028 (Improving the Nation's Cybersecurity) mandates that software vendors selling to the US federal government provide SBOMs meeting NTIA minimum elements. O3 generates NTIA-compliant SBOMs in both CycloneDX and SPDX formats, covering all required fields including supplier, component name, version, and dependency relationships.
  • O3 supports CycloneDX (1.4, 1.5, 1.6) and SPDX (2.3), the two formats recognized by NTIA, EU CRA, and DoD. SBOMs can be exported as JSON, XML, or tag-value format and integrated into existing security tooling via API.
  • Open-source tools like Syft and Trivy generate component lists but lack reachability analysis, continuous monitoring, and compliance reporting. O3 adds function-level reachability (which vulnerabilities are actually exploitable), real-time drift detection when dependencies change, and pre-built compliance reports for EO 14028, EU CRA, and DoD requirements.
  • Most teams generate their first SBOM within 10 minutes of connecting a repository. O3 integrates with GitHub, GitLab, Bitbucket, and Jenkins via native plugins, with no agent installation required for source-based scanning.