Ingest SBOMs from JFrog Xray, GitHub Dependency Graph, AWS ECR, or direct upload. CVE matching runs continuously; new vulnerabilities create supply chain risk entries with CVSS scoring and fix-version recommendations.
Supported sources are JFrog Xray, GitHub Dependency Graph and AWS ECR, plus direct upload of SBOMs in CycloneDX or SPDX format.
New CVE publications trigger fresh matches against ingested SBOMs. Critical and High severity matches escalate within hours.
Sub-dependencies surface as fourth parties in the supply chain map. Risk tier inherits from the vendor relationship.
Each CVE match includes affected component version range and recommended fix versions where available.
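To make the matching described above concrete, here is an added, self-contained example (not Verisq's code, and not its data model) that walks a constructed CycloneDX-style SBOM, including nested components standing in for sub-dependencies, and checks each component against a constructed vulnerability feed with "introduced"/"fixed" version bounds. The vulnerability identifiers, component names, versions and CVSS scores are all placeholders made up for the example; the severity bands follow the CVSS v3 qualitative scale.

```python
"""Toy SBOM-to-vulnerability matcher (added example; not Verisq's implementation)."""
import json
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed CycloneDX-style SBOM. Nested "components" model transitive
# (sub-)dependencies, the ones a supply chain map shows as fourth parties.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"supplier": {"name": "example-vendor"}},
  "components": [
    {"type": "library", "name": "libfoo", "version": "2.3.1",
     "components": [
       {"type": "library", "name": "libbar", "version": "1.0.4"}
     ]},
    {"type": "library", "name": "libbaz", "version": "4.1.0"}
  ]
}
"""

# Constructed vulnerability feed with placeholder identifiers (no real CVEs).
# "introduced" is inclusive, "fixed" is exclusive; None means no fix published.
VULN_FEED = [
    {"id": "CVE-EXAMPLE-0001", "component": "libbar", "cvss": 9.8,
     "introduced": "1.0.0", "fixed": "1.0.5"},
    {"id": "CVE-EXAMPLE-0002", "component": "libfoo", "cvss": 5.3,
     "introduced": "2.0.0", "fixed": "2.3.1"},   # SBOM already carries the fix
    {"id": "CVE-EXAMPLE-0003", "component": "libbaz", "cvss": 7.5,
     "introduced": "4.0.0", "fixed": None},      # affected, no fix available yet
]


@dataclass
class Match:
    vuln_id: str
    component: str
    version: str
    depth: int                 # 0 = direct dependency, >0 = transitive
    cvss: float
    fix_version: Optional[str]

    @property
    def severity(self) -> str:
        """CVSS v3 qualitative bands."""
        if self.cvss >= 9.0:
            return "Critical"
        if self.cvss >= 7.0:
            return "High"
        if self.cvss >= 4.0:
            return "Medium"
        return "Low"


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare dotted versions by their numeric prefixes ("1.0.4-beta" -> (1, 0, 4)).
    Pre-release tags are ignored, which is sufficient for this demo."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def in_affected_range(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (or no fix exists)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def walk_components(components: list, depth: int = 0) -> Iterator[Tuple[dict, int]]:
    """Depth-first walk over components and their nested sub-components."""
    for comp in components:
        yield comp, depth
        yield from walk_components(comp.get("components", []), depth + 1)


def match_sbom(sbom_text: str, feed: list) -> List[Match]:
    """Return every (component, vulnerability) hit, highest CVSS first."""
    sbom = json.loads(sbom_text)
    matches = []
    for comp, depth in walk_components(sbom.get("components", [])):
        for vuln in feed:
            if vuln["component"] != comp["name"]:
                continue
            if in_affected_range(comp["version"], vuln["introduced"], vuln["fixed"]):
                matches.append(Match(vuln["id"], comp["name"], comp["version"],
                                     depth, vuln["cvss"], vuln["fixed"]))
    matches.sort(key=lambda m: m.cvss, reverse=True)
    return matches


def escalations(matches: List[Match]) -> List[Match]:
    """Subset that would be escalated promptly: Critical and High only."""
    return [m for m in matches if m.severity in ("Critical", "High")]


if __name__ == "__main__":
    for m in match_sbom(SBOM_JSON, VULN_FEED):
        fix = m.fix_version or "no fix available"
        kind = "direct" if m.depth == 0 else f"transitive (depth {m.depth})"
        print(f"{m.vuln_id}: {m.component} {m.version} [{kind}] "
              f"{m.severity} (CVSS {m.cvss}) -> upgrade to {fix}")
```

Running the block reports two hits: the transitive `libbar` at Critical with a fix version, and `libbaz` at High with none; `libfoo` is skipped because 2.3.1 is exactly the fixed version and the upper bound is exclusive. Re-running `match_sbom` whenever the feed gains an entry is the "new CVE publication triggers a fresh match" loop in miniature.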
Verisq's SBOM & Supply Chain is part of the Trust Operations Platform — one data model, one audit trail, one auditor seat.