Supply Chain Monitoring.

SBOM ingestion in CycloneDX or SPDX. Three native registry connectors — JFrog Xray, GitHub Dependency Graph, AWS Inspector — plus the generic ingest endpoint. Continuous CVE matching. Auto-routing to ServiceNow AVR, Jira, or PagerDuty by severity.

Ingest the SBOM

CycloneDX 1.4+ and SPDX 2.3+ supported. Native pull connectors for JFrog Xray, GitHub Dependency Graph, and AWS Inspector. Generic ingest endpoint for any CycloneDX-emitting toolchain.

Continuous CVE matching

NVD-sourced CVE database refreshed every six hours. Correlation runs against every ingested SBOM continuously — new CVE published this morning, your matched components surface this afternoon, not on next quarter's review cycle.

Severity-based routing

Critical-severity findings escalate to PagerDuty for on-call rotation. High and below land as ServiceNow Application Vulnerable Items in the AVR module, or as Jira tickets, or as Microsoft Teams Adaptive Cards — routing rules configurable per tenant.
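The ingest, match and route flow described above, as an added Python sketch that is not the product's own code. It assumes a CycloneDX JSON SBOM, exact purl matching instead of version-range matching, and a single `ticket` destination standing in for the per-tenant ServiceNow AVR, Jira or Teams choice; the SBOM, the advisory feed and its IDs are constructed placeholders.

```python
import json

# Constructed CycloneDX 1.4 SBOM (sample data, not from a real project).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libalpha", "version": "2.1.0",
         "purl": "pkg:pypi/libalpha@2.1.0"},
        {"type": "library", "name": "libbeta", "version": "0.9.3",
         "purl": "pkg:npm/libbeta@0.9.3"},
        {"type": "library", "name": "libgamma", "version": "1.0.0",
         "purl": "pkg:pypi/libgamma@1.0.0"},
    ],
})

# Constructed advisory feed keyed by purl; IDs are placeholders, not real CVEs.
SAMPLE_ADVISORIES = {
    "pkg:pypi/libalpha@2.1.0": [("CVE-PLACEHOLDER-0001", "critical")],
    "pkg:npm/libbeta@0.9.3": [("CVE-PLACEHOLDER-0002", "medium")],
}

def load_components(sbom_text):
    """Return purls from a CycloneDX JSON SBOM, rejecting versions below 1.4."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    major, minor = (int(p) for p in bom.get("specVersion", "0.0").split(".")[:2])
    if (major, minor) < (1, 4):
        raise ValueError("CycloneDX 1.4 or later required")
    # Components without a purl cannot be matched here; skip them.
    return [c["purl"] for c in bom.get("components", []) if c.get("purl")]

def route(severity):
    """Critical goes to on-call paging; high and below go to the ticket queue."""
    return "pagerduty" if severity.lower() == "critical" else "ticket"

def correlate(sbom_text, advisories):
    """Match each component against the feed and attach a routing destination."""
    findings = []
    for purl in load_components(sbom_text):
        for advisory_id, severity in advisories.get(purl, []):
            findings.append((purl, advisory_id, severity, route(severity)))
    return findings
```

Re-running `correlate` over stored SBOMs each time the advisory feed refreshes is what surfaces a newly published CVE against components that were ingested earlier.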

Enterprise-only

SBOM ingestion, CVE correlation, supply-chain alerts, license policy enforcement, and the breach intelligence feed all require an Enterprise tenant.

Stop chasing CVEs across spreadsheets. Ingest the SBOM.

SBOM Ingestion & Monitoring is included in Enterprise.