Skip to main content
Root maintains a current SBOM for every artifact in its registries. SBOMs are updated automatically when Root Patches are applied and are available for download at any time.

SBOM Report Types

Root generates SBOMs at two levels: Per-image SBOM: A complete package inventory for a specific container image tag. Includes all OS packages, language runtimes, and installed application dependencies found in the image - both before and after Root Patches are applied. The post-patch SBOM reflects the current patched state. Per-package SBOM: For application packages on pkg.root.io, a component-level inventory of what’s in the patched package version. Both types are updated every time a new Root Patch is applied to the artifact.

Accessing SBOMs

Via the Root platform UI:
  1. Navigate to your subscribed image or package
  2. Click the SBOM button in the artifact panel
  3. The SBOM downloads directly to your browser
Via the Root API: For container images: 
# Get SBOM download URL for an image tag
curl -H "Authorization: Bearer $ROOT_TOKEN" \
  "https://api.root.io/v1/images/tags/{rrtID}/sbom"

# The response includes a presigned URL - fetch the SBOM from it:
curl -o sbom.json "https://..."
For application packages (via Package Catalog): 
curl -H "Authorization: Bearer $ROOT_TOKEN" \
  "https://pkg.root.io/packages/ecosystems/{ecosystem}/packages/{name}/versions/{version}/details"
OCI annotations (for container images): SBOMs are attached to images as OCI annotations and can be retrieved using cosign or oras: 
# Using cosign
cosign download attestation cr.root.io/python:3.12-slim | \
  jq '.payload | @base64d | fromjson | .predicate'

# Using oras
oras discover cr.root.io/python:3.12-slim

SBOM Formats

Root generates SBOMs in two industry-standard formats:
FormatVersionUse Case
CycloneDX1.5Preferred for vulnerability analysis tooling (Grype, Dependency-Track)
SPDX2.3Preferred for compliance and legal workflows
Root-specific fields:
  • rootio:patch_applied - indicates which Root Patch was applied to a component
  • rootio:original_version - the original vulnerable version before patching
  • rootio:avr_id - the AVR pipeline run that produced this SBOM
Both formats include standard fields: component name, version, package URL (PURL), license, and known CVE references.

Continuous SBOM Updates

SBOMs are versioned - a new SBOM is generated each time Root applies a patch to an artifact. Detecting changes between versions: Each SBOM includes a timestamp field reflecting when it was generated. Compare SBOMs over time to track exactly which packages changed and when: 
# Compare two SBOMs using a diff tool
diff <(jq '.components | sort_by(.name)' sbom-before.json) \
     <(jq '.components | sort_by(.name)' sbom-after.json)
The Root platform’s Patch Explorer provides a built-in before/after comparison view for each patch event.

Integrating SBOMs with External Tools

Grype (vulnerability scanning): 
grype sbom:sbom.json
Root’s VEX statements can be passed alongside the SBOM to suppress already-patched findings: 
grype sbom:sbom.json --vex vex.json
Trivy: 
trivy sbom sbom.json
Dependency-Track: Import Root SBOMs directly into Dependency-Track for continuous monitoring:
  1. In Dependency-Track, navigate to Projects → Import BOM
  2. Select your Root SBOM file (CycloneDX format)
  3. Dependency-Track automatically correlates components against its vulnerability database
Anchore / Syft: Root SBOMs are compatible with Syft’s JSON schema and can be ingested by Anchore Enterprise for policy evaluation.