> ## Documentation Index > Fetch the complete documentation index at: https://docs.root.io/llms.txt > Use this file to discover all available pages before exploring further. # SBOM Reports > Accessing and exporting SBOMs for every image and package managed by Root. Root maintains a current SBOM for every artifact in its registries. SBOMs are updated automatically when Root Patches are applied and are available for download at any time. ## SBOM Report Types Root generates SBOMs at two levels: **Per-image SBOM:** A complete package inventory for a specific container image tag. Includes all OS packages, language runtimes, and installed application dependencies found in the image - both before and after Root Patches are applied. The post-patch SBOM reflects the current patched state. **Per-package SBOM:** For application packages on `pkg.root.io`, a component-level inventory of what's in the patched package version. Both types are updated every time a new Root Patch is applied to the artifact. ## Accessing SBOMs **Via the Root platform UI:** 1. Navigate to your subscribed image or package 2. Click the **SBOM** button in the artifact panel 3. The SBOM downloads directly to your browser **Via the Root API:** For container images: ```bash theme={null} # Get SBOM download URL for an image tag curl -H "Authorization: Bearer $ROOT_TOKEN" \ "https://api.root.io/v1/images/tags/{rrtID}/sbom" # The response includes a presigned URL - fetch the SBOM from it: curl -o sbom.json "https://..." ``` For application packages (via Package Catalog): ```bash theme={null} curl -H "Authorization: Bearer $ROOT_TOKEN" \ "https://pkg.root.io/packages/ecosystems/{ecosystem}/packages/{name}/versions/{version}/details" ``` **OCI annotations (for container images):** SBOMs are attached to images as OCI annotations and can be retrieved using `cosign` or `oras`: ```bash theme={null} # Using cosign cosign download attestation cr.root.io/python:3.12-slim | \ jq '.payload | @base64d | fromjson | .predicate' # Using oras oras discover cr.root.io/python:3.12-slim ``` ## SBOM Formats Root generates SBOMs in two industry-standard formats: | Format | Version | Use Case | | ------------- | ------- | ---------------------------------------------------------------------- | | **CycloneDX** | 1.5 | Preferred for vulnerability analysis tooling (Grype, Dependency-Track) | | **SPDX** | 2.3 | Preferred for compliance and legal workflows | **Root-specific fields:** * `rootio:patch_applied` - indicates which Root Patch was applied to a component * `rootio:original_version` - the original vulnerable version before patching * `rootio:avr_id` - the AVR pipeline run that produced this SBOM Both formats include standard fields: component name, version, package URL (PURL), license, and known CVE references. ## Continuous SBOM Updates SBOMs are versioned - a new SBOM is generated each time Root applies a patch to an artifact. **Detecting changes between versions:** Each SBOM includes a `timestamp` field reflecting when it was generated. Compare SBOMs over time to track exactly which packages changed and when: ```bash theme={null} # Compare two SBOMs using a diff tool diff <(jq '.components | sort_by(.name)' sbom-before.json) \ <(jq '.components | sort_by(.name)' sbom-after.json) ``` The Root platform's Patch Explorer provides a built-in before/after comparison view for each patch event. ## Integrating SBOMs with External Tools **Grype (vulnerability scanning):** ```bash theme={null} grype sbom:sbom.json ``` Root's VEX statements can be passed alongside the SBOM to suppress already-patched findings: ```bash theme={null} grype sbom:sbom.json --vex vex.json ``` **Trivy:** ```bash theme={null} trivy sbom sbom.json ``` **Dependency-Track:** Import Root SBOMs directly into Dependency-Track for continuous monitoring: 1. In Dependency-Track, navigate to **Projects → Import BOM** 2. Select your Root SBOM file (CycloneDX format) 3. Dependency-Track automatically correlates components against its vulnerability database **Anchore / Syft:** Root SBOMs are compatible with Syft's JSON schema and can be ingested by Anchore Enterprise for policy evaluation.