How does it work?


  • Identify components beyond what is explicitly declared by package managers or manifest files, such as Maven and pom.xml, with multifactor open source discovery
  • Identify and track third-party and proprietary components
  • Export SBOMs in SPDX or CycloneDX file structures with NTIA minimum SBOM elements populated
  • Scan at multiple points in the application pipeline to build the most accurate SBOMs with the least amount of friction
  • Produce SBOMs for applications without needing access to source code
  • Match identified components to related areas of risk
  • Continuously monitor identified components for newly surfaced security and operational risk

Leading the way



In the meantime, see why Black Duck is a Leader in Application Security Testing.