> For the complete documentation index, see [llms.txt](https://docs.arnica.io/arnica-documentation/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.arnica.io/arnica-documentation/inventory/software-bill-of-materials-sbom.md).

# Software Bill of Materials (SBOM)

## Comprehensive SBOM with full coverage

Arnica's SBOM page provides a comprehensive list of all packages used within your source code. The SBOM inventory is filterable, searchable, and exportable in enriched CycloneDX format. It covers all repositories integrated with Arnica and is refreshed weekly on free plans and daily on Team plans and above.

Arnica's SBOM shows top-level package and CVE counts for each repository. Expanding a repository provides file and package-level detail for each package, including enriched context such as the package's license type, OpenSSF Scorecard rating, number of stars, and reputation trend.

<figure><img src="/files/JS8ooHgdQbIKCJ6Awml6" alt=""><figcaption></figcaption></figure>

## Filtering and searching the SBOM

The SBOM page includes a set of filters that let you quickly narrow results, from broad SCM-level filtering to pinpointing exposure from active supply chain attacks.

<figure><img src="/files/yPx9HTsEuB2OpdoPPcqG" alt=""><figcaption><p>The full filter panel on the SBOM page</p></figcaption></figure>

| Filter                      | What it does                                                                                                                                                                                                                                                                                                               |
| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Search**                  | Search by package name, version, or `package@version`. Supports wildcards, e.g. `log4j-core@2.10.x` to match all 2.10.x releases.                                                                                                                                                                                          |
| **Match Multiple Packages** | When enabled, enter a comma- or space-separated list of packages to match any of them simultaneously.                                                                                                                                                                                                                      |
| **Zero Day**                | Filter by an active supply chain attack campaign. When a supply chain attack breaks, use this to see exactly which repositories and teams are exposed in minutes, not days. Campaigns show a **NEW** badge when published within the last 7 days, along with the affected libraries, associated CVEs, and reference links. |
| **Detected In**             | Filter by where the package was detected: **Source** (source code repositories), **Container** (container images), or **API** (uploaded SBOM artifacts).                                                                                                                                                                   |
| **Asset**                   | Drill down by **SCM Type**, **Organization**, **Project**, **Repository**, and **Branch**. Each level filters the options in the next, so selecting an org narrows the repo list accordingly.                                                                                                                              |

{% hint style="info" %}
Filters are applied independently from the search bar and produce a combined result. For example, you can filter by Organization and search for a package name at the same time.
{% endhint %}

### Group by packages

Toggle **Group by packages** to switch from a repository-centric view to a package-centric view. In this mode, the table shows each unique package across all repositories along with its license type, which is useful for broad license auditing or for spotting a vulnerable package across many repositories at once.

## Searching within the SBOM report

You can search for assets, packages, or licenses using the search bar. Results are limited to entries that include the search string. For example, searching for `LGPL` will show only packages using the LGPL license type. When expanding a repository's dependency list, only packages matching the search are shown.

## Export formats

Arnica's SBOM report is exportable in JSON and CSV formats. JSON exports conform to CycloneDX and include the enriched vulnerability and package context that is displayed in the UI.

To export SBOM artifacts, select the repositories you want to include and click **Download SBOMs For Selected** in the upper-right corner.

<figure><img src="/files/02Fh6bAguK4ZUsjgPmdQ" alt=""><figcaption></figcaption></figure>
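As an added example (not Arnica's own code), the script below reads a CycloneDX JSON export of the kind described above, applies the same `name@version` wildcard search the SBOM search bar accepts (for example `log4j-core@2.10.x`), and lists the matching components with the vulnerability ids attached to them; it also counts components per license, the kind of audit the package-centric view supports. The JSON document is constructed for illustration, and the wildcard semantics (an `x` version segment matching any value) and the placeholder CVE id are assumptions, since the exact export schema is not shown on this page.

```python
import fnmatch
import json

# Constructed sample in the CycloneDX 1.4 JSON shape; not a real Arnica export.
SAMPLE_EXPORT = """{"bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "bom-ref": "c1", "name": "log4j-core", "version": "2.10.0",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.10.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "bom-ref": "c2", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "bom-ref": "c3", "name": "example-widget", "version": "1.0.0",
     "purl": "pkg:npm/example-widget@1.0.0", "licenses": [{"license": {"id": "LGPL-2.1-only"}}]}
  ],
  "vulnerabilities": [{"id": "CVE-PLACEHOLDER-0001", "affects": [{"ref": "c1"}]}]
}"""
SAMPLE_BOM = json.loads(SAMPLE_EXPORT)


def version_matches(pattern: str, version: str) -> bool:
    # An 'x' segment (as in 2.10.x) or '*' is a wildcard; other segments must match exactly.
    glob = ".".join("*" if seg.lower() == "x" else seg for seg in pattern.split("."))
    return fnmatch.fnmatchcase(version, glob)


def package_matches(pattern: str, name: str, version: str) -> bool:
    # Mirrors the search-bar forms: name, version, or name@version (semantics assumed here).
    if "@" in pattern:
        pname, pver = pattern.split("@", 1)
        return fnmatch.fnmatchcase(name, pname) and version_matches(pver, version)
    return fnmatch.fnmatchcase(name, pattern) or version_matches(pattern, version)


def find_exposed(bom: dict, pattern: str) -> list:
    # Matching components, each with the vulnerability ids whose 'affects' refs point at its bom-ref.
    cves_by_ref: dict = {}
    for vuln in bom.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            cves_by_ref.setdefault(affected["ref"], []).append(vuln["id"])
    return [{"purl": c.get("purl"), "version": c.get("version"),
             "cves": cves_by_ref.get(c.get("bom-ref"), [])}
            for c in bom.get("components", [])
            if package_matches(pattern, c["name"], c.get("version", ""))]


def license_counts(bom: dict) -> dict:
    # Components per SPDX license id: the package-centric license audit the UI groups by.
    counts: dict = {}
    for c in bom.get("components", []):
        for lic in c.get("licenses", []):
            lic_id = lic.get("license", {}).get("id", "UNKNOWN")
            counts[lic_id] = counts.get(lic_id, 0) + 1
    return counts
```

Run against a real export by replacing `SAMPLE_EXPORT` with the contents of the downloaded JSON file; `find_exposed(bom, "log4j-core@2.10.x")` then returns only the 2.10.x components together with their attached vulnerability ids.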

## License report exports

License-focused reporting supports additional export formats: where available, PDF and HTML views are offered in addition to CSV.

## API availability

Arnica's API supports reading findings and risk data, but full SBOM export artifacts are currently generated from the UI export workflow.

## Troubleshooting

### SBOM data appears stale

If the package inventory is not refreshing:

1. Confirm recent pushes reached the monitored branch.
2. Wait for the next scheduled processing cycle.
3. Verify integration health (for example, integration token validity and repository access).

### Dependency files in subfolders are not reflected

Arnica scans manifests recursively. If expected package files are missing from the SBOM:

* Confirm manifests and lock files are committed.
* Confirm paths are not excluded by repository or policy configuration.
* Re-check after the next processing cycle following a push.

