SBOM Scope & Lifecycle
An SBOM (Software Bill of Materials) is generated at the scope you choose; the common choice is one SBOM per branch, so that every branch has its own inventory of what it actually builds and ships.
What “Branch-Level SBOM” Means
- Each branch can produce a different SBOM, because branches can differ in dependencies, pinned versions, and build or manifest files
- Each branch SBOM is tied directly to the findings produced from it:
  - SCA vulnerability findings
  - License findings
  - Reachability context (where supported)
SBOM Lifecycle:
- A scan runs on each PR or branch
- Dependencies are discovered from the branch's manifests and lockfiles and normalized (one canonical name and version per package)
- The SBOM is generated and stored in your S3-compatible bucket
- The stored SBOM can be exported and used for audits, compliance, and supply-chain reporting
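The following is an added example, not the product's own pipeline, showing the lifecycle above end to end for two branches: discover pinned dependencies, normalize names, generate a minimal CycloneDX 1.5 BOM per branch, store it under a branch- and commit-specific key with a SHA-256 digest as object metadata, and diff the two branch SBOMs to see what a PR scan would attach new findings to. The lockfile contents, repository name, commit ids, bucket name and the `vcs:branch` property are constructed for illustration. The `MemoryBucket` class stands in for an S3-compatible client; it exposes `put_object` with boto3's keyword signature so `store_sbom` runs unchanged against `boto3.client("s3", endpoint_url=...)`.

```python
"""Generate, store and diff branch-level CycloneDX SBOMs (added example)."""
import hashlib
import json
import re
import uuid

# Constructed lockfile snapshots for two branches of the same repository.
LOCKFILES = {
    "main": "requests==2.31.0\nurllib3==2.0.7\ncertifi==2023.7.22\n",
    "feature/upload": (
        "requests==2.31.0\n"
        "urllib3==2.2.1  # bumped on this branch\n"
        "certifi==2023.7.22\n"
        "boto3==1.34.0\n"
    ),
}


def parse_requirements(text):
    """Discover pinned dependencies in a requirements-style lockfile.

    Names are normalized per PEP 503 (lowercase, runs of '-', '_', '.' collapsed
    to '-') so one package cannot appear twice under different spellings.
    Unpinned lines are rejected: an SBOM built from a range is not reproducible.
    """
    comps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency: {line!r}")
        name, version = (s.strip() for s in line.split("==", 1))
        comps[re.sub(r"[-_.]+", "-", name).lower()] = version
    return sorted(comps.items())


def build_cyclonedx(repo, branch, commit, components, timestamp):
    """Assemble a minimal CycloneDX 1.5 JSON BOM for one branch.

    The serial number is derived from repo/branch/commit, so re-scanning the
    same commit yields the same identifier; different branches never collide.
    """
    serial = uuid.uuid5(uuid.NAMESPACE_URL, f"{repo}/{branch}/{commit}")
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{serial}",
        "version": 1,
        "metadata": {
            "timestamp": timestamp,
            "component": {"type": "application", "name": repo, "version": commit},
            # "vcs:branch" is a hypothetical property name chosen for this example.
            "properties": [{"name": "vcs:branch", "value": branch}],
        },
        "components": [
            {"type": "library", "name": n, "version": v, "purl": f"pkg:pypi/{n}@{v}"}
            for n, v in components
        ],
    }


def object_key(repo, branch, commit):
    """One object per (repo, branch, commit); '/' in branch names is a valid key separator."""
    return f"sbom/{repo}/{branch}/{commit}.cdx.json"


class MemoryBucket:
    """In-memory stand-in for an S3-compatible client (same put_object keywords as boto3)."""

    def __init__(self):
        self.objects = {}

    def put_object(self, Bucket, Key, Body, Metadata=None):
        self.objects[(Bucket, Key)] = (Body, Metadata or {})


def store_sbom(client, bucket, repo, branch, commit, bom):
    """Serialize canonically, record the SHA-256 as object metadata, upload."""
    body = json.dumps(bom, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(body).hexdigest()
    key = object_key(repo, branch, commit)
    client.put_object(Bucket=bucket, Key=key, Body=body, Metadata={"sha256": digest})
    return key, digest


def diff_components(base, head):
    """Delta of a head branch against its base: the packages new findings attach to."""
    b, h = dict(base), dict(head)
    return {
        "added": sorted((n, v) for n, v in h.items() if n not in b),
        "removed": sorted((n, v) for n, v in b.items() if n not in h),
        "changed": sorted((n, b[n], h[n]) for n in b if n in h and b[n] != h[n]),
    }


def scan_branch(client, bucket, repo, branch, commit, lockfile, timestamp="2024-01-01T00:00:00Z"):
    """The lifecycle for one branch: discover, normalize, generate, store."""
    comps = parse_requirements(lockfile)
    bom = build_cyclonedx(repo, branch, commit, comps, timestamp)
    key, digest = store_sbom(client, bucket, repo, branch, commit, bom)
    return bom, key, digest


if __name__ == "__main__":
    client = MemoryBucket()
    base, _, _ = scan_branch(client, "sbom-archive", "acme/app", "main", "a1b2c3", LOCKFILES["main"])
    head, key, digest = scan_branch(client, "sbom-archive", "acme/app", "feature/upload", "d4e5f6",
                                    LOCKFILES["feature/upload"])
    print(key, digest)
    print(json.dumps(diff_components([(c["name"], c["version"]) for c in base["components"]],
                                     [(c["name"], c["version"]) for c in head["components"]]), indent=2))
```

Running it stores two objects under `sbom/acme/app/main/...` and `sbom/acme/app/feature/upload/...` and reports that the feature branch added `boto3` and bumped `urllib3`; those two components are exactly where a PR-scoped SCA or license finding would appear, while the unchanged packages are already covered by the base branch's SBOM. The digest stored as object metadata lets an auditor check an exported SBOM against what was archived at scan time.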