Upload and analyze an SBOM file
When you upload an SBOM file to the Threat detection page, DigiCert will:
Analyze the information from a previous threat detection scan
Display findings in DigiCert ONE
After the analysis is complete, critical data is displayed on the Threat detection details page. This information helps you understand your organization’s security posture, including the criticality of each detected vulnerability.
Before you begin
To upload an SBOM file and initiate a threat detection analysis, you must:
Ensure the file meets the following requirements:
Supported file format: JSON
Supported file size: up to 50MB
Assign the SBOM to a project
A project allows you to organize and group related software scans, such as different versions of the same software.
This step will be included in the Upload an SBOM file and initiate a threat detection analysis section.
To learn more, see Projects.
Assign the file to a release (optional)
A release ensures that SBOM data is managed based on the security policies and rules configured within the release window.
This step will be included in the Upload an SBOM file and initiate a threat detection analysis section.
To learn more, see Releases.
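A pre-upload check for the file requirements above, added here as an example that is not part of this DigiCert documentation: it confirms the file parses as JSON and is within the 50MB limit, and, as an assumption the page does not state, checks whether the document looks like a CycloneDX or SPDX SBOM. The sample SBOM embedded in the block is constructed for the example.

```python
import json
import os

# The page states the upload limits: JSON format, up to 50MB.
# Assumption: 50MB is taken here as 50 * 1024 * 1024 bytes.
MAX_SBOM_BYTES = 50 * 1024 * 1024

# Constructed sample: a minimal CycloneDX 1.5 SBOM with two components.
SAMPLE_CYCLONEDX = b"""{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"type": "library", "name": "example-lib", "version": "2.3.1"},
    {"type": "library", "name": "other-lib", "version": "0.9.0"}
  ]
}"""

def inspect_sbom_bytes(data, name="sbom.json"):
    """Check raw SBOM bytes against the upload requirements.
    Returns a dict: ok (bool), problems (list of str), format (str),
    components (int). Assumption: the SBOM is CycloneDX or SPDX JSON;
    the page only says "json", so the schema detection is a heuristic.
    """
    r = {"ok": False, "problems": [], "format": "unknown", "components": 0}
    if len(data) > MAX_SBOM_BYTES:
        r["problems"].append(f"{len(data)} bytes exceeds the 50MB limit")
    if not name.lower().endswith(".json"):
        r["problems"].append("file name does not end in .json")
    try:
        doc = json.loads(data)  # UnicodeDecodeError is a ValueError
    except ValueError as exc:
        r["problems"].append(f"not valid JSON: {exc}")
        return r
    if not isinstance(doc, dict):
        r["problems"].append("top-level JSON value is not an object")
        return r
    if doc.get("bomFormat") == "CycloneDX":
        r["format"] = "CycloneDX " + str(doc.get("specVersion", "?"))
        r["components"] = len(doc.get("components") or [])
    elif isinstance(doc.get("spdxVersion"), str):
        r["format"] = doc["spdxVersion"]
        r["components"] = len(doc.get("packages") or [])
    else:
        r["problems"].append("JSON is not recognisably CycloneDX or SPDX")
    r["ok"] = not r["problems"]
    return r

def inspect_sbom_file(path):
    """Read a file from disk and run the same checks on its contents."""
    with open(path, "rb") as fh:
        return inspect_sbom_bytes(fh.read(), os.path.basename(path))
```

Run `inspect_sbom_file("path/to/sbom.json")` before uploading; any entry in `problems` is something the upload will reject or that the analysis cannot use.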
Upload an SBOM file and initiate a threat detection analysis
Sign in to DigiCert ONE.
Navigate to the Manager menu (top right) > Software Trust.
In Software Trust, go to Threat detection.
Select Upload SBOM.
Drag and drop a file, or browse for it using Windows Explorer.
You can upload multiple files.
When you upload a file, the Your files table will appear and display newly added files.
Click Save and continue to manage and configure these files.
Complete the missing fields:
For Scan alias, enter a descriptive name for the scan.
For Version, enter a version identifier that follows your own versioning system.
Select an existing project or select Don't have a project? to create a new project. To learn how to create a project, see Create a project.
Every uploaded SBOM file must be assigned to a project; however, it is optional to also assign a release.
(Optional) Select an existing release or select Don't have a release? to create a new release. To learn how to create a release, see Create release.
When you select a project, the list of releases is filtered to show only releases that are associated with the selected project and have a Detect or Detect and sign purpose.
Select Save and continue.
DigiCert ONE will begin to analyze your uploaded file.
To track the analysis, in the Threat detection listing page, review the Status column. A Fail or Pass value for Status indicates that the analysis is complete, and you can view the scan details.
Click Close.
To view and understand scan results, see Review scan results.