---
title: Get SBOM
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > API Reference > Security Monitoring
---

# Get SBOM{% #get-sbom %}
{% tab title="v2" %}

| Datadog site      | API endpoint                                                         |
| ----------------- | -------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security/sboms/{asset_type} |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security/sboms/{asset_type} |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security/sboms/{asset_type}      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security/sboms/{asset_type}      |
| us2.ddog-gov.com  | GET https://api.us2.ddog-gov.com/api/v2/security/sboms/{asset_type}  |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security/sboms/{asset_type}     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security/sboms/{asset_type} |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security/sboms/{asset_type} |

### Overview

Get a single SBOM related to an asset by its type and name. This endpoint requires the `appsec_vm_read` permission.

### Arguments

#### Path Parameters

| Name                         | Type   | Description                                 |
| ---------------------------- | ------ | ------------------------------------------- |
| asset_type [*required*] | string | The type of the asset for the SBOM request. |

#### Query Strings

| Name                                 | Type   | Description                                                                                                                 |
| ------------------------------------ | ------ | --------------------------------------------------------------------------------------------------------------------------- |
| filter[asset_name] [*required*] | string | The name of the asset for the SBOM request.                                                                                 |
| filter[repo_digest]                  | string | The container image `repo_digest` for the SBOM request. When the requested asset type is 'Image', this filter is mandatory. |
| ext:format                           | enum   | The standard of the SBOM. Allowed enum values: `CycloneDX, SPDX`                                                            |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The expected response schema when getting an SBOM.

| Parent field | Field                          | Type     | Description                                                                                                                                                                                        |
| ------------ | ------------------------------ | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data [*required*]         | object   | A single SBOM                                                                                                                                                                                      |
| data         | attributes                     | object   | The JSON:API attributes of the SBOM.                                                                                                                                                               |
| attributes   | bomFormat [*required*]    | string   | Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention, nor does JSON schema support namespaces. This value MUST be `CycloneDX`. |
| attributes   | components [*required*]   | [object] | A list of software and hardware components.                                                                                                                                                        |
| components   | bom-ref                        | string   | An optional identifier that can be used to reference the component elsewhere in the BOM.                                                                                                           |
| components   | licenses                       | [object] | The software licenses of the SBOM component.                                                                                                                                                       |
| licenses     | license [*required*]      | object   | The software license of the component of the SBOM.                                                                                                                                                 |
| license      | name [*required*]         | string   | The name of the software license of the component of the SBOM.                                                                                                                                     |
| components   | name [*required*]         | string   | The name of the component. This will often be a shortened, single name of the component.                                                                                                           |
| components   | properties                     | [object] | The custom properties of the component of the SBOM.                                                                                                                                                |
| properties   | name [*required*]         | string   | The name of the custom property of the component of the SBOM.                                                                                                                                      |
| properties   | value [*required*]        | string   | The value of the custom property of the component of the SBOM.                                                                                                                                     |
| components   | purl                           | string   | Specifies the package-url (purl). The purl, if specified, MUST be valid and conform to the [specification](https://github.com/package-url/purl-spec).                                              |
| components   | supplier [*required*]     | object   | The supplier of the component.                                                                                                                                                                     |
| supplier     | name [*required*]         | string   | Identifier of the supplier of the component.                                                                                                                                                       |
| components   | type [*required*]         | enum     | The SBOM component type. Allowed enum values: `application,container,data,device,device-driver,file,firmware,framework,library,machine-learning-model`                                             |
| components   | version [*required*]      | string   | The component version.                                                                                                                                                                             |
| attributes   | dependencies [*required*] | [object] | List of dependencies between components of the SBOM.                                                                                                                                               |
| dependencies | dependsOn                      | [string] | The components that are dependencies of the ref component.                                                                                                                                         |
| dependencies | ref                            | string   | The identifier for the related component.                                                                                                                                                          |
| attributes   | metadata [*required*]     | object   | Provides additional information about a BOM.                                                                                                                                                       |
| metadata     | authors                        | [object] | List of authors of the SBOM.                                                                                                                                                                       |
| authors      | name                           | string   | The identifier of the Author of the SBOM.                                                                                                                                                          |
| metadata     | component                      | object   | The component that the BOM describes.                                                                                                                                                              |
| component    | name                           | string   | The name of the component. This will often be a shortened, single name of the component.                                                                                                           |
| component    | type                           | string   | Specifies the type of the component.                                                                                                                                                               |
| metadata     | timestamp                      | string   | The timestamp of the SBOM creation.                                                                                                                                                                |
| attributes   | serialNumber [*required*] | string   | Every BOM generated has a unique serial number, even if the contents of the BOM have not changed over time. The serial number follows [RFC-4122](https://datatracker.ietf.org/doc/html/rfc4122).   |
| attributes   | specVersion [*required*]  | enum     | The version of the CycloneDX specification a BOM conforms to. Allowed enum values: `1.0,1.1,1.2,1.3,1.4,1.5`                                                                                       |
| attributes   | version [*required*]      | int64    | It increments when a BOM is modified. The default value is 1.                                                                                                                                      |
| data         | id                             | string   | The unique ID for this SBOM. It is equivalent to the `asset_name`, or to `asset_name@repo_digest` for an Image asset.                                                                              |
| data         | type                           | enum     | The JSON:API type. Allowed enum values: `sboms`                                                                                                                                                    |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "bomFormat": "CycloneDX",
      "components": [
        {
          "bom-ref": "pkg:golang/google.golang.org/grpc@1.68.1",
          "licenses": [
            {
              "license": {
                "name": "MIT"
              }
            }
          ],
          "name": "google.golang.org/grpc",
          "properties": [
            {
              "name": "license_type",
              "value": "permissive"
            }
          ],
          "purl": "pkg:golang/google.golang.org/grpc@1.68.1",
          "supplier": {
            "name": "https://go.dev"
          },
          "type": "application",
          "version": "1.68.1"
        }
      ],
      "dependencies": [
        {
          "dependsOn": [
            "pkg:golang/google.golang.org/grpc@1.68.1"
          ],
          "ref": "Repository|github.com/datadog/datadog-agent"
        }
      ],
      "metadata": {
        "authors": [
          {
            "name": "Datadog, Inc."
          }
        ],
        "component": {
          "name": "github.com/datadog/datadog-agent",
          "type": "application"
        },
        "timestamp": "2025-07-08T07:24:53Z"
      },
      "serialNumber": "urn:uuid:f7119d2f-1vgh-24b5-91f0-12010db72da7",
      "specVersion": "1.5",
      "version": 1
    },
    "id": "github.com/datadog/datadog-agent",
    "type": "sboms"
  }
}
```

{% /tab %}

{% /tab %}
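
An added example (not part of the Datadog documentation or client libraries) that enforces the query-string rules above before a request is sent and audits a 200 response body offline. The function names, the constructed `SAMPLE` payload, and the rule that a root is any `ref` never listed in a `dependsOn` are assumptions made for illustration.

```python
import json

# Constructed sample shaped like the 200 example on this page, extended with a
# component that has no purl and a dependency edge that points at no component.
SAMPLE = json.loads("""
{"data": {"id": "github.com/datadog/datadog-agent", "type": "sboms", "attributes": {
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"bom-ref": "pkg:golang/google.golang.org/grpc@1.68.1",
     "name": "google.golang.org/grpc", "version": "1.68.1", "type": "application",
     "purl": "pkg:golang/google.golang.org/grpc@1.68.1",
     "licenses": [{"license": {"name": "MIT"}}],
     "properties": [{"name": "license_type", "value": "permissive"}]},
    {"bom-ref": "vendored-helper", "name": "vendored-helper",
     "version": "0.1.0", "type": "library"}
  ],
  "dependencies": [
    {"ref": "Repository|github.com/datadog/datadog-agent",
     "dependsOn": ["pkg:golang/google.golang.org/grpc@1.68.1", "vendored-helper"]},
    {"ref": "vendored-helper", "dependsOn": ["pkg:golang/example.invalid/missing@0.0.0"]}
  ]}}}
""")


def build_query(asset_type, asset_name, repo_digest=None, sbom_format=None):
    """Query parameters for GET /api/v2/security/sboms/{asset_type}."""
    if not asset_name:
        raise ValueError("filter[asset_name] is required")
    if asset_type == "Image" and not repo_digest:
        raise ValueError("filter[repo_digest] is mandatory when asset_type is Image")
    if sbom_format not in (None, "CycloneDX", "SPDX"):
        raise ValueError("ext:format must be CycloneDX or SPDX")
    params = {"filter[asset_name]": asset_name}
    if repo_digest:
        params["filter[repo_digest]"] = repo_digest
    if sbom_format:
        params["ext:format"] = sbom_format
    return params


def purl_version(purl):
    """Version of a package-url: after '@' in the last path segment."""
    core = purl.split("#", 1)[0].split("?", 1)[0]
    last = core.rsplit("/", 1)[-1]
    return last.split("@", 1)[1] if "@" in last else None


def audit_sbom(response):
    """Check the envelope, then report inventory gaps and graph inconsistencies."""
    data = response["data"]
    attrs = data["attributes"]
    if data.get("type") != "sboms" or attrs.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM response")
    by_ref = {c["bom-ref"]: c for c in attrs["components"] if "bom-ref" in c}
    edges = {d["ref"]: d.get("dependsOn", []) for d in attrs["dependencies"] if "ref" in d}
    targets = {t for deps in edges.values() for t in deps}
    # Assumption: the described asset is any ref that nothing else depends on.
    roots = [r for r in edges if r not in targets]
    report = {"direct": sorted({t for r in roots for t in edges[r]}),
              "dangling": sorted(targets - set(by_ref)),
              "no_purl": [], "version_mismatch": [], "inventory": []}
    for c in attrs["components"]:
        purl = c.get("purl")
        if not purl:
            report["no_purl"].append(c["name"])  # cannot be matched by purl
        elif purl_version(purl) != c["version"]:
            report["version_mismatch"].append(c["name"])
        props = {p["name"]: p["value"] for p in c.get("properties", [])}
        report["inventory"].append({
            "name": c["name"], "version": c["version"],
            "licenses": [l["license"]["name"] for l in c.get("licenses", [])],
            "license_type": props.get("license_type")})
    return report
```

Pass the result of `build_query` as the query parameters of the request, and pass the decoded JSON body of the 200 response to `audit_sbom`.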

{% tab title="400" %}
Bad request: The server cannot process the request due to invalid syntax in the request.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden: Access denied
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not found: asset not found
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### Curl

```bash
# Path parameters
export asset_type="Repository"
# Required query arguments
export asset_name="github.com/datadog/datadog-agent"
# Curl command (-G appends the URL-encoded filter to the query string)
curl -G "https://api.datadoghq.com/api/v2/security/sboms/${asset_type}" \
  --data-urlencode "filter[asset_name]=${asset_name}" \
  -H "Accept: application/json" \
  -H "DD-API-KEY: ${DD_API_KEY}" \
  -H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

##### Python

```python
"""
Get SBOM returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.asset_type import AssetType

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_sbom(
        asset_type=AssetType.REPOSITORY,
        filter_asset_name="github.com/datadog/datadog-agent",
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=python), then save the example to `example.py` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

##### Ruby

```ruby
# Get SBOM returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_sbom(AssetType::REPOSITORY, "github.com/datadog/datadog-agent")
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=ruby), then save the example to `example.rb` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

##### Go

```go
// Get SBOM returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSBOM(ctx, datadogV2.ASSETTYPE_REPOSITORY, "github.com/datadog/datadog-agent", *datadogV2.NewGetSBOMOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSBOM`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSBOM`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=go), then save the example to `main.go` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

##### Java

```java
// Get SBOM returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.AssetType;
import com.datadog.api.client.v2.model.GetSBOMResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      GetSBOMResponse result =
          apiInstance.getSBOM(AssetType.REPOSITORY, "github.com/datadog/datadog-agent");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getSBOM");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=java), then save the example to `Example.java` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

##### Rust

```rust
// Get SBOM returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::GetSBOMOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::AssetType;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_sbom(
            AssetType::REPOSITORY,
            "github.com/datadog/datadog-agent".to_string(),
            GetSBOMOptionalParams::default(),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=rust), then save the example to `src/main.rs` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

##### Typescript

```typescript
/**
 * Get SBOM returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetSBOMRequest = {
  assetType: "Repository",
  filterAssetName: "github.com/datadog/datadog-agent",
};

apiInstance
  .getSBOM(params)
  .then((data: v2.GetSBOMResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=typescript), then save the example to `example.ts` and run the following commands, which compile the example and then run the emitted `example.js`:

    tsc "example.ts"
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" node "example.js"

{% /tab %}
