Language

English Français 日本語 한국어 Español

Datadog Site

Site help
US1 US3 US5 EU AP1 AP2 US1-FED US2-FED

Get SBOM

GET https://api.ap1.datadoghq.com/api/v2/security/sboms/{asset_type}https://api.ap2.datadoghq.com/api/v2/security/sboms/{asset_type}https://api.datadoghq.eu/api/v2/security/sboms/{asset_type}https://api.ddog-gov.com/api/v2/security/sboms/{asset_type}https://api.us2.ddog-gov.com/api/v2/security/sboms/{asset_type}https://api.datadoghq.com/api/v2/security/sboms/{asset_type}https://api.us3.datadoghq.com/api/v2/security/sboms/{asset_type}https://api.us5.datadoghq.com/api/v2/security/sboms/{asset_type}

Overview

Get a single SBOM related to an asset by its type and name. This endpoint requires the appsec_vm_read permission.

Arguments

Path Parameters

Name

Type

Description

asset_type [required]

string

The type of the asset for the SBOM request.

Query Strings

Name

Type

Description

filter[asset_name] [required]

string

The name of the asset for the SBOM request.

filter[repo_digest]

string

The container image repo_digest for the SBOM request. When the requested asset type is ‘Image’, this filter is mandatory.

ext:format

enum

The standard of the SBOM.
Allowed enum values: CycloneDX, SPDX

Response

OK

The expected response schema when getting an SBOM.

Expand All

Field

Type

Description

data [required]

object

A single SBOM

attributes

object

The JSON:API attributes of the SBOM.

bomFormat [required]

string

Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOM do not have a filename convention nor does JSON schema support namespaces. This value MUST be CycloneDX.

components [required]

[object]

A list of software and hardware components.

bom-ref

string

An optional identifier that can be used to reference the component elsewhere in the BOM.

licenses

[object]

The software licenses of the SBOM component.

license [required]

object

The software license of the component of the SBOM.

name [required]

string

The name of the software license of the component of the SBOM.

name [required]

string

The name of the component. This will often be a shortened, single name of the component.

properties

[object]

The custom properties of the component of the SBOM.

name [required]

string

The name of the custom property of the component of the SBOM.

value [required]

string

The value of the custom property of the component of the SBOM.

purl

string

Specifies the package-url (purl). The purl, if specified, MUST be valid and conform to the specification.

supplier [required]

object

The supplier of the component.

name [required]

string

Identifier of the supplier of the component.

type [required]

enum

The SBOM component type Allowed enum values: application,container,data,device,device-driver,file,firmware,framework,library,machine-learning-model

Show 2 more,operating-system,platform

version [required]

string

The component version.

dependencies [required]

[object]

List of dependencies between components of the SBOM.

dependsOn

[string]

The components that are dependencies of the ref component.

ref

string

The identifier for the related component.

metadata [required]

object

Provides additional information about a BOM.

authors

[object]

List of authors of the SBOM.

name

string

The identifier of the Author of the SBOM.

component

object

The component that the BOM describes.

name

string

The name of the component. This will often be a shortened, single name of the component.

type

string

Specifies the type of the component.

timestamp

string

The timestamp of the SBOM creation.

serialNumber [required]

string

Every BOM generated has a unique serial number, even if the contents of the BOM have not changed overt time. The serial number follows RFC-4122

specVersion [required]

enum

The version of the CycloneDX specification a BOM conforms to. Allowed enum values: 1.0,1.1,1.2,1.3,1.4,1.5

version [required]

int64

It increments when a BOM is modified. The default value is 1.

id

string

The unique ID for this SBOM (it is equivalent to the asset_name or asset_name@repo_digest (Image)

type

enum

The JSON:API type. Allowed enum values: sboms

{
  "data": {
    "attributes": {
      "bomFormat": "CycloneDX",
      "components": [
        {
          "bom-ref": "pkg:golang/google.golang.org/grpc@1.68.1",
          "licenses": [
            {
              "license": {
                "name": "MIT"
              }
            }
          ],
          "name": "google.golang.org/grpc",
          "properties": [
            {
              "name": "license_type",
              "value": "permissive"
            }
          ],
          "purl": "pkg:golang/google.golang.org/grpc@1.68.1",
          "supplier": {
            "name": "https://go.dev"
          },
          "type": "application",
          "version": "1.68.1"
        }
      ],
      "dependencies": [
        {
          "dependsOn": [
            "pkg:golang/google.golang.org/grpc@1.68.1"
          ],
          "ref": "Repository|github.com/datadog/datadog-agent"
        }
      ],
      "metadata": {
        "authors": [
          {
            "name": "Datadog, Inc."
          }
        ],
        "component": {
          "name": "github.com/datadog/datadog-agent",
          "type": "application"
        },
        "timestamp": "2025-07-08T07:24:53Z"
      },
      "serialNumber": "urn:uuid:f7119d2f-1vgh-24b5-91f0-12010db72da7",
      "specVersion": "1.5",
      "version": 1
    },
    "id": "github.com/datadog/datadog-agent",
    "type": "sboms"
  }
}

Bad request: The server cannot process the request due to invalid syntax in the request.

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Forbidden: Access denied

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Not found: asset not found

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                  # Path parameters
export asset_type="Repository"
# Required query arguments
export filter[asset_name]="github.com/datadog/datadog-agent"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.us2.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security/sboms/${asset_type}?filter[asset_name]=${filter[asset_name]}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                
"""
Get SBOM returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.asset_type import AssetType

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_sbom(
        asset_type=AssetType.REPOSITORY,
        filter_asset_name="github.com/datadog/datadog-agent",
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get SBOM returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_sbom(AssetType::REPOSITORY, "github.com/datadog/datadog-agent")

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Get SBOM returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSBOM(ctx, datadogV2.ASSETTYPE_REPOSITORY, "github.com/datadog/datadog-agent", *datadogV2.NewGetSBOMOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSBOM`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSBOM`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get SBOM returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.AssetType;
import com.datadog.api.client.v2.model.GetSBOMResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      GetSBOMResponse result =
          apiInstance.getSBOM(AssetType.REPOSITORY, "github.com/datadog/datadog-agent");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getSBOM");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Get SBOM returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::GetSBOMOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::AssetType;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_sbom(
            AssetType::REPOSITORY,
            "github.com/datadog/datadog-agent".to_string(),
            GetSBOMOptionalParams::default(),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
 * Get SBOM returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetSBOMRequest = {
  assetType: "Repository",
  filterAssetName: "github.com/datadog/datadog-agent",
};

apiInstance
  .getSBOM(params)
  .then((data: v2.GetSBOMResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"