--- title: List assets SBOMs description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > API Reference > Security Monitoring --- # List assets SBOMs{% #list-assets-sboms %} Copy pageCopied {% tab title="v2" %} | Datadog site | API endpoint | | ----------------- | ------------------------------------------------------- | | ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security/sboms | | ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security/sboms | | app.datadoghq.eu | GET https://api.datadoghq.eu/api/v2/security/sboms | | app.ddog-gov.com | GET https://api.ddog-gov.com/api/v2/security/sboms | | us2.ddog-gov.com | GET https://api.us2.ddog-gov.com/api/v2/security/sboms | | app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security/sboms | | us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security/sboms | | us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security/sboms | ### Overview Get a list of assets SBOMs for an organization. ### Pagination{% #pagination %} Please review the Pagination section for the "List Vulnerabilities" endpoint. ### Filtering{% #filtering %} Please review the Filtering section for the "List Vulnerabilities" endpoint. ### Metadata{% #metadata %} Please review the Metadata section for the "List Vulnerabilities" endpoint. This endpoint requires the `appsec_vm_read` permission. ### Arguments #### Query Strings | Name | Type | Description | | ----------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | page[token] | string | Its value must come from the `links` section of the response of the first request. Do not manually edit it. | | page[number] | integer | The page number to be retrieved. It should be equal to or greater than 1. | | filter[asset_type] | enum | The type of the assets for the SBOM request. Allowed enum values: `Repository, Service, Host, HostImage, Image` | | filter[asset_name] | string | The name of the asset for the SBOM request. | | filter[package_name] | string | The name of the component that is a dependency of an asset. | | filter[package_version] | string | The version of the component that is a dependency of an asset. | | filter[license_name] | string | The software license name of the component that is a dependency of an asset. | | filter[license_type] | enum | The software license type of the component that is a dependency of an asset. Allowed enum values: `network_strong_copyleft, non_standard_copyleft, other_non_free, other_non_standard, permissive, public_domain, strong_copyleft, weak_copyleft` | ### Response {% tab title="200" %} OK {% tab title="Model" %} The expected response schema when listing assets SBOMs. | Parent field | Field | Type | Description | | ------------ | ------------------------------ | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | data [*required*] | [object] | List of assets SBOMs. | | data | attributes | object | The JSON:API attributes of the SBOM. | | attributes | bomFormat [*required*] | string | Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOM do not have a filename convention nor does JSON schema support namespaces. This value MUST be `CycloneDX`. | | attributes | components [*required*] | [object] | A list of software and hardware components. | | components | bom-ref | string | An optional identifier that can be used to reference the component elsewhere in the BOM. | | components | licenses | [object] | The software licenses of the SBOM component. | | licenses | license [*required*] | object | The software license of the component of the SBOM. | | license | name [*required*] | string | The name of the software license of the component of the SBOM. | | components | name [*required*] | string | The name of the component. This will often be a shortened, single name of the component. | | components | properties | [object] | The custom properties of the component of the SBOM. | | properties | name [*required*] | string | The name of the custom property of the component of the SBOM. | | properties | value [*required*] | string | The value of the custom property of the component of the SBOM. | | components | purl | string | Specifies the package-url (purl). The purl, if specified, MUST be valid and conform to the [specification](https://github.com/package-url/purl-spec). | | components | supplier [*required*] | object | The supplier of the component. | | supplier | name [*required*] | string | Identifier of the supplier of the component. | | components | type [*required*] | enum | The SBOM component type Allowed enum values: `application,container,data,device,device-driver,file,firmware,framework,library,machine-learning-model` | | components | version [*required*] | string | The component version. | | attributes | dependencies [*required*] | [object] | List of dependencies between components of the SBOM. | | dependencies | dependsOn | [string] | The components that are dependencies of the ref component. | | dependencies | ref | string | The identifier for the related component. | | attributes | metadata [*required*] | object | Provides additional information about a BOM. | | metadata | authors | [object] | List of authors of the SBOM. | | authors | name | string | The identifier of the Author of the SBOM. | | metadata | component | object | The component that the BOM describes. | | component | name | string | The name of the component. This will often be a shortened, single name of the component. | | component | type | string | Specifies the type of the component. | | metadata | timestamp | string | The timestamp of the SBOM creation. | | attributes | serialNumber [*required*] | string | Every BOM generated has a unique serial number, even if the contents of the BOM have not changed overt time. The serial number follows [RFC-4122](https://datatracker.ietf.org/doc/html/rfc4122) | | attributes | specVersion [*required*] | enum | The version of the CycloneDX specification a BOM conforms to. Allowed enum values: `1.0,1.1,1.2,1.3,1.4,1.5` | | attributes | version [*required*] | int64 | It increments when a BOM is modified. The default value is 1. | | data | id | string | The unique ID for this SBOM (it is equivalent to the `asset_name` or `asset_name@repo_digest` (Image) | | data | type | enum | The JSON:API type. Allowed enum values: `sboms` | | | links | object | The JSON:API links related to pagination. | | links | first [*required*] | string | First page link. | | links | last [*required*] | string | Last page link. | | links | next | string | Next page link. | | links | previous | string | Previous page link. | | links | self [*required*] | string | Request link. | | | meta | object | The metadata related to this request. | | meta | count [*required*] | int64 | Number of entities included in the response. | | meta | token [*required*] | string | The token that identifies the request. | | meta | total [*required*] | int64 | Total number of entities across all pages. | {% /tab %} {% tab title="Example" %} ```json { "data": [ { "attributes": { "bomFormat": "CycloneDX", "components": [ { "bom-ref": "pkg:golang/google.golang.org/grpc@1.68.1", "licenses": [ { "license": { "name": "MIT" } } ], "name": "google.golang.org/grpc", "properties": [ { "name": "license_type", "value": "permissive" } ], "purl": "pkg:golang/google.golang.org/grpc@1.68.1", "supplier": { "name": "https://go.dev" }, "type": "application", "version": "1.68.1" } ], "dependencies": [ { "dependsOn": [ "pkg:golang/google.golang.org/grpc@1.68.1" ], "ref": "Repository|github.com/datadog/datadog-agent" } ], "metadata": { "authors": [ { "name": "Datadog, Inc." } ], "component": { "name": "github.com/datadog/datadog-agent", "type": "application" }, "timestamp": "2025-07-08T07:24:53Z" }, "serialNumber": "urn:uuid:f7119d2f-1vgh-24b5-91f0-12010db72da7", "specVersion": "1.5", "version": 1 }, "id": "github.com/datadog/datadog-agent", "type": "sboms" } ], "links": { "first": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=1\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4", "last": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=15\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4", "next": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=16\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4", "previous": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=14\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4", "self": "https://api.datadoghq.com/api/v2/security/vulnerabilities?filter%5Btool%5D=Infra" }, "meta": { "count": 150, "token": "b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4", "total": 152431 } } ``` {% /tab %} {% /tab %} {% tab title="400" %} Bad request: The server cannot process the request due to invalid syntax in the request. {% tab title="Model" %} API error response. | Parent field | Field | Type | Description | | ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- | | | errors [*required*] | [object] | A list of errors. | | errors | detail | string | A human-readable explanation specific to this occurrence of the error. | | errors | meta | object | Non-standard meta-information about the error | | errors | source | object | References to the source of the error. | | source | header | string | A string indicating the name of a single request header which caused the error. | | source | parameter | string | A string indicating which URI query parameter caused the error. | | source | pointer | string | A JSON pointer to the value in the request document that caused the error. | | errors | status | string | Status code of the response. | | errors | title | string | Short human-readable summary of the error. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ { "detail": "Missing required attribute in body", "meta": {}, "source": { "header": "Authorization", "parameter": "limit", "pointer": "/data/attributes/title" }, "status": "400", "title": "Bad Request" } ] } ``` {% /tab %} {% /tab %} {% tab title="403" %} Forbidden: Access denied {% tab title="Model" %} API error response. | Parent field | Field | Type | Description | | ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- | | | errors [*required*] | [object] | A list of errors. | | errors | detail | string | A human-readable explanation specific to this occurrence of the error. | | errors | meta | object | Non-standard meta-information about the error | | errors | source | object | References to the source of the error. | | source | header | string | A string indicating the name of a single request header which caused the error. | | source | parameter | string | A string indicating which URI query parameter caused the error. | | source | pointer | string | A JSON pointer to the value in the request document that caused the error. | | errors | status | string | Status code of the response. | | errors | title | string | Short human-readable summary of the error. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ { "detail": "Missing required attribute in body", "meta": {}, "source": { "header": "Authorization", "parameter": "limit", "pointer": "/data/attributes/title" }, "status": "400", "title": "Bad Request" } ] } ``` {% /tab %} {% /tab %} {% tab title="404" %} Not found: asset not found {% tab title="Model" %} API error response. | Parent field | Field | Type | Description | | ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- | | | errors [*required*] | [object] | A list of errors. | | errors | detail | string | A human-readable explanation specific to this occurrence of the error. | | errors | meta | object | Non-standard meta-information about the error | | errors | source | object | References to the source of the error. | | source | header | string | A string indicating the name of a single request header which caused the error. | | source | parameter | string | A string indicating which URI query parameter caused the error. | | source | pointer | string | A JSON pointer to the value in the request document that caused the error. | | errors | status | string | Status code of the response. | | errors | title | string | Short human-readable summary of the error. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ { "detail": "Missing required attribute in body", "meta": {}, "source": { "header": "Authorization", "parameter": "limit", "pointer": "/data/attributes/title" }, "status": "400", "title": "Bad Request" } ] } ``` {% /tab %} {% /tab %} {% tab title="429" %} Too many requests {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} ### Code Example ##### \# Curl command curl -X GET "https://api.datadoghq.com/api/v2/security/sboms" \ -H "Accept: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" ##### ```python """ List assets SBOMs returns "OK" response """ from datadog_api_client import ApiClient, Configuration from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi from datadog_api_client.v2.model.asset_type import AssetType configuration = Configuration() with ApiClient(configuration) as api_client: api_instance = SecurityMonitoringApi(api_client) response = api_instance.list_assets_sbo_ms( filter_asset_type=AssetType.SERVICE, filter_package_name="pandas", ) print(response) ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=python) and then save the example to `example.py` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" python3 "example.py" ##### ```ruby # List assets SBOMs returns "OK" response require "datadog_api_client" api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new opts = { filter_package_name: "pandas", filter_asset_type: AssetType::SERVICE, } p api_instance.list_assets_sbo_ms(opts) ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=ruby) and then save the example to `example.rb` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" rb "example.rb" ##### ```go // List assets SBOMs returns "OK" response package main import ( "context" "encoding/json" "fmt" "os" "github.com/DataDog/datadog-api-client-go/v2/api/datadog" "github.com/DataDog/datadog-api-client-go/v2/api/datadogV2" ) func main() { ctx := datadog.NewDefaultContext(context.Background()) configuration := datadog.NewConfiguration() apiClient := datadog.NewAPIClient(configuration) api := datadogV2.NewSecurityMonitoringApi(apiClient) resp, r, err := api.ListAssetsSBOMs(ctx, *datadogV2.NewListAssetsSBOMsOptionalParameters().WithFilterPackageName("pandas").WithFilterAssetType(datadogV2.ASSETTYPE_SERVICE)) if err != nil { fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListAssetsSBOMs`: %v\n", err) fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r) } responseContent, _ := json.MarshalIndent(resp, "", " ") fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListAssetsSBOMs`:\n%s\n", responseContent) } ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=go) and then save the example to `main.go` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" go run "main.go" ##### ```java // List assets SBOMs returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; import com.datadog.api.client.v2.api.SecurityMonitoringApi; import com.datadog.api.client.v2.api.SecurityMonitoringApi.ListAssetsSBOMsOptionalParameters; import com.datadog.api.client.v2.model.AssetType; import com.datadog.api.client.v2.model.ListAssetsSBOMsResponse; public class Example { public static void main(String[] args) { ApiClient defaultClient = ApiClient.getDefaultApiClient(); SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient); try { ListAssetsSBOMsResponse result = apiInstance.listAssetsSBOMs( new ListAssetsSBOMsOptionalParameters() .filterPackageName("pandas") .filterAssetType(AssetType.SERVICE)); System.out.println(result); } catch (ApiException e) { System.err.println("Exception when calling SecurityMonitoringApi#listAssetsSBOMs"); System.err.println("Status code: " + e.getCode()); System.err.println("Reason: " + e.getResponseBody()); System.err.println("Response headers: " + e.getResponseHeaders()); e.printStackTrace(); } } } ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=java) and then save the example to `Example.java` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" java "Example.java" ##### ```rust // List assets SBOMs returns "OK" response use datadog_api_client::datadog; use datadog_api_client::datadogV2::api_security_monitoring::ListAssetsSBOMsOptionalParams; use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI; use datadog_api_client::datadogV2::model::AssetType; #[tokio::main] async fn main() { let configuration = datadog::Configuration::new(); let api = SecurityMonitoringAPI::with_config(configuration); let resp = api .list_assets_sbo_ms( ListAssetsSBOMsOptionalParams::default() .filter_package_name("pandas".to_string()) .filter_asset_type(AssetType::SERVICE), ) .await; if let Ok(value) = resp { println!("{:#?}", value); } else { println!("{:#?}", resp.unwrap_err()); } } ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=rust) and then save the example to `src/main.rs` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" cargo run ##### ```typescript /** * List assets SBOMs returns "OK" response */ import { client, v2 } from "@datadog/datadog-api-client"; const configuration = client.createConfiguration(); const apiInstance = new v2.SecurityMonitoringApi(configuration); const params: v2.SecurityMonitoringApiListAssetsSBOMsRequest = { filterAssetType: "Service", filterPackageName: "pandas", }; apiInstance .listAssetsSBOMs(params) .then((data: v2.ListAssetsSBOMsResponse) => { console.log( "API called successfully. Returned data: " + JSON.stringify(data) ); }) .catch((error: any) => console.error(error)); ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=typescript) and then save the example to `example.ts` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" tsc "example.ts" {% /tab %}