Language

English Français 日本語 한국어 Español

Datadog Site

Site help
US1 US3 US5 EU AP1 AP2 US1-FED US2-FED

List assets SBOMs

copy Copy pageCopied

GET https://api.ap1.datadoghq.com/api/v2/security/sbomshttps://api.ap2.datadoghq.com/api/v2/security/sbomshttps://api.datadoghq.eu/api/v2/security/sbomshttps://api.ddog-gov.com/api/v2/security/sbomshttps://api.us2.ddog-gov.com/api/v2/security/sbomshttps://api.datadoghq.com/api/v2/security/sbomshttps://api.us3.datadoghq.com/api/v2/security/sbomshttps://api.us5.datadoghq.com/api/v2/security/sboms

Overview

Get a list of assets SBOMs for an organization.

Pagination

Please review the Pagination section for the “List Vulnerabilities” endpoint.

Filtering

Please review the Filtering section for the “List Vulnerabilities” endpoint.

Metadata

Please review the Metadata section for the “List Vulnerabilities” endpoint.

This endpoint requires the appsec_vm_read permission.

Arguments

Query Strings

Name

Type

Description

page[token]

string

Its value must come from the links section of the response of the first request. Do not manually edit it.

page[number]

integer

The page number to be retrieved. It should be equal to or greater than 1.

filter[asset_type]

enum

The type of the assets for the SBOM request.
Allowed enum values: Repository, Service, Host, HostImage, Image

filter[asset_name]

string

The name of the asset for the SBOM request.

filter[package_name]

string

The name of the component that is a dependency of an asset.

filter[package_version]

string

The version of the component that is a dependency of an asset.

filter[license_name]

string

The software license name of the component that is a dependency of an asset.

filter[license_type]

enum

The software license type of the component that is a dependency of an asset.
Allowed enum values: network_strong_copyleft, non_standard_copyleft, other_non_free, other_non_standard, permissive, public_domain, strong_copyleft, weak_copyleft

Response

OK

The expected response schema when listing assets SBOMs.

Expand All

Field

Type

Description

data [required]

[object]

List of assets SBOMs.

attributes

object

The JSON:API attributes of the SBOM.

bomFormat [required]

string

Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOM do not have a filename convention nor does JSON schema support namespaces. This value MUST be CycloneDX.

components [required]

[object]

A list of software and hardware components.

bom-ref

string

An optional identifier that can be used to reference the component elsewhere in the BOM.

licenses

[object]

The software licenses of the SBOM component.

license [required]

object

The software license of the component of the SBOM.

name [required]

string

The name of the software license of the component of the SBOM.

name [required]

string

The name of the component. This will often be a shortened, single name of the component.

properties

[object]

The custom properties of the component of the SBOM.

name [required]

string

The name of the custom property of the component of the SBOM.

value [required]

string

The value of the custom property of the component of the SBOM.

purl

string

Specifies the package-url (purl). The purl, if specified, MUST be valid and conform to the specification.

supplier [required]

object

The supplier of the component.

name [required]

string

Identifier of the supplier of the component.

type [required]

enum

The SBOM component type Allowed enum values: application,container,data,device,device-driver,file,firmware,framework,library,machine-learning-model

Show 2 more,operating-system,platform

version [required]

string

The component version.

dependencies [required]

[object]

List of dependencies between components of the SBOM.

dependsOn

[string]

The components that are dependencies of the ref component.

ref

string

The identifier for the related component.

metadata [required]

object

Provides additional information about a BOM.

authors

[object]

List of authors of the SBOM.

name

string

The identifier of the Author of the SBOM.

component

object

The component that the BOM describes.

name

string

The name of the component. This will often be a shortened, single name of the component.

type

string

Specifies the type of the component.

timestamp

string

The timestamp of the SBOM creation.

serialNumber [required]

string

Every BOM generated has a unique serial number, even if the contents of the BOM have not changed overt time. The serial number follows RFC-4122

specVersion [required]

enum

The version of the CycloneDX specification a BOM conforms to. Allowed enum values: 1.0,1.1,1.2,1.3,1.4,1.5

version [required]

int64

It increments when a BOM is modified. The default value is 1.

id

string

The unique ID for this SBOM (it is equivalent to the asset_name or asset_name@repo_digest (Image)

type

enum

The JSON:API type. Allowed enum values: sboms

links

object

The JSON:API links related to pagination.

first [required]

string

First page link.

last [required]

string

Last page link.

next

string

Next page link.

previous

string

Previous page link.

self [required]

string

Request link.

meta

object

The metadata related to this request.

count [required]

int64

Number of entities included in the response.

token [required]

string

The token that identifies the request.

total [required]

int64

Total number of entities across all pages.

{
  "data": [
    {
      "attributes": {
        "bomFormat": "CycloneDX",
        "components": [
          {
            "bom-ref": "pkg:golang/google.golang.org/grpc@1.68.1",
            "licenses": [
              {
                "license": {
                  "name": "MIT"
                }
              }
            ],
            "name": "google.golang.org/grpc",
            "properties": [
              {
                "name": "license_type",
                "value": "permissive"
              }
            ],
            "purl": "pkg:golang/google.golang.org/grpc@1.68.1",
            "supplier": {
              "name": "https://go.dev"
            },
            "type": "application",
            "version": "1.68.1"
          }
        ],
        "dependencies": [
          {
            "dependsOn": [
              "pkg:golang/google.golang.org/grpc@1.68.1"
            ],
            "ref": "Repository|github.com/datadog/datadog-agent"
          }
        ],
        "metadata": {
          "authors": [
            {
              "name": "Datadog, Inc."
            }
          ],
          "component": {
            "name": "github.com/datadog/datadog-agent",
            "type": "application"
          },
          "timestamp": "2025-07-08T07:24:53Z"
        },
        "serialNumber": "urn:uuid:f7119d2f-1vgh-24b5-91f0-12010db72da7",
        "specVersion": "1.5",
        "version": 1
      },
      "id": "github.com/datadog/datadog-agent",
      "type": "sboms"
    }
  ],
  "links": {
    "first": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=1\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "last": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=15\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "next": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=16\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "previous": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=14\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "self": "https://api.datadoghq.com/api/v2/security/vulnerabilities?filter%5Btool%5D=Infra"
  },
  "meta": {
    "count": 150,
    "token": "b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "total": 152431
  }
}

Bad request: The server cannot process the request due to invalid syntax in the request.

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Forbidden: Access denied

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Not found: asset not found

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                  # Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.us2.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security/sboms" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                
"""
List assets SBOMs returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.asset_type import AssetType

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_assets_sbo_ms(
        filter_asset_type=AssetType.SERVICE,
        filter_package_name="pandas",
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# List assets SBOMs returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
opts = {
  filter_package_name: "pandas",
  filter_asset_type: AssetType::SERVICE,
}
p api_instance.list_assets_sbo_ms(opts)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// List assets SBOMs returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListAssetsSBOMs(ctx, *datadogV2.NewListAssetsSBOMsOptionalParameters().WithFilterPackageName("pandas").WithFilterAssetType(datadogV2.ASSETTYPE_SERVICE))

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListAssetsSBOMs`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListAssetsSBOMs`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// List assets SBOMs returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.api.SecurityMonitoringApi.ListAssetsSBOMsOptionalParameters;
import com.datadog.api.client.v2.model.AssetType;
import com.datadog.api.client.v2.model.ListAssetsSBOMsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      ListAssetsSBOMsResponse result =
          apiInstance.listAssetsSBOMs(
              new ListAssetsSBOMsOptionalParameters()
                  .filterPackageName("pandas")
                  .filterAssetType(AssetType.SERVICE));
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#listAssetsSBOMs");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// List assets SBOMs returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListAssetsSBOMsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::AssetType;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_assets_sbo_ms(
            ListAssetsSBOMsOptionalParams::default()
                .filter_package_name("pandas".to_string())
                .filter_asset_type(AssetType::SERVICE),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
 * List assets SBOMs returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiListAssetsSBOMsRequest = {
  filterAssetType: "Service",
  filterPackageName: "pandas",
};

apiInstance
  .listAssetsSBOMs(params)
  .then((data: v2.ListAssetsSBOMsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"