Operations

A reference list of the queries and mutations these docs cover. The API schema is larger than this. These are the operations relevant to uploading, downloading, and managing SBOMs.

The production endpoint does not support introspection, so use this page as the operation reference.

Queries

Query

Returns

Guide

organization

Your organization, its products, environments, and versions.

List Products and Versions

sbom(projectId, sbomId)

A single version: metadata, authors, suppliers, components, download, vulns.

Download

vexStatuses

Valid VEX status IDs and names.

Vulnerabilities and VEX

vexJustifications

Valid VEX justification IDs and names.

Vulnerabilities and VEX

cdxResponses

Valid VEX response IDs and names.

Vulnerabilities and VEX

Key fields on `sbom`

The sbom query resolves a version. Useful fields on it:

Field

Description

id

The version ID (sbomId).

projectVersion

The version string, for example 3.0.2.

vulnRunStatus

Vulnerability scan status. FINISHED when done.

primaryComponent { name version }

The component the SBOM describes.

authors { id name email phone }

SBOM authors.

suppliers { ... }

SBOM suppliers.

components(sbomId, first, after, search)

Paginated components in the SBOM.

vulns(sbomId, first, after)

Paginated vulnerabilities.

download(sbomId, ...)

The SBOM file. See Download.

The sbom query also accepts projectName, projectGroupName, and versionName as an alternative to projectId and sbomId.

Mutations

Mutation

Purpose

Guide

sbomUpload

Upload an SBOM file as a new version.

Upload an SBOM

authorCreate

Add an author to a version.

Edit SBOM Metadata

authorUpdate

Change an existing author.

Edit SBOM Metadata

authorDelete

Remove an author.

Edit SBOM Metadata

sbomSupplierCreate

Add a supplier to a version.

Edit SBOM Metadata

sbomSupplierUpdate

Change an existing supplier.

Edit SBOM Metadata

sbomSupplierDelete

Remove a supplier.

Edit SBOM Metadata

componentUpdate

Change a component's fields.

Edit a Component

compSupplierCreate

Add a supplier to a component.

Edit a Component

componentVexUpdate

Set VEX on one component vulnerability.

Vulnerabilities and VEX

componentVexBulkUpdate

Set VEX on many vulnerabilities at once.

Vulnerabilities and VEX

Mutation response pattern

Every mutation returns an errors list. An empty list means success. Most also return the object they changed. Always request errors and check it. See Errors.

mutation {
  authorCreate(input: { sbomId: "...", name: "..." }) {
    author { id name }
    errors
  }
}

Looking for the rest of the schema?

These docs cover SBOM lifecycle operations. The platform exposes more, for example policies, automation rules, and integrations. If you need an operation that is not listed here, contact [email protected].

PreviousErrors

Last updated 20 days ago

Queries

Key fields on sbom

Mutations

Mutation response pattern

Looking for the rest of the schema?

Key fields on `sbom`