Supply Chain Security

Know every
component.

Automatic Software Bill of Materials from every scan. Know exactly what's in your software — every dependency, every license, every risk.

Regulatory compliance requires it. Supply chain attacks demand it. codelake generates SBOMs automatically, in standard formats, ready for submission.

codelake sbom

$ codelake sbom --format cyclonedx

▸ Generating SBOM for acme-api...
  Scanning 4 package managers
  Resolving transitive dependencies...

Components: 342 total
  Direct: 47 · Transitive: 295

Vulnerabilities: 12 CVEs detected
  Critical: 1 · High: 3 · Medium: 5 · Low: 3

Licenses: 2 copyleft detected
  MIT: 287 · Apache-2.0: 41 · GPL-3.0: 2

✓ SBOM exported · sbom-acme-api-v3.2.1.json

Export Formats

Industry-standard formats. Ready for submission.

Export your SBOM in the formats your customers, regulators, and partners require. Full compliance with NTIA minimum elements.

CycloneDX

OWASP Standard · JSON / XML

The lightweight SBOM standard designed for security use cases. Includes vulnerability data, license info, and component provenance. Supported in versions 1.4, 1.5, and 1.6.

  • Vulnerability cross-references (VEX)
  • License expressions
  • Dependency graph included
  • Machine-readable for automation

SPDX

Linux Foundation · JSON / RDF / Tag-Value

The ISO/IEC 5962:2021 standard for software composition. Recognized by governments and enterprises worldwide. Full support for SPDX 2.3 and 3.0.

  • ISO-standardized format
  • SPDX license identifiers
  • Package verification codes
  • Government procurement compatible

Regulatory Compliance

Meet the regulations that require SBOMs.

SBOM requirements are no longer optional. From the EU Cyber Resilience Act to the US Executive Order on cybersecurity, software transparency is mandated.

EU Cyber Resilience Act (CRA)

The EU CRA requires manufacturers of products with digital elements to provide SBOMs and demonstrate vulnerability handling processes. Non-compliance carries fines up to 15M EUR or 2.5% of global turnover.

  • Machine-readable SBOM in CycloneDX or SPDX
  • Vulnerability disclosure and handling evidence
  • Security update documentation
  • Component provenance tracking

US Executive Order 14028

EO 14028 requires SBOM provision for all software sold to the US federal government. NTIA minimum elements must be included: supplier, component name, version, unique identifiers, dependency relationships, and timestamps.

  • NTIA minimum elements compliance
  • Unique identifiers (CPE, PURL) for every component
  • Dependency relationship mapping
  • Timestamp and authorship metadata

Dependency Graph

Visualize your entire dependency tree.

See every direct and transitive dependency in an interactive graph. Spot vulnerable paths, license risks, unmaintained packages, and dependency confusion attacks at a glance.

  • Interactive Dependency Tree: Expand and collapse dependency paths. Click any node to see its version, license, CVEs, and maintenance status.
  • Vulnerability Highlighting: Vulnerable components are highlighted in red with CVE details. See exactly which transitive path introduces the risk.
  • Transitive Dependency Risk: Your direct dependencies are only half the story. codelake traces the full transitive tree to find risks buried 4-5 levels deep.
  • Dependency Confusion Detection: Detect packages that could be subject to dependency confusion or typosquatting attacks. Verify package source registries.

Dependency Graph · 342 components
  acme-api@3.2.1
  express@4.18.2 · MIT
  body-parser@1.20.1
  qs@6.5.2 · CVE-2022-24999
  jsonwebtoken@9.0.0 · MIT
  lodash@4.17.20 · CVE-2021-23337
  pg-promise@11.5.0 · GPL-3.0
  + 337 more components...

License Compliance

Know every license in your stack.

License violations can be as costly as security breaches. codelake classifies every dependency license, flags copyleft risks, and alerts on incompatible combinations.

  • Permissive: 328 (MIT, Apache-2.0, BSD, ISC)
  • Weak Copyleft: 9 (LGPL, MPL, EPL)
  • Strong Copyleft: 2 (GPL-3.0, AGPL-3.0)
  • Unknown: 3 (no license file detected)

License Policy Engine

Define which license types are allowed in your projects. Block builds that introduce copyleft dependencies, require approval for unknown licenses, or auto-approve permissive ones. Enforce per-project or organization-wide.
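As an added illustration (not codelake's own code), here is the classification and policy step described above applied to a constructed CycloneDX 1.5 fragment: licenses are bucketed into the four categories listed on this page, SPDX expressions are resolved (OR lets you pick the most permissive branch, AND binds the strictest), and an assumed allow/review/block policy decides the build.

```python
import json

# Constructed CycloneDX 1.5 fragment for this example (not a real codelake export).
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "pg-promise", "version": "11.5.0", "purl": "pkg:npm/pg-promise@11.5.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "dual-lib", "version": "1.0.0", "purl": "pkg:npm/dual-lib@1.0.0",
     "licenses": [{"expression": "(MIT OR GPL-2.0-only)"}]},
    {"name": "lgpl-lib", "version": "2.0.0", "purl": "pkg:npm/lgpl-lib@2.0.0",
     "licenses": [{"license": {"id": "LGPL-2.1-only"}}]},
    {"name": "mystery", "version": "0.1.0", "purl": "pkg:npm/mystery@0.1.0"}
  ]}'''

# Category list index doubles as a strictness rank (higher = stricter).
CATEGORIES = ["permissive", "weak-copyleft", "strong-copyleft", "unknown"]
PREFIXES = [  # checked in order so LGPL/AGPL match before plain GPL
    ("LGPL", 1), ("MPL", 1), ("EPL", 1), ("AGPL", 2), ("GPL", 2),
    ("MIT", 0), ("Apache", 0), ("BSD", 0), ("ISC", 0),
]
# Assumed policy: block strong copyleft, hold weak copyleft and unknown for approval.
POLICY = {"permissive": "allow", "weak-copyleft": "review",
          "strong-copyleft": "block", "unknown": "review"}

def classify_id(spdx_id):
    for prefix, rank in PREFIXES:
        if spdx_id.upper().startswith(prefix.upper()):
            return rank
    return 3  # unrecognised identifier is treated as unknown

def classify_expression(expr):
    """Flat SPDX expression: OR -> most permissive branch, AND -> strictest term."""
    expr = expr.replace("(", "").replace(")", "")
    return min(max(classify_id(t.strip()) for t in branch.split(" AND "))
               for branch in expr.split(" OR "))

def classify_component(comp):
    ranks = []
    for lic in comp.get("licenses", []):  # no entry at all -> unknown
        if "expression" in lic:
            ranks.append(classify_expression(lic["expression"]))
        else:
            ranks.append(classify_id(lic["license"].get("id") or lic["license"].get("name", "")))
    return CATEGORIES[max(ranks) if ranks else 3]

def evaluate_sbom(sbom_json):
    """Return ({purl: (category, decision)}, 'blocked' | 'passed')."""
    results = {c["purl"]: (classify_component(c), POLICY[classify_component(c)])
               for c in json.loads(sbom_json)["components"]}
    return results, "blocked" if any(d == "block" for _, d in results.values()) else "passed"
```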

Know exactly what's in your software.

codelake generates SBOMs automatically from every scan. CycloneDX, SPDX, dependency graphs, license compliance — everything you need for regulatory requirements and supply chain security.