Working with SBOMs and Tidelift

Tidelift can work with software bills of materials (SBOMs). This lets you import SBOMs generated by third-party tools and/or supplied by vendors. Centralizing SBOMs in Tidelift gives you a single place to understand and track your organization's software usage and risks. Tidelift supports SBOMs in both the CycloneDX and SPDX formats.

An SBOM can be uploaded into Tidelift in either of the following ways:

  • Performing an alignment with the Tidelift CLI in a directory containing an SBOM
  • Uploading an SBOM via the Tidelift UI

For a CycloneDX SBOM, the file must be named cyclonedx.json (JSON format) or cyclonedx.xml (XML format). For an SPDX SBOM, the file must have the file extension .spdx (example: myproject.spdx).

Generating an SBOM from Docker

To generate a software bill of materials file for a container image (or for a vendor to create an SBOM file to send to your team), see https://github.com/anchore/syft#getting-started
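The file-naming rules above and the syft generation step, as an added shell example that is not Tidelift's or Anchore's own code: it writes a syft-generated SBOM under the file name Tidelift expects and sanity-checks a file before you run an alignment in its directory or upload it. The syft invocation (`syft <image> -o cyclonedx-json` / `-o spdx-tag-value`) and the content markers checked (a `bomFormat` key for CycloneDX JSON, a `<bom` root element for CycloneDX XML, an `SPDXVersion:` tag for SPDX tag-value) are assumptions about those tools and formats, and the sample files the script creates are constructed, not real SBOMs.

```shell
#!/bin/sh
# Added example (not Tidelift's tooling): name, generate and sanity-check an
# SBOM before handing it to Tidelift.

# Return 0 if the file name follows Tidelift's rules for the format:
#   CycloneDX: cyclonedx.json or cyclonedx.xml
#   SPDX:      any name ending in .spdx
sbom_name_ok() {
  case "$(basename "$1")" in
    cyclonedx.json|cyclonedx.xml|*.spdx) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the format implied by the file name (cyclonedx-json, cyclonedx-xml,
# spdx) or "unknown" when the name does not match any rule.
sbom_format() {
  case "$(basename "$1")" in
    cyclonedx.json) echo cyclonedx-json ;;
    cyclonedx.xml)  echo cyclonedx-xml ;;
    *.spdx)         echo spdx ;;
    *)              echo unknown ;;
  esac
}

# Cheap content check: does the file look like the format its name claims?
# Only a marker is checked (assumption about each format); full schema
# validation is left to the tool that produced the SBOM.
sbom_content_ok() {
  case "$(sbom_format "$1")" in
    cyclonedx-json) grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$1" ;;
    cyclonedx-xml)  grep -q '<bom[ >]' "$1" ;;      # CycloneDX XML root element
    spdx)           grep -q '^SPDXVersion:' "$1" ;; # first SPDX tag-value line
    *)              return 1 ;;
  esac
}

# Combined gate: correct name AND plausible content.
check_sbom() {
  sbom_name_ok "$1" && sbom_content_ok "$1"
}

# Generate an SBOM for a container image with syft (assumed installed) and
# write it directly under the file name Tidelift expects.
#   generate_sbom alpine:3.18 ./out cyclonedx   -> ./out/cyclonedx.json
#   generate_sbom alpine:3.18 ./out spdx        -> ./out/alpine.spdx
generate_sbom() {
  image="$1"; dir="$2"; fmt="$3"
  mkdir -p "$dir"
  case "$fmt" in
    cyclonedx) syft "$image" -o cyclonedx-json > "$dir/cyclonedx.json" ;;
    spdx)      syft "$image" -o spdx-tag-value > "$dir/$(echo "$image" | cut -d: -f1 | tr '/' '_').spdx" ;;
    *)         echo "unknown format: $fmt" >&2; return 1 ;;
  esac
}

# Constructed sample files (not real SBOMs) so the checks can run offline.
make_samples() {
  d="$1"
  printf '{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []}\n' > "$d/cyclonedx.json"
  printf 'SPDXVersion: SPDX-2.2\nDataLicense: CC0-1.0\n' > "$d/myproject.spdx"
  printf '{"bomFormat": "CycloneDX"}\n' > "$d/sbom.json"   # valid content, wrong name
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in "$tmp/cyclonedx.json" "$tmp/myproject.spdx" "$tmp/sbom.json"; do
  if check_sbom "$f"; then
    echo "OK    $(basename "$f") ($(sbom_format "$f"))"
  else
    echo "FIX   $(basename "$f"): rename to cyclonedx.json/cyclonedx.xml or *.spdx, or regenerate"
  fi
done
rm -rf "$tmp"
```

Run `check_sbom` on each file before uploading; a file that fails only the name check (like sbom.json above) is fine content-wise and just needs renaming, while a file that fails the content check should be regenerated with the producing tool.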

Uploading an SBOM into the Tidelift UI

Alternatively, you can upload any other CycloneDX file (cyclonedx.json, cyclonedx.xml) or SPDX file (somefile.spdx):

  1. Sign in to Tidelift and click on Projects
  2. On the Projects page, select Create new project in the right-hand corner
  3. After naming your project, select Next
  4. In the new dialog window, upload your CycloneDX- or SPDX-formatted SBOM via the Upload files button

