Gain complete visibility into your software supply chain. Blacklock’s SBOM scanner identifies vulnerable components, outdated dependencies, and licensing risks across your codebase, helping organisations meet evolving regulatory expectations and reduce third-party software risk through a single cloud-native platform.
Connect your source code repository to Blacklock in a few clicks. Once added to your project list, you can trigger a scan immediately using the Scan Now button. You’ll receive an email confirmation when the scan starts and another when the results are ready. All major code repositories are supported natively, including GitHub, GitLab, Azure DevOps, and Bitbucket.
See at a glance which libraries and packages are outdated, unsupported, infected, or exposed to known exploits. Each component is categorised (frameworks, development tools, database connectors, frontend libraries) so you can prioritise what matters. Licence details are surfaced alongside version data, making it easy to spot restrictions or compliance obligations before they become problems.
Every component in your SBOM is checked against public vulnerability databases, including the National Vulnerability Database (NVD). Details include affected package, severity level, CVSS score, a description of the issue, and reference links for further investigation. This gives your developers the context they need to resolve issues quickly.
Generate audit-ready PDF reports covering all dependencies, known vulnerabilities, fixed versions, and license information. These reports are structured for multiple audiences: hand them to developers for remediation priorities, to auditors for compliance evidence, or to leadership for supply chain risk visibility. Useful for MAS TRM audits, Cyber Trust mark assessments, and ISO 27001 reviews alike.
Export your SBOM in industry-standard SPDX or CycloneDX JSON formats. These files are both human-readable and machine-parseable, making them interoperable with downstream security tooling and automated compliance workflows. Whether you need to share inventory data with a regulator, an enterprise client, or an internal governance team, standard-format exports keep the process frictionless.
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.
An SBOM (Software Bill of Materials) is a complete inventory of all software components, libraries, and open-source or third-party dependencies in your application. It matters because it gives you the visibility to identify outdated software and known vulnerabilities, verify license compliance, and manage risk across your software supply chain. Think of it as a detailed ingredient list for your software.
MAS TRM Guidelines require financial institutions to assess and continuously monitor the security posture of third-party vendors and software. An SBOM scanner provides the component-level visibility needed to identify vulnerable or outdated dependencies in your software supply chain, demonstrate ongoing risk management to auditors, and maintain evidence of software integrity across your technology stack.
While Singapore does not currently mandate SBOM production in the way the US Executive Order 14028 does, the regulatory direction is clear. The amended Cybersecurity Act extends oversight to third-party and cloud systems. MAS TRM emphasises continuous third-party risk management. The Cyber Trust mark increasingly expects demonstrable software supply chain hygiene. Adopting SBOM scanning ensures your organisation remains in-step with these tightening regulatory expectations.
The Cyber Trust mark assesses an organisation’s cybersecurity practices relative to its risk profile, including how it manages third-party and software supply chain risks. Maintaining a current, accurate software inventory with identified vulnerabilities demonstrates the kind of proactive risk management the certification framework expects. Blacklock SBOM scanning provides this inventory on demand, with audit-ready reports.
SBOM scanning identifies outdated libraries, components with known CVEs, and packages with license restrictions or compliance obligations, giving you visibility into risks across your software dependencies. This visibility is particularly valuable for SaaS companies, FinTechs, and organisations in regulated sectors where a single vulnerable dependency could compromise customer data or service availability.
Key frameworks include: US Executive Order 14028 (SBOM required for software sold to US federal agencies), US FDA Section 524B (SBOM for connected medical devices), PCI DSS v4.0 (inventory of custom and third-party components), EU Cyber Resilience Act (SBOM in technical documentation), and ACSC Guidelines for Software Development (recommends SBOM provision to customers). In Singapore, while there is no direct SBOM mandate, MAS TRM’s third-party risk requirements and the Cyber Trust mark’s risk-based assessment both align with SBOM as a supporting practice.
Development teams, product owners, security practitioners, DevOps engineers, procurement teams, and compliance officers. Anyone responsible for knowing what’s inside your software and whether those components are secure, licensed appropriately, and up to date.
Blacklock supports native GitHub integration, providing secure access to your code repository. You control which repositories are connected and can update or remove access at any time.
The scanner analyses your codebase’s libraries and package versions against public vulnerability databases, including the National Vulnerability Database (NVD). It surfaces CVE IDs, severity levels, and CVSS scores for each affected component, along with actionable context to help your team prioritise remediation.
For every component in your SBOM, Blacklock shows both the version you’re currently running and the latest available version. This makes it straightforward to identify upgrade priorities and ensure your production software uses the most current, secure versions of its dependencies.
We recommend scanning after every significant code change or dependency update, and scheduling regular scans even during low-activity development periods. Continuous scanning keeps you ahead of newly disclosed vulnerabilities and ensures your SBOM remains an accurate, current record of your software composition.
SBOM scanning analyses your software’s components, libraries, and third-party dependencies before deployment, identifying risks linked to specific packages. Vulnerability scanning examines deployed systems in a live environment, detecting misconfigurations, open ports, and exploitable weaknesses. The two are complementary: SBOM scanning secures your code supply chain, while vulnerability scanning secures your running infrastructure.
Most small to mid-sized projects are completed within a few minutes. Larger codebases with extensive dependency trees may take longer, but the process is designed to minimise disruption to your development workflow.
SBOM scanning is priced per repository on a monthly or annual subscription. You can purchase a plan directly from your Blacklock account and scale up by adding repositories as your needs grow.