
Getting Started

The following steps are an overview for getting started with SBOM Manager.

  1. Set up your Tenant

    Initialize your tenant and designate your support contacts and administrators. Refer to the IQ server system requirements and installation instructions for self-hosted deployments.

    Note that SBOM Manager requires using the PostgreSQL database for self-hosted deployments.

  2. Add Organizations and Policies

    Organizations are simple ways to group applications to align with your business units and stakeholders. Use them to manage access control to your applications and SBOMs. We recommend aligning them to your organization's structure and grouping third-party SBOMs by their source vendor. You may also wish to group sets of microservices into a single nested organization for reporting.

    Policies are your rules for identifying and governing your SBOM risk tolerance. The default reference policies may meet your need for baselining your applications, but they can be customized depending on your application's exposure and use.

  3. Onboard Applications

    Applications are the software described in SBOMs and are composed of open-source components and your custom source code. They may be individual scripts, microservices, or monolithic websites. How you define them is up to you.

    You may add applications manually or automatically from your build pipeline.

  4. Import SBOMs

    SBOMs align to specific versions of your applications. We recommend creating and importing an SBOM at the time your application is built and tracking dependency risk so long as the version is in use by your stakeholders.

  5. Enhance your SBOMs with the VEX Workflow

    While the contents of a specific SBOM do not change, the risk associated with its open-source components may, as new vulnerabilities are discovered. We use the VEX workflow to track and manage which issues have been reviewed and remediated. Use Continuous Monitoring to automatically check for newly discovered risks and apply feedback to your efforts in managing those risks.
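    The following is an added illustration of the point above, not code from SBOM Manager or Sonatype: the SBOM is a fixed inventory of components, while the VEX document is a separate, evolving record of which vulnerabilities affecting those components have been reviewed. Both documents are constructed inline in CycloneDX-style JSON (the `vulnerabilities`, `affects` and `analysis` fields are real CycloneDX 1.4 fields); the vulnerability ids `EXAMPLE-000x` are placeholders, not real advisories. The script lists the components that still carry unreviewed or exploitable findings, then shows that recording a new review changes only the VEX side.

```python
import json

# Constructed CycloneDX-style SBOM for one version of an example application.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "payments-service", "version": "1.2.0"}},
  "components": [
    {"bom-ref": "pkg:maven/org.example/parser@2.1.0", "name": "parser", "version": "2.1.0"},
    {"bom-ref": "pkg:maven/org.example/httpclient@4.5.0", "name": "httpclient", "version": "4.5.0"},
    {"bom-ref": "pkg:npm/left-pad@1.3.0", "name": "left-pad", "version": "1.3.0"}
  ]
}"""

# Constructed VEX document: CycloneDX "vulnerabilities" entries with placeholder ids.
# EXAMPLE-0003 has no "analysis" block yet, i.e. nobody has reviewed it.
VEX_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "vulnerabilities": [
    {"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:maven/org.example/parser@2.1.0"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "EXAMPLE-0002", "affects": [{"ref": "pkg:maven/org.example/httpclient@4.5.0"}],
     "analysis": {"state": "exploitable"}},
    {"id": "EXAMPLE-0003", "affects": [{"ref": "pkg:maven/org.example/httpclient@4.5.0"}]}
  ]
}"""

# CycloneDX analysis states that close a finding; anything else (exploitable,
# in_triage, or no analysis at all) is still open and needs attention.
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def open_findings(sbom_text, vex_text):
    """Return {bom-ref: [vulnerability ids]} for components in the SBOM that
    still have findings not closed by a VEX analysis statement."""
    sbom = json.loads(sbom_text)
    vex = json.loads(vex_text)
    known_refs = {c["bom-ref"] for c in sbom.get("components", [])}
    findings = {}
    for vuln in vex.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "in_triage")
        if state in CLOSED_STATES:
            continue
        for target in vuln.get("affects", []):
            ref = target["ref"]
            # Ignore statements about components that are not in this SBOM version.
            if ref in known_refs:
                findings.setdefault(ref, []).append(vuln["id"])
    return findings


def record_review(vex_text, vuln_id, state, justification=None):
    """Return a new VEX document with the analysis for vuln_id set. The SBOM is
    untouched: only the review record changes as the team works through findings."""
    vex = json.loads(vex_text)
    for vuln in vex.get("vulnerabilities", []):
        if vuln["id"] == vuln_id:
            analysis = {"state": state}
            if justification:
                analysis["justification"] = justification
            vuln["analysis"] = analysis
    return json.dumps(vex)


if __name__ == "__main__":
    print("before review:", open_findings(SBOM_JSON, VEX_JSON))
    updated = record_review(VEX_JSON, "EXAMPLE-0002", "resolved")
    print("after review: ", open_findings(SBOM_JSON, updated))
```

    Run as a script it prints the open findings before and after the review of EXAMPLE-0002; the component list in SBOM_JSON never changes, which is why the SBOM can be created once at build time while the VEX record keeps being updated as Continuous Monitoring surfaces new issues.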

  6. Share SBOMs with your stakeholders

    After updating your VEX audit, automatically share your SBOMs with your stakeholders, giving them peace of mind that you are fully compliant with any obligations.