SBOMs, vulnerabilities, license compliance, and risk reduction

These areas are available from the main navigation for your organization and, where applicable, per project and branch. Generic projects use uploaded SBOM data instead of a source control branch.

SBOMs

  • Organization SBOMs — List and open SBOM reports across the org.
  • Project SBOMs — When you are inside a GitHub or GitLab project, SBOM views are scoped to the selected ref. Generic project SBOM views use the project's uploaded SBOMs.
  • SBOM report summary — Report pages include repository/source context, component and language details, report status, roll-up counts for vulnerabilities/components, and actions for copying or downloading report data.
  • Component versions — When a component version is a long sha256: digest, the summary card shortens the displayed hash for readability. The underlying value is unchanged; hover over the shortened value to view the full digest.
  • Manual SBOM uploads — You can upload an SBOM JSON file from the Platform when you need to review SBOM data that was not produced by a connected repository workflow. At organization scope, choose an existing Generic project or create one during upload. Manual upload requests support SBOM JSON files up to 100 MB.

In the SBOM report summary card, the Source badge can link directly to the upstream repository context:

  • When repository metadata is available, the badge opens the repository URL.
  • When both repository URL and git ref are available for GitHub/GitLab projects, the badge opens that specific branch/ref in the provider UI.
  • For Generic projects, the badge uses the project URL when one is configured.
  • If this metadata is unavailable, the badge remains informational text only.

In SBOM-driven tables (for example vulnerabilities and license compliance):

  • For GitHub/GitLab source repos, File path links to the blob at the selected ref.
  • For Generic projects, File path is shown as text because there is no connected repository/ref for a blob link.
  • For Docker image SBOMs, File path displays the image reference directly (not a repo blob link).
  • This behavior applies in both organization-level and project-level table views.

Browser upload size limit

When uploading files directly in the Platform, the browser upload request can be up to 100 MB:

  • Manual SBOM uploads from the SBOMs page or a Generic project page support SBOM JSON files up to 100 MB.
  • Generic project uploads from an organization or project page use the same 100 MB SBOM JSON limit.
  • Risk reduction uploads submit the binary and SBOM together; keep the combined request under 100 MB.
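A pre-upload check for manual SBOM uploads, as an added example (this is not RunSafe Platform code). It enforces the 100 MB limit stated above before parsing, confirms the file is valid JSON, and sniffs CycloneDX versus SPDX from top-level keys. The key names used for that sniffing and the constructed sample files are assumptions about common SBOM JSON layouts, not a description of what the Platform parses.

```python
"""Pre-upload checks for an SBOM JSON file before a manual upload.

Added example; not RunSafe Platform code. The 100 MB limit is the one the page
states. The CycloneDX/SPDX top-level keys used to sniff the format are
assumptions about common SBOM JSON layouts, not what the Platform parses.
"""
import json
import os
import tempfile
from typing import Optional

MAX_UPLOAD_BYTES = 100 * 1024 * 1024  # browser upload limit stated on the page


def sniff_sbom_format(doc: dict) -> Optional[str]:
    """Return "cyclonedx", "spdx" or None from top-level keys (assumed layouts)."""
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-") and "SPDXID" in doc:
        return "spdx"
    return None


def check_sbom_file(path: str, limit: int = MAX_UPLOAD_BYTES) -> dict:
    """Check size, JSON validity and SBOM format; never raises for bad input."""
    result = {"path": path, "size": os.path.getsize(path), "format": None,
              "components": 0, "errors": []}
    if result["size"] == 0:
        result["errors"].append("file is empty")
        return result
    if result["size"] > limit:
        # Stop before parsing: the upload would be rejected anyway and a
        # json.load of a file that large is wasted work.
        result["errors"].append(
            f"file is {result['size']} bytes, over the {limit} byte upload limit")
        return result
    try:
        with open(path, "rb") as fh:
            doc = json.load(fh)
    except ValueError as exc:  # JSONDecodeError and UnicodeDecodeError both subclass ValueError
        result["errors"].append(f"not valid JSON: {exc}")
        return result
    if not isinstance(doc, dict):
        result["errors"].append("top-level JSON value is not an object")
        return result
    fmt = sniff_sbom_format(doc)
    result["format"] = fmt
    if fmt == "cyclonedx":
        result["components"] = len(doc.get("components") or [])
    elif fmt == "spdx":
        result["components"] = len(doc.get("packages") or [])
    else:
        result["errors"].append("no CycloneDX or SPDX markers found")
    return result


def is_ok(result: dict) -> bool:
    return not result["errors"]


def run_demo() -> dict:
    """Exercise the checks on constructed files (sample data, not real SBOMs)."""
    cdx = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "zlib", "version": "1.2.13"},
        {"type": "container", "name": "app", "version": "sha256:" + "ab" * 32},
    ]}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.cdx.json")
        with open(good, "w") as fh:
            json.dump(cdx, fh)
        bad = os.path.join(tmp, "truncated.json")
        with open(bad, "w") as fh:
            fh.write('{"bomFormat": "CycloneDX", "components": [')  # simulates a cut-off write
        results["good"] = check_sbom_file(good)
        results["truncated"] = check_sbom_file(bad)
        results["oversize"] = check_sbom_file(good, limit=16)  # tiny limit to trigger the size error
    return results


if __name__ == "__main__":
    for name, res in run_demo().items():
        print(name, "OK" if is_ok(res) else res["errors"])
```

The size check runs before `json.load` on purpose: an oversize file will be rejected by the upload anyway, so there is no point spending memory parsing it first. Run the script against your own export by calling `check_sbom_file("path/to/sbom.json")`.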

For larger SBOMs or build outputs, and for how SBOMs are produced in CI (packages, Yocto, offline flows), use the CI/tooling flows described in Identify.

Vulnerabilities

Organization- and project-level views show vulnerability information derived from your SBOMs and configuration. Use git ref context for GitHub and GitLab projects when you need results for a specific line of development.

The organization-level Vulnerabilities page is designed for cross-project triage:

  • Summary cards show counts for Known Exploited Vulnerabilities and Critical and High Vulnerabilities, including how many findings RunSafe mitigates and how many have fixes available.
  • Top priority projects highlights connected repositories with the highest count of distinct critical, high, or known-exploited vulnerabilities.
  • The vulnerabilities table deduplicates findings by SBOM report and vulnerability ID, sorts known-exploited and high-scoring vulnerabilities first, and can be filtered or sorted from the table controls.
  • The Source value uses the connected repository name when available; otherwise it falls back to the SBOM file name or a manual-upload label.
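The triage ordering and roll-ups described in the list above, worked through in code as an added example (not RunSafe Platform code): findings are deduplicated by SBOM report plus vulnerability ID, known-exploited and high-scoring entries sort first, the Source column falls back from repository name to SBOM file name to a manual-upload label, and Top priority projects ranks connected repositories by distinct critical/high/KEV IDs. The finding record fields, severity strings and sample data are constructed assumptions, not the Platform's schema.

```python
"""Cross-project triage over SBOM vulnerability findings.

Added example, not RunSafe Platform code. Field names, severity labels and the
sample findings are assumptions for illustration, not the Platform's schema.
"""
from collections import defaultdict

# Constructed sample findings (not real scan output). The first two records share
# (report, vuln_id) to show deduplication; the same CVE in a second report stays.
SAMPLE_FINDINGS = [
    {"report": "rpt-1", "vuln_id": "CVE-2023-0001", "severity": "critical", "score": 9.8,
     "kev": True, "fix_available": True, "mitigated": True,
     "repo": "acme/edge-proxy", "sbom_file": None, "component": "libfoo@1.2.3"},
    {"report": "rpt-1", "vuln_id": "CVE-2023-0001", "severity": "critical", "score": 9.8,
     "kev": True, "fix_available": True, "mitigated": True,
     "repo": "acme/edge-proxy", "sbom_file": None, "component": "libfoo-dev@1.2.3"},
    {"report": "rpt-2", "vuln_id": "CVE-2023-0001", "severity": "critical", "score": 9.8,
     "kev": True, "fix_available": True, "mitigated": False,
     "repo": "acme/billing-api", "sbom_file": None, "component": "libfoo@1.2.3"},
    {"report": "rpt-1", "vuln_id": "CVE-2023-0002", "severity": "high", "score": 7.5,
     "kev": False, "fix_available": False, "mitigated": True,
     "repo": "acme/edge-proxy", "sbom_file": None, "component": "libbar@0.9"},
    {"report": "rpt-3", "vuln_id": "CVE-2023-0003", "severity": "medium", "score": 5.3,
     "kev": False, "fix_available": True, "mitigated": False,
     "repo": None, "sbom_file": "firmware.cdx.json", "component": "busybox@1.36"},
    {"report": "rpt-4", "vuln_id": "CVE-2023-0004", "severity": "high", "score": 8.1,
     "kev": False, "fix_available": True, "mitigated": False,
     "repo": None, "sbom_file": None, "component": "openssl@3.0.1"},
]

CRITICAL_HIGH = {"critical", "high"}  # assumed severity labels


def dedupe(findings):
    """Keep the first record per (report, vuln_id); extra component rows collapse into it."""
    seen = {}
    for f in findings:
        seen.setdefault((f["report"], f["vuln_id"]), f)
    return list(seen.values())


def triage_sort(findings):
    """KEV first, then highest score; vuln_id and report break ties deterministically."""
    return sorted(findings, key=lambda f: (not f["kev"], -f["score"], f["vuln_id"], f["report"]))


def source_label(f):
    """Source column: repository name, else SBOM file name, else a manual-upload label."""
    return f["repo"] or f["sbom_file"] or "Manual upload"


def summary_cards(findings):
    """Counts behind the summary cards, computed over deduplicated findings."""
    uniq = dedupe(findings)
    return {
        "kev": sum(f["kev"] for f in uniq),
        "critical_high": sum(f["severity"] in CRITICAL_HIGH for f in uniq),
        "mitigated": sum(f["mitigated"] for f in uniq),
        "fix_available": sum(f["fix_available"] for f in uniq),
    }


def top_priority_projects(findings, limit=5):
    """Connected repos ranked by distinct critical/high/KEV vulnerability IDs."""
    per_repo = defaultdict(set)
    for f in dedupe(findings):
        if f["repo"] and (f["kev"] or f["severity"] in CRITICAL_HIGH):
            per_repo[f["repo"]].add(f["vuln_id"])
    ranked = sorted(per_repo.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(repo, len(ids)) for repo, ids in ranked[:limit]]


def triage_table(findings):
    """Rows as the org-level table would list them: deduped, triage-sorted, with Source."""
    return [(f["vuln_id"], f["report"], source_label(f), f["score"], f["kev"])
            for f in triage_sort(dedupe(findings))]


if __name__ == "__main__":
    print(summary_cards(SAMPLE_FINDINGS))
    print(top_priority_projects(SAMPLE_FINDINGS))
    for row in triage_table(SAMPLE_FINDINGS):
        print(row)
```

Note that deduplication is per SBOM report, not per organization: the same CVE appearing in two reports (two repositories here) is two rows and contributes to both projects' priority counts, which is what you want when deciding where to act first.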

Open a project when you need to move from organization-wide triage to the SBOMs, vulnerabilities, and license compliance for one project. GitHub and GitLab projects can be viewed by git ref; Generic projects summarize the latest uploaded SBOM data.

Vulnerability alert emails

Organization admins can configure Settings → Vulnerability Alerts to send organization vulnerability summary emails to selected organization users. These summaries cover new vulnerabilities found by automated SBOM vulnerability scans and link recipients back to the relevant Platform vulnerability and SBOM report views.

Protect overview

The organization Protect page summarizes projects with and without RunSafe Protect enabled. Use it to compare:

  • Total projects with and without Protect.
  • Vulnerabilities that Protect mitigates or could mitigate.
  • Average and highest memory-safety coverage scores when score data is available.

The overview is scoped to the latest complete scan on each connected project's default branch. Older scans, non-default branches, and manually uploaded SBOMs are excluded from these organization-level Protect metrics.

The page splits projects into Without Protect and With Protect tables. For projects in Without Protect, vulnerability counts represent memory-safety CWE findings that Protect could mitigate if enabled. For projects in With Protect, vulnerability counts represent findings marked as mitigated by Protect. Organization admins can enable Protect for eligible GitHub and GitLab projects directly from the Without Protect table. Generic projects do not support Protect setup.
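The scoping and the two per-table counts described above, reproduced over constructed scan data as an added example (not RunSafe Platform code). Only the latest complete scan on each connected project's default branch is considered; older scans, feature branches, in-progress scans and manual uploads are skipped. Projects without Protect count findings whose CWE is in a memory-safety set; projects with Protect count findings marked mitigated. The memory-safety CWE list, the scan and finding fields, the 0..1 coverage score, and the choice to keep projects with no eligible scan in their table with a zero count are all assumptions for illustration, not the Platform's rules.

```python
"""Organization Protect overview metrics from per-project scan data.

Added example, not RunSafe Platform code. The CWE set, record fields, score
scale and sample data are assumptions for illustration.
"""

# Assumed illustrative set of memory-safety CWEs; RunSafe's own mapping is not on the page.
MEMORY_SAFETY_CWES = {"CWE-119", "CWE-120", "CWE-121", "CWE-122", "CWE-125",
                      "CWE-415", "CWE-416", "CWE-787", "CWE-190"}

# Constructed sample (not real data). "seq" orders scans; "origin" is "scan" or "manual_upload".
SAMPLE_PROJECTS = [
    {"name": "acme/edge-proxy", "kind": "github", "default_branch": "main", "protect": True,
     "scans": [
         {"branch": "main", "status": "complete", "seq": 1, "origin": "scan", "coverage_score": 0.70,
          "findings": [{"cwe": "CWE-787", "mitigated": True}]},
         {"branch": "main", "status": "complete", "seq": 2, "origin": "scan", "coverage_score": 0.82,
          "findings": [{"cwe": "CWE-787", "mitigated": True}, {"cwe": "CWE-416", "mitigated": True},
                       {"cwe": "CWE-79", "mitigated": False}]},
         {"branch": "feature/x", "status": "complete", "seq": 3, "origin": "scan", "coverage_score": 0.99,
          "findings": [{"cwe": "CWE-120", "mitigated": True}] * 5},  # non-default branch: excluded
         {"branch": "main", "status": "running", "seq": 4, "origin": "scan", "coverage_score": None,
          "findings": []},  # not complete: excluded
     ]},
    {"name": "acme/billing-api", "kind": "gitlab", "default_branch": "develop", "protect": False,
     "scans": [
         {"branch": "develop", "status": "complete", "seq": 5, "origin": "scan", "coverage_score": None,
          "findings": [{"cwe": "CWE-120", "mitigated": False}, {"cwe": "CWE-125", "mitigated": False},
                       {"cwe": "CWE-89", "mitigated": False}]},
     ]},
    {"name": "firmware-sbom", "kind": "generic", "default_branch": None, "protect": False,
     "scans": [
         {"branch": None, "status": "complete", "seq": 6, "origin": "manual_upload", "coverage_score": None,
          "findings": [{"cwe": "CWE-121", "mitigated": False}]},  # manual upload: excluded
     ]},
    {"name": "acme/auth-svc", "kind": "github", "default_branch": "main", "protect": True,
     "scans": [
         {"branch": "main", "status": "complete", "seq": 7, "origin": "scan", "coverage_score": 0.60,
          "findings": [{"cwe": "CWE-121", "mitigated": True}]},
     ]},
]


def latest_eligible_scan(project):
    """Latest complete scan on the default branch; manual uploads and other branches are skipped."""
    eligible = [s for s in project["scans"]
                if s["origin"] == "scan" and s["status"] == "complete"
                and project["default_branch"] is not None
                and s["branch"] == project["default_branch"]]
    return max(eligible, key=lambda s: s["seq"]) if eligible else None


def project_row(project):
    """Vulnerability count per table: could-mitigate CWEs without Protect, mitigated findings with it.

    Projects with no eligible scan stay in their table with count 0 (assumption)."""
    scan = latest_eligible_scan(project)
    findings = scan["findings"] if scan else []
    if project["protect"]:
        count = sum(1 for f in findings if f["mitigated"])
    else:
        count = sum(1 for f in findings if f["cwe"] in MEMORY_SAFETY_CWES)
    return {"project": project["name"], "count": count,
            "coverage_score": scan["coverage_score"] if scan else None,
            # Only GitHub/GitLab projects can have Protect enabled from the table.
            "can_enable": (not project["protect"]) and project["kind"] in ("github", "gitlab")}


def protect_overview(projects):
    rows = [project_row(p) for p in projects]
    with_p = [r for r, p in zip(rows, projects) if p["protect"]]
    without_p = [r for r, p in zip(rows, projects) if not p["protect"]]
    scores = [r["coverage_score"] for r in rows if r["coverage_score"] is not None]
    return {
        "with_protect": with_p, "without_protect": without_p,
        "mitigated": sum(r["count"] for r in with_p),
        "could_mitigate": sum(r["count"] for r in without_p),
        "avg_coverage": round(sum(scores) / len(scores), 3) if scores else None,
        "max_coverage": max(scores) if scores else None,
    }


if __name__ == "__main__":
    ov = protect_overview(SAMPLE_PROJECTS)
    for key in ("mitigated", "could_mitigate", "avg_coverage", "max_coverage"):
        print(key, ov[key])
    for r in ov["without_protect"] + ov["with_protect"]:
        print(r)
```

The feature-branch scan with five mitigable findings and a 0.99 score never reaches the metrics, which is the point of the scoping rule: the overview reflects what is deployed on the default branch, not the best-looking scan anywhere in the project.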

License compliance

Organization- and project-level License compliance views reflect your license policy and findings. Policy editing is under Settings → License Compliance (License compliance policy).

Risk reduction

Risk reduction opens analyses and reports your organization has access to (for example binary risk workflows where enabled). Use the in-app navigation for the latest report types and drill-downs.