SBOM scanner beta
Drop in a CycloneDX or SPDX file and get a ranked, fix-first patch queue for every component — worst severity, issue count, and the exact version to upgrade to — matched against OSV. 100% private: parsed in your browser, the file never leaves your device. New to SBOMs? Read the 2-minute guide →
CycloneDX or SPDX (JSON) · stays on your device
Monitor this SBOM (optional)
Get an email when a new vulnerability appears in these components — free, double opt-in, unsubscribe anytime. Opting in stores your component list + email on our servers so we can alert you; the SBOM file itself still never leaves your browser. How we handle this →
How it works
- Your SBOM is read and parsed in your browser — nothing is uploaded.
- Each component's package URL is checked against OSV (osv.dev), the open vulnerability database covering npm, PyPI, Maven, Go, crates.io, RubyGems, NuGet, Packagist and more.
- Findings come back as a "fix these first" queue — worst severity first, with the version to upgrade to — plus an honest match rate and a list of anything we couldn't identify (never a false "all clear").
- This scanner is ephemeral — when you leave the page the results are gone. Hit Save to My Stack to keep a summary in this browser only (still no upload) so your dashboard can track it over time.
- Optionally monitor the SBOM to be emailed when a new vulnerability appears later — double opt-in, and only the component coordinates are stored on our servers.
We only send package names and versions to OSV — never the file, never your identity. How we handle data →
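The pipeline described above (and again in the FAQ on formats, "not analysed" components and fix versions), as an added example that is not the scanner's own code: it parses a constructed CycloneDX JSON SBOM, separates purl-bearing components from those that cannot be mapped, builds the OSV querybatch body that carries only package coordinates, and ranks constructed OSV-style responses into a worst-severity-first queue with the version to upgrade to. The querybatch body shape and the `database_specific.severity` field are assumptions about OSV; the SBOM, responses and vulnerability IDs are constructed samples.

```javascript
// Added example, not the scanner's code: parse a constructed CycloneDX SBOM,
// split purl-bearing components from "not analysed" ones, build the OSV
// querybatch body, and rank OSV-style results into a fix-first patch queue.
const SEVERITY_RANK = { CRITICAL: 4, HIGH: 3, MEDIUM: 2, LOW: 1, UNKNOWN: 0 };
const cmpVer = (a, b) => a.localeCompare(b, undefined, { numeric: true }); // stands in for semver
// Components without a package URL cannot be mapped to an OSV ecosystem, so
// they are listed separately instead of being silently counted as clean.
function parseCycloneDx(sbom) {
  const analysable = [], notAnalysed = [];
  for (const c of sbom.components || []) {
    if (typeof c.purl === "string" && c.purl.startsWith("pkg:")) analysable.push(c.purl);
    else notAnalysed.push(`${c.name}@${c.version ?? "?"}`);
  }
  const total = analysable.length + notAnalysed.length;
  return { analysable, notAnalysed, matchRate: total ? analysable.length / total : 0 };
}
// Body for POST https://api.osv.dev/v1/querybatch (assumed shape: one query per
// purl, version carried inside the purl). Only coordinates leave the browser.
function buildOsvBatch(purls) {
  return { queries: purls.map(purl => ({ package: { purl } })) };
}
// One row per vulnerable purl: worst severity (assumed to be carried in OSV's
// database_specific.severity), issue count and the highest "fixed" event seen.
function rankFindings(purls, vulnsByPurl) {
  const rows = [];
  for (const purl of purls) {
    const vulns = vulnsByPurl[purl] || [];
    if (vulns.length === 0) continue;
    let worst = "UNKNOWN", fixTo = null;
    for (const v of vulns) {
      const sev = (v.database_specific?.severity || "UNKNOWN").toUpperCase();
      if ((SEVERITY_RANK[sev] ?? 0) > SEVERITY_RANK[worst]) worst = sev;
      for (const a of v.affected || []) for (const r of a.ranges || [])
        for (const e of r.events || [])
          if (e.fixed && (fixTo === null || cmpVer(e.fixed, fixTo) > 0)) fixTo = e.fixed;
    }
    rows.push({ purl, worst, issues: vulns.length, fixTo });
  }
  return rows.sort((a, b) => SEVERITY_RANK[b.worst] - SEVERITY_RANK[a.worst] || b.issues - a.issues);
}
// Constructed sample SBOM and OSV-style responses; vulnerability IDs are placeholders.
const SAMPLE_SBOM = { bomFormat: "CycloneDX", specVersion: "1.5", components: [
  { name: "lodash", version: "4.17.15", purl: "pkg:npm/lodash@4.17.15" },
  { name: "axios", version: "0.21.0", purl: "pkg:npm/axios@0.21.0" },
  { name: "internal-lib", version: "1.0.0" } ] };
const vuln = (id, severity, fixed) => ({ id, database_specific: { severity },
  affected: [{ ranges: [{ type: "SEMVER", events: [{ introduced: "0" }, { fixed }] }] }] });
const SAMPLE_OSV = { "pkg:npm/lodash@4.17.15": [vuln("EXAMPLE-1", "HIGH", "4.17.21"), vuln("EXAMPLE-2", "MEDIUM", "4.17.19")],
  "pkg:npm/axios@0.21.0": [vuln("EXAMPLE-3", "CRITICAL", "0.21.1")] };
function scan(sbom, osv) { const p = parseCycloneDx(sbom); return { ...p, queue: rankFindings(p.analysable, osv) }; }
```

Running `scan(SAMPLE_SBOM, SAMPLE_OSV)` puts axios (CRITICAL, upgrade to 0.21.1) ahead of lodash (HIGH, 2 issues, upgrade to 4.17.21) and lists `internal-lib@1.0.0` as not analysed with a 2/3 match rate.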
What this checks — and what it doesn't
This is a known-vulnerability scan: it matches your components to CVEs (via OSV), flags actively-exploited ones (CISA KEV), and reports licence, end-of-life and an honest match rate. That answers “is anything I run known to be vulnerable or exploited?” — and you can export a VEX and evidence from it. We flag issues as they land in OSV/NVD, so a brand-new disclosure may not show until its advisory publishes (often a few days).
It does not verify SBOM integrity or provenance. It won't detect malware, package tampering, leaked secrets, native-binary origins, build-chain custody or runtime behaviour — those need deep binary/build analysis, a different class of tool. And it only sees what's in the SBOM you give it, so generate that from a trusted build for completeness. We'd rather be clear about this than imply a clean scan means “fully secure.” How scoring works →
Frequently asked
Does my SBOM get uploaded anywhere?
No. Your SBOM is parsed entirely in your browser. Only the package names and versions are sent to the OSV vulnerability database to look up known issues — the file itself never reaches IsItPatched or any server.
What formats are supported?
CycloneDX (JSON) and SPDX (JSON) — the two standard SBOM formats. Components are matched by their package URL (purl) against OSV, which covers npm, PyPI, Maven, Go, crates.io, RubyGems, NuGet, Packagist and more.
What does "not analysed" mean?
A component we could not confidently map to an ecosystem OSV understands (e.g. no package URL). We never guess — these are listed separately so you know exactly what was and was not checked.
Does it tell me which version to upgrade to?
Yes. For each vulnerable component the scanner shows the version that clears the issues we found (from OSV’s fix data) and ranks components worst-severity-first, so you get a "fix these first" patch queue rather than a flat list.
Can I be alerted when a new vulnerability appears later?
Optionally, yes. After a scan you can opt in to monitoring: we store only the component coordinates and your email (double opt-in) and email you when a new vulnerability hits one of them. The SBOM file itself still never leaves your browser, and you can unsubscribe anytime.