Join waitlist
With public launch · Q3 2026

SBOM generation

The deep dive on how crawin reads your manifests, lock files, and container layers, then produces CycloneDX 1.6 and SPDX 3.0 outputs your auditor and your CI both accept.

What this page will cover

  • Supported ecosystems: npm, pypi, cargo, go modules, maven, gradle, composer, rubygems, cocoapods, swift, nuget, hex, pub, apt — 14 in total
  • Container SBOM via layer-level resolution (Docker, OCI, distroless)
  • cosign signing and SLSA L3 attestation included
  • Side-by-side CycloneDX vs SPDX with the same data
  • CI examples: GitHub Actions, GitLab CI, Bitbucket Pipelines, Jenkins

Want this section first?

Join the waitlist and we email you the moment this page goes live — and the moment the matching product surface ships.

One email when your wave opens. No newsletter, no drip. Unsubscribe is one click. We do not share with third parties. Read our privacy notice.

While you wait
See a real SBOM on the homepage Why the CRA requires this