Free & Open Source • Industry Standards

Software Transparency at Scale

Operationalize SBOM, VEX, and VDR standards with a practical framework designed for enterprise scale.

A free and open source framework built for producers and consumers.

Software Transparency in Software Supply Chains
Content Requirements
What to include

Guidance on what information to include, why it is needed, and how to describe SBOM, VEX, and VDR use cases consistently.

{ "bomFormat": "CycloneDX", "metadata": { "timestamp": "2026-02-26T10:45Z" }, "component": "example-api@2.4.1", "vulnId": "CVE-2026-1234" }
Operational Model
How to run it daily

Practical workflows for producing, distributing, and using SBOM, VEX, and VDR artifacts across producer and consumer teams.

Generate → Validate → Act
Generate: trigger SBOM/VEX updates from events
Validate: validate in existing security pipelines
Act: turn validation results into clear next steps
Assessment Tool
Measure progress

Track maturity over time and prioritize the highest-value improvements.

Current maturity snapshot
SBOM quality
Operational workflow
Automation coverage

Bridging the gap between standards and execution.

Standards like SPDX and CycloneDX provide strong structures for transparency documents. In practice, it can still be difficult to describe specific use cases consistently and connect those artifacts to day-to-day operations.

The Framework provides practical operational guidelines. It brings together content requirements, operational workflows, and maturity assessment so teams can implement SBOM, VEX, and VDR practices without reinventing the wheel.

Content-Driven
Clear requirements for SBOM, VEX, and VDR
Standards-Aligned
Grounded in CycloneDX and SPDX
Operational
Built for daily producer and consumer workflows
Open Source
Free framework, community maintained

Start Your Journey

Pick the path that fits your role in the software supply chain.


Build your software transparency foundation.

Join the community of organizations implementing open standards for a more secure and transparent software supply chain.

Initiative Funded By

Aligned with global regulations

NIS2, DORA, CRA, PCI-DSS, ISO 27001, NIST SSDF, FedRAMP