ProGet x SBOM


What is a Software Bill of Materials?

A “Software Bill of Materials” (SBOM) is a document that lists all of the open-source and third-party components (i.e. library packages, with their exact versions) that are used in a software application.

By 2025, Gartner estimates that “60% of organizations building or procuring critical infrastructure software will mandate and standardize SBOMs in their software engineering practice.” They’re already required by the US federal government.

In addition to these SBOM mandates, software release cycles are getting faster. Applications use more open-source and third-party components than ever, and those components themselves change faster. Manually creating, merging, and analyzing these complex SBOM documents is becoming unrealistic.

ProGet helps you solve this problem by automatically generating SBOM documents, merging them into a single release, and continuously analyzing and assessing the components for vulnerability and licensing issues.

How ProGet solves SBOM challenges 

ProGet is a self-managed Universal Package Manager and Private Docker Registry. This means you can download and install it on-premises or in the cloud. It can work offline, and is easy to manage in both Windows and Linux environments.

Generates SBOMs from Projects at Build/CI Time  

After integrating ProGet into your build process / CI server, ProGet will automatically generate SBOM documents for projects built on popular ecosystems such as .NET, Node.js, and Python.

ProGet uses the OWASP CycloneDX specification for SBOM documents. CycloneDX is one of the SBOM formats recognized in US federal guidance, and using it helps meet several SBOM-related governance requirements, including those stemming from Executive Order 14028 (“Improving the Nation’s Cybersecurity”).

You can import, export, and merge additional SBOM documents from the web UI or through the SCA API.

(Screenshot: Generate SBOMs in XML)

(Screenshot: Release analysis and issues)

Continuously scan packages and releases for vulnerabilities, license issues, and missing packages

ProGet can automatically scan the third-party, open-source packages and container images that you’re using for known vulnerabilities, and detect the license agreements that govern each of those packages.

ProGet will also detect when a package you’re using is not stored in ProGet and was instead pulled directly from the open internet, bypassing your private feeds.

SBOM documents generated by ProGet include specific package versions and their license agreements, as well as any known vulnerabilities in the components.  

Assessing issues and triaging violations

ProGet goes beyond generating SBOM documents, and will routinely re-analyze your releases (both in-flight and in production) for newly published vulnerabilities or unwanted licenses in the packages they use.

You can also be alerted to these issues, and then take action based on what is discovered.

To help you triage, ProGet can also automatically assess new vulnerabilities based on their CVSS score. You can also define rules to block or allow package downloads based on a package’s license.
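The checks described in the two sections above (scanning a CycloneDX SBOM for unwanted licenses and high-severity vulnerabilities, and flagging packages that were not pulled from the private feed) can be illustrated with a small policy script. The code below is an added example and is not ProGet’s code or API: it parses a constructed CycloneDX 1.4 XML document with the Python standard library and applies three assumed rules (a license deny-list, a CVSS block threshold of 7.0, and an approved feed host of proget.example.com, read from each component’s purl `repository_url` qualifier). The package names and vulnerability IDs in the sample SBOM are fictional.

```python
"""Policy checks over a CycloneDX 1.4 XML SBOM: license deny-list, CVSS threshold,
and components not sourced from the approved private feed.
Added illustration only, not ProGet's code; all names, hosts, package names and
vulnerability IDs below are constructed for this example."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs
import xml.etree.ElementTree as ET

NS = {"cdx": "http://cyclonedx.org/schema/bom/1.4"}

# Assumed policy values (hypothetical, not taken from the page).
APPROVED_FEED_HOST = "proget.example.com"
DENIED_LICENSES = {"AGPL-3.0-only", "GPL-3.0-only"}
CVSS_BLOCK_THRESHOLD = 7.0  # block on High/Critical ratings


@dataclass
class Finding:
    kind: str        # "license", "vulnerability", or "missing-package"
    component: str   # name@version
    detail: str
    action: str      # "block" or "warn"


def purl_repository_host(purl: str) -> Optional[str]:
    """Host of the purl's repository_url qualifier, or None if the purl has none.
    Works whether the qualifier value is percent-encoded or not (parse_qs decodes)."""
    if "?" not in purl:
        return None
    query = purl.split("?", 1)[1].split("#", 1)[0]
    urls = parse_qs(query).get("repository_url")
    if not urls:
        return None
    return urls[0].split("://", 1)[-1].split("/", 1)[0].lower()


def evaluate_bom(xml_text: str) -> List[Finding]:
    """Walk components and vulnerabilities and return every policy finding."""
    root = ET.fromstring(xml_text)
    findings: List[Finding] = []
    ref_to_label = {}  # bom-ref -> "name@version", used to resolve vulnerability targets
    for comp in root.findall("./cdx:components/cdx:component", NS):
        name = comp.findtext("cdx:name", default="?", namespaces=NS)
        version = comp.findtext("cdx:version", default="?", namespaces=NS)
        label = f"{name}@{version}"
        ref_to_label[comp.get("bom-ref", label)] = label
        # A component whose purl does not point at the private feed was fetched
        # from somewhere else (or its origin is unknown): the "missing package" case.
        host = purl_repository_host(comp.findtext("cdx:purl", default="", namespaces=NS))
        if host != APPROVED_FEED_HOST:
            findings.append(Finding("missing-package", label,
                                    f"repository_url is {host or 'absent'}, not {APPROVED_FEED_HOST}", "warn"))
        for lic in comp.findall("./cdx:licenses/cdx:license", NS):
            lic_id = lic.findtext("cdx:id", namespaces=NS) or lic.findtext("cdx:name", namespaces=NS) or ""
            if lic_id in DENIED_LICENSES:
                findings.append(Finding("license", label, lic_id, "block"))
    for vuln in root.findall("./cdx:vulnerabilities/cdx:vulnerability", NS):
        vid = vuln.findtext("cdx:id", default="?", namespaces=NS)
        scores = [float(s.text) for s in vuln.findall("./cdx:ratings/cdx:rating/cdx:score", NS) if s.text]
        top = max(scores, default=0.0)  # take the worst rating when several sources disagree
        action = "block" if top >= CVSS_BLOCK_THRESHOLD else "warn"
        for target in vuln.findall("./cdx:affects/cdx:target/cdx:ref", NS):
            findings.append(Finding("vulnerability", ref_to_label.get(target.text, target.text),
                                    f"{vid} CVSS {top}", action))
    return findings


def release_blocked(findings: List[Finding]) -> bool:
    return any(f.action == "block" for f in findings)


# Constructed sample SBOM: three fictional packages, two fictional advisories.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library" bom-ref="pkg-a">
      <name>example-http-client</name><version>2.3.1</version>
      <purl>pkg:nuget/example-http-client@2.3.1?repository_url=https://proget.example.com/nuget/approved/</purl>
      <licenses><license><id>MIT</id></license></licenses>
    </component>
    <component type="library" bom-ref="pkg-b">
      <name>example-reporting</name><version>0.9.0</version>
      <purl>pkg:npm/example-reporting@0.9.0</purl>
      <licenses><license><id>AGPL-3.0-only</id></license></licenses>
    </component>
    <component type="library" bom-ref="pkg-c">
      <name>example-compress</name><version>1.4.2</version>
      <purl>pkg:pypi/example-compress@1.4.2?repository_url=https://proget.example.com/pypi/approved/</purl>
      <licenses><license><id>Apache-2.0</id></license></licenses>
    </component>
  </components>
  <vulnerabilities>
    <vulnerability><id>EXAMPLE-2024-0001</id>
      <ratings><rating><score>9.8</score><severity>critical</severity><method>CVSSv31</method></rating></ratings>
      <affects><target><ref>pkg-c</ref></target></affects></vulnerability>
    <vulnerability><id>EXAMPLE-2024-0002</id>
      <ratings><rating><score>4.3</score><severity>medium</severity><method>CVSSv31</method></rating></ratings>
      <affects><target><ref>pkg-a</ref></target></affects></vulnerability>
  </vulnerabilities>
</bom>"""

if __name__ == "__main__":
    results = evaluate_bom(SAMPLE_BOM)
    for f in results:
        print(f"{f.action.upper():5} {f.kind:16} {f.component:28} {f.detail}")
    print("release blocked:", release_blocked(results))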

Issue assesment

Get Started with Software Bill of Materials

To help you evaluate ProGet’s Software Bill of Materials features, we’d be happy to provide a personalized demonstration. We can also provide a trial license if you’d like to try out some of the features that aren’t available in the free edition.