Title: ROX-30569: Add SBOM Scanning REST API to Central by dcaravel · Pull Request #18484 · stackrox/stackrox · GitHub
Open Graph Title: ROX-30569: Add SBOM Scanning REST API to Central by dcaravel · Pull Request #18484 · stackrox/stackrox
X Title: ROX-30569: Add SBOM Scanning REST API to Central by dcaravel · Pull Request #18484 · stackrox/stackrox
Description: Description Adds the /api/v1/sboms/scan custom route and handler to facilitate SBOM scanning. Reading the SBOM content from the request and scanning it will be handled in a future PR - a fake response is returned for now. A few decisions to call out (happy to change as needed): Even though SBOMs can represent 'anything', the new API endpoint requires Image write permission (for now) given there isn't another already existing permission that fits better, and the initial use case is primarily for scanning SBOMs for images, seems an OK compromise until we decide if a new permission should be created. The handler code was placed in the image service location to align with ^^, but was kept isolated from the existing SBOM generation handler so that it can be moved elsewhere easily as needed in the future. Max size of request payload set to 100 MB (changable via env) See below for file size data from https://security.access.redhat.com/data/sbom/v1/spdx/ The env var for enabling/disabling the feature is ROX_SBOM_SCANNING The design called for ROX_SBOM_MATCHING - I'm happy to change it, the API endpoint has scan in its path and other user exposed areas of ACS reference 'scanning' - 'SCAN' seemed like the more consistent value. File sizes from: https://security.access.redhat.com/data/sbom/v1/spdx/ Total files processed: 250 Maximum uncompressed size: 429.3 MB (spdx/rhel-10.1.z.json.bz2) Minimum uncompressed size: 2.3 KB (spdx/quarkus-3.27.json.bz2) Average uncompressed size: 19.5 MB Median uncompressed size: 416.3 KB Standard deviation: 65.0 MB Total uncompressed size: 4.8 GB PR Stack: #18503 #18658 #18484 ⬅️ this PR User-facing documentation CHANGELOG.md is updated OR update is not needed documentation PR is created and is linked above OR is not needed Testing and quality the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag CI results are inspected Automated testing added unit tests How I validated my change Unit tests + sending a fake request to the API: $ curl -ki -H "Authorization: Bearer $ROX_API_TOKEN" -X POST https://$ROX_ENDPOINT/api/v1/sboms/scan HTTP/2 400 vary: Accept-Encoding content-type: text/plain; charset=utf-8 content-length: 129 date: Wed, 14 Jan 2026 04:58:14 GMT {"code":3,"message":"validating media type: unsupported media type \"\", supported types [text/spdx+json application/spdx+json]"} $ curl -ki -H "Authorization: Bearer $ROX_API_TOKEN" -H "Content-Type: text/spdx+json" -X POST https://$ROX_ENDPOINT/api/v1/sboms/scan HTTP/2 200 content-type: application/json vary: Accept-Encoding content-length: 467 date: Wed, 14 Jan 2026 04:58:47 GMT { "id": "fake HashId", "scan": { "scanTime": "2026-01-14T04:58:47.653925991Z", "components": [ { "name": "Fake Package #1", "vulns": [ { "cve": "Fake Vuln #1" }, { "cve": "Fake Vuln #2" } ] } ], "operatingSystem": "unknown", "dataSource": { "id": "a87471e6-9678-4e66-8348-91e302b6de07", "name": "Scanner V4" } } } Max request size enforcement $ k set env deploy/central ROX_SBOM_SCAN_MAX_REQ_SIZE_BYTES=2 $ curl -ki -H "Authorization: Bearer $ROX_API_TOKEN" -H "Content-Type: text/spdx+json" -X POST https://$ROX_ENDPOINT/api/v1/sboms/scan -d "this is not actually an SBOM" HTTP/2 400 vary: Accept-Encoding content-type: text/plain; charset=utf-8 content-length: 67 date: Wed, 14 Jan 2026 05:26:39 GMT {"code":3,"message":"request body exceeds maximum size of 2 bytes"}
Open Graph Description: Description Adds the /api/v1/sboms/scan custom route and handler to facilitate SBOM scanning. Reading the SBOM content from the request and scanning it will be handled in a future PR - a fake respo...
X Description: Description Adds the /api/v1/sboms/scan custom route and handler to facilitate SBOM scanning. Reading the SBOM content from the request and scanning it will be handled in a future PR - a fake respo...
Opengraph URL: https://github.com/stackrox/stackrox/pull/18484
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:9ffb4e86-f602-45f2-a217-48461089e83b |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | A152:1DC9FC:E39A32:E8E379:6A4DC365 |
| html-safe-nonce | 1d56c133bfd233055fbaefde0fb6ee01a9e628cb5d008f9f88df19d8df10c454 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJBMTUyOjFEQzlGQzpFMzlBMzI6RThFMzc5OjZBNERDMzY1IiwidmlzaXRvcl9pZCI6IjY2NzUyOTM3ODg3NTgxOTcwOTMiLCJyZWdpb25fZWRnZSI6InNlYSIsInJlZ2lvbl9yZW5kZXIiOiJzZWEifQ== |
| visitor-hmac | 0a5a0260e4030711f49697663b2bcb7dea300cce2bf8012c53093efeb10a546f |
| hovercard-subject-tag | pull_request:3172065881 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/stackrox/stackrox/pull/18484/files |
| twitter:image | https://avatars.githubusercontent.com/u/119438707?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/u/119438707?s=400&v=4 |
| og:image:alt | Description Adds the /api/v1/sboms/scan custom route and handler to facilitate SBOM scanning. Reading the SBOM content from the request and scanning it will be handled in a future PR - a fake respo... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | 06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33 |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/stackrox/stackrox git https://github.com/stackrox/stackrox.git |
| octolytics-dimension-user_id | 40638982 |
| octolytics-dimension-user_login | stackrox |
| octolytics-dimension-repository_id | 434017296 |
| octolytics-dimension-repository_nwo | stackrox/stackrox |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 434017296 |
| octolytics-dimension-repository_network_root_nwo | stackrox/stackrox |
| turbo-body-classes | logged-out env-production page-responsive full-width |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 1d344bdb7547fe6bca17a59bb2b8aac3dc9532a0 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width