Getting Started: Product Security
Welcome to the Manifest Product Security Module for analyzing SBOMs and software risk! Here is a walkthrough to get you started and help you maximize your use of the platform.
Understanding the Manifest SBOM Workflow
Upload your SBOMs
Take what you already have, and immediately get a full analysis
Risk Analysis and Reporting
Understand your risk at the SBOM and Product level and export reports for compliance artifacts.
Add Product Hierarchy
Enable yourself to answer questions at the product level
Automate SBOM Generation
Ensure you always have the latest SBOM for visibility and control
Set Up Workflows
Prioritize vulnerabilities, set up alerts, assign owners, and track fixes across products.
Automate Compliance Artifact Delivery
Automatically deliver consolidated SBOMs, vulnerability reports, and license reports.
Getting Data Into the Tool Right Away
Uploading your first SBOM
Manifest makes uploading SBOMs easy through a variety of approaches. The fastest way to get started is to manually upload (or drag and drop) an SBOM on Manifest's Uploads page.
If you don't already have an SBOM, you can Download a Sample SBOM.
To import an SBOM into Manifest:
- Go to the Uploads page at the bottom of the left-hand navigation menu.
- Drag and drop your CycloneDX or SPDX SBOM in JSON format into the dropzone at the top of the screen.
- Once the SBOM has finished processing, it will appear in both Uploads and Assets.
Other ways to get SBOMs
Public GitHub repositories can be analyzed immediately by providing a repository URL. Manifest will automatically scan the code and output an analysis.
Visualizing Your Risk Analysis
Now that you have some SBOM data in the platform, let's walk through assessing risk.
- Go to the Assets page, and click into the asset you uploaded.
- Take a look at the risk summary. You can also download the Asset Report for a high-level overview.
 
- Click on the Components tab
- This is a visual representation of the libraries in the software, so that you don't have to ever look at a JSON file again.
 
- Click on the Vulnerabilities tab.
- Click into an example vulnerability, and start investigating:
  - Understand our Scoring Methodology
  - Understand how Manifest matches for vulnerabilities
  - Understand how to remediate the vulnerability in the Fixes tab
  - Triage a vulnerability to show the work your team would be doing
  - Generate a Vulnerability Disclosure Report to share your vulnerability efforts externally
  - Check in the Actions tab whether a ticket has been opened for this vulnerability
  - Download the Vulnerability Report to share with others
  - Integrate with a ticketing system to open a ticket on the vulnerability
  - Generate a VEX Document for Vulnerability Disclosure
 
- Click on the Versions tab of the asset.
- As you upload new versions of the SBOM, you will be able to see all previous versions of the same SBOM and track vulnerabilities over time.
 
Creating Product Hierarchy
Products enable you to continuously represent a product with one SBOM, and to deliver reports and compliance artifacts for the product as a whole. We want to enable you to attach SBOMs to a hierarchy that makes sense for your organization and the products you deliver.
This allows you to continuously merge multiple SBOMs into a single application and deliver compliance artifacts for the consolidated grouping. Many organizations deliver a product that is built from multiple software repositories plus a container image, and the product is the level at which they need to answer risk and compliance questions.
Creating Products
- Click onto the Products page.
- Click "+ New Product" to create a product.
- Fill in the required details such as name and product version.
- Go to the Assets page, and select the checkbox for one or more assets.
- Click the "Add to Product" button.
- Select the product you want the assets to be a part of and add them.
Analyzing Products for Compliance Artifact Delivery
- Go back to the Products page and click into the product we just added assets to.
- Now you can visualize the product with the riskiest vulnerabilities and assets across the entire product.
 
- Click on the Download button on the top right of the screen. This allows you to download three compliance artifacts for the entire product:
  - Vulnerability Disclosure Report (VDR): exports all triage data for all assets in the product.
  - Consolidated SBOM: download your SBOM in a single CycloneDX or SPDX format.
  - License Report: exports a list of all components with problematic license statuses.
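The consolidation step above, merging one SBOM per asset into a single product SBOM, can be illustrated with the following added example. It is not Manifest's own merge logic or code from this page; the two CycloneDX JSON SBOMs are constructed, and the `example:source-asset` property name is a hypothetical label chosen for this example.

```python
import json

# Constructed sample CycloneDX JSON SBOMs for two assets of one product
# (a source repository and its container image); not real Manifest data.
REPO_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "api-service", "version": "2.1.0"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"},
    ],
})
IMAGE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "api-image", "version": "2.1.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.2", "purl": "pkg:deb/ubuntu/openssl@3.0.2"},
        {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

def component_key(comp):
    # A purl identifies a component unambiguously; fall back to name@version without one.
    return comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"

def merge_sboms(product_name, product_version, sbom_jsons):
    """Merge CycloneDX JSON SBOMs into one consolidated product SBOM.
    A component present in several assets is kept once; the hypothetical
    'example:source-asset' property records every asset that pulls it in,
    so the product view can still answer where a vulnerable library lives."""
    merged = {}
    for raw in sbom_jsons:
        sbom = json.loads(raw)
        if sbom.get("bomFormat") != "CycloneDX":
            raise ValueError("this example only merges CycloneDX JSON")
        asset = sbom["metadata"]["component"]["name"]
        for comp in sbom.get("components", []):
            entry = merged.setdefault(component_key(comp),
                                      {**comp, "properties": list(comp.get("properties", []))})
            entry["properties"].append({"name": "example:source-asset", "value": asset})
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"type": "application", "name": product_name, "version": product_version}},
        "components": list(merged.values()),
    }

def source_assets(consolidated, purl):
    """List the assets a component of the consolidated SBOM came from."""
    for comp in consolidated["components"]:
        if comp.get("purl") == purl:
            return sorted(p["value"] for p in comp["properties"] if p["name"] == "example:source-asset")
    return []
```

Because `requests` appears in both the repository and the image SBOM, the consolidated output lists it once but attributes it to both assets, which is what lets a product-level vulnerability finding be traced back to the asset that needs the fix.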
 
Automating SBOM Generation
The Manifest Scanner is CLI-based and can be used across platforms and ecosystems. You can run the scanner in any CI/CD pipeline or manually on source code. We have provided several example CI/CD pipeline templates in our documentation to make this easier. The Manifest CLI tool supports SBOM generation for the following languages.
- Getting started with local and one-off SBOM generation
- Getting started with Github Actions
- Getting started with Azure DevOps (ADO)
- Getting started with Jenkins
If you already have SBOMs being generated by another tool, here are your options to automate the collection of those:
- Manifest CLI
- Manifest API
Set Up Your Workflows
- Add Ticketing Integrations
  - We want you to be able to communicate with your development team using their ticketing system. See here for guidance on setting up integrations with ticketing systems.
- Set Up License Usage Compliance
  - Review the approved license page to set which licenses you want to allow and which ones to flag and be alerted on.
- Add Users
  - Ensure that everybody on your team has access to the tool with the proper permissions.
- Set Up SSO
  - The default login method is a magic link sent through email. Set up SSO if you would like to integrate with your existing authentication.
- Alerts and Notifications
  - Manifest offers two types of notifications on the platform. You can get alerted when:
    - A new vulnerability that affects your existing assets is discovered, as part of our continuous monitoring.
    - A new SBOM is uploaded that immediately violates specific policies.
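The license allow-list check behind the License Usage Compliance and License Report items above can be expressed over CycloneDX component data as in this added example. It is not Manifest's own policy engine or code from this page; the component list and the allow list are constructed, and the evaluation handles only flat SPDX expressions, conservatively flagging anything it cannot evaluate.

```python
# Constructed CycloneDX component entries (not real data). Licenses appear in the
# three shapes the CycloneDX JSON schema allows: an SPDX id, a free-text name,
# and an SPDX license expression; the last component declares no license at all.
COMPONENTS = [
    {"name": "requests", "version": "2.31.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "readline-lib", "version": "8.2", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "dual-licensed-lib", "version": "1.0", "licenses": [{"expression": "GPL-2.0-only OR MIT"}]},
    {"name": "vendor-sdk", "version": "4.2", "licenses": [{"license": {"name": "Proprietary Vendor EULA"}}]},
    {"name": "mystery-lib", "version": "0.1"},
]

# Constructed allow list of SPDX identifiers the organization has approved.
ALLOWED = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}

def expression_allowed(expr, allowed):
    """Evaluate a flat SPDX expression: any OR-branch passes if every one of its
    AND-terms is allowed. Parenthesized (nested) expressions are not parsed here
    and are treated as not allowed, so they get flagged for a human to review."""
    if "(" in expr or ")" in expr:
        return False
    for branch in expr.split(" OR "):
        terms = [t.strip() for t in branch.split(" AND ")]
        if all(t in allowed for t in terms):
            return True
    return False

def license_status(component, allowed):
    """Return 'allowed', 'flagged' or 'unknown' for one component."""
    licenses = component.get("licenses")
    if not licenses:
        return "unknown"  # nothing declared: cannot be approved, needs investigation
    for entry in licenses:
        if "expression" in entry:
            ok = expression_allowed(entry["expression"], allowed)
        else:
            # Only SPDX ids are matched against the allow list; a free-text
            # license name is never auto-approved.
            ok = entry["license"].get("id") in allowed
        if not ok:
            return "flagged"
    return "allowed"

def license_report(components, allowed):
    """Group component names by license status, like a license report export."""
    report = {"allowed": [], "flagged": [], "unknown": []}
    for comp in components:
        report[license_status(comp, allowed)].append(comp["name"])
    return report
```

Running the check on a freshly uploaded SBOM and alerting when the `flagged` or `unknown` buckets are non-empty is the policy-violation notification described above, expressed as code.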
 
 
