About

What EndoScan is.

SBOM risk intelligence — built to surface component exposure before it becomes an incident.

The problem
Software bills of materials exist. Acting on them doesn't.

Most teams already generate SBOMs as part of their build pipeline. The harder problem is knowing what to do with them — which components are end-of-life, which carry known vulnerabilities with a high severity score, and crucially, who owns the application that depends on them.

Advisories land in the wrong inbox. EOL notices get missed. Vulnerability reports cover the whole organisation but reach nobody in particular. EndoScan is the layer between your SBOM output and the people who need to act.

How it works
Upload once. Enrich continuously.

You register your applications, upload CycloneDX or SPDX inventories, and EndoScan takes it from there. Components are normalised using Package URLs (PURLs) and matched against OSV.dev for vulnerability data and endoflife.date for lifecycle status.

Enrichment data is cached per component version with configurable TTLs, so repeated scans across multiple applications reuse what is already known rather than making redundant provider calls. When a component crosses a threshold (a known vulnerability at or above the configured severity score, or a reached end-of-life date), an alert is routed to the owner of the affected application.
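The pipeline described above, as an added example in Python. This is illustration code, not EndoScan's own implementation (EndoScan is written in PHP). The two CycloneDX documents, the owner registry, the CVSS threshold of 7.0, the advisory identifiers (EX-...) and the stub provider standing in for OSV.dev and endoflife.date are all constructed for the example; the stub returns the same fields a real lookup would be reduced to, so swapping in live HTTP calls changes only `stub_provider`. PURL qualifiers are kept (sorted) in the cache key, since for distribution packages they distinguish builds; subpaths are dropped.

```python
import json
import time
from typing import Callable

# Constructed CycloneDX JSON for two applications; sample input, not real SBOMs.
# The same component is spelled differently in the two inventories on purpose.
SBOMS = {
    "billing": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "purl": "pkg:PyPI/Requests@2.25.1"},
        {"type": "library", "purl": "pkg:npm/lodash@4.17.20"},
    ]}),
    "portal": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "purl": "pkg:pypi/requests@2.25.1"},
    ]}),
}
# Hypothetical owner registry: one named owner per application.
OWNERS = {"billing": "alice@example.org", "portal": "bob@example.org"}
CVSS_THRESHOLD = 7.0  # assumed alert threshold (CVSS v3 "High" and above)


def normalise_purl(purl: str) -> str:
    """Canonicalise a Package URL so spelling variants share one cache key.
    Scheme and type are case-insensitive per the PURL spec; names are lowercased
    only for ecosystems where the spec says they are (pypi also folds '_' to '-').
    Subpath is dropped, qualifiers are kept but sorted with lowercase keys."""
    if purl[:4].lower() != "pkg:":
        raise ValueError(f"not a PURL: {purl}")
    body = purl[4:].lstrip("/").split("#", 1)[0]
    body, _, qualifiers = body.partition("?")
    path, version = body.rsplit("@", 1) if "@" in body else (body, "")
    segments = path.split("/")
    ptype, namespace, name = segments[0].lower(), segments[1:-1], segments[-1]
    if ptype == "pypi":
        name = name.lower().replace("_", "-")
    elif ptype in ("github", "bitbucket"):
        namespace = [s.lower() for s in namespace]
        name = name.lower()
    out = "pkg:" + "/".join([ptype, *namespace, name])
    if version:
        out += "@" + version
    if qualifiers:
        pairs = sorted((q.partition("=")[0].lower(), q.partition("=")[2])
                       for q in qualifiers.split("&") if q)
        out += "?" + "&".join(f"{k}={v}" for k, v in pairs)
    return out


class EnrichmentCache:
    """Per component-version cache with a TTL; an injectable clock makes expiry testable."""

    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self.entries: dict[str, tuple[float, dict]] = {}
        self.provider_calls = 0  # how often we actually went to a provider

    def get_or_fetch(self, key: str, fetch: Callable[[str], dict]) -> dict:
        now = self.clock()
        cached = self.entries.get(key)
        if cached is not None and cached[0] > now:
            return cached[1]                  # fresh hit: no provider call
        value = fetch(key)                    # miss or expired entry
        self.provider_calls += 1
        self.entries[key] = (now + self.ttl, value)
        return value


def stub_provider(key: str) -> dict:
    """Constructed stand-in for the OSV.dev and endoflife.date lookups, reduced to
    the fields the pipeline uses. Advisory ids, scores and EOL flags are hypothetical."""
    known = {
        "pkg:pypi/requests@2.25.1": {"vulns": [{"id": "EX-2021-0001", "cvss": 9.8}], "eol": False},
        "pkg:npm/lodash@4.17.20": {"vulns": [{"id": "EX-2020-0002", "cvss": 5.3}], "eol": True},
    }
    return known.get(key, {"vulns": [], "eol": False})


def scan_application(app: str, sbom_json: str, cache: EnrichmentCache,
                     provider: Callable[[str], dict]) -> list[dict]:
    """Parse one CycloneDX SBOM, enrich every component through the cache and return
    the alerts that cross a threshold, each addressed to the application's owner."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled in this example")
    owner = OWNERS[app]
    alerts = []
    for component in bom.get("components", []):
        purl = component.get("purl")
        if not purl:
            continue  # no PURL means no reliable match; skip rather than guess
        key = normalise_purl(purl)
        info = cache.get_or_fetch(key, provider)
        for vuln in info["vulns"]:
            if vuln["cvss"] >= CVSS_THRESHOLD:
                alerts.append({"to": owner, "app": app, "component": key,
                               "reason": f"{vuln['id']} CVSS {vuln['cvss']}"})
        if info["eol"]:
            alerts.append({"to": owner, "app": app, "component": key, "reason": "end-of-life"})
    return alerts


def demo() -> tuple[list[dict], int]:
    """Scan both constructed SBOMs with one shared cache; returns (alerts, provider calls)."""
    cache = EnrichmentCache(ttl_seconds=3600)
    alerts = []
    for app, sbom in SBOMS.items():
        alerts.extend(scan_application(app, sbom, cache, stub_provider))
    return alerts, cache.provider_calls


if __name__ == "__main__":
    found, calls = demo()
    for a in found:
        print(f"{a['to']}: {a['app']} uses {a['component']} ({a['reason']})")
    print(f"provider calls: {calls}")
```

Running `demo()` yields three alerts from two provider calls: `requests` is fetched once and reused for the second application despite the different spelling, and `lodash` raises an end-of-life alert even though its only advisory sits below the severity threshold. The cache key is the normalised PURL rather than the raw string, which is what makes the cross-application reuse work; the injectable clock is there so that TTL expiry can be tested without sleeping.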

Design principles
Ownership-aware. Lock-in free. Incrementally adoptable.
  • Ownership at the core — every application has a named owner. Alerts go to that person, not a shared queue.
  • No third-party lock-in — inventories come in as standard CycloneDX or SPDX, components are identified by Package URLs, and enrichment data comes from open, public sources (OSV.dev and endoflife.date).
  • Incremental adoption — start with a single application and a single SBOM upload. The schema and pipeline are designed to grow with your usage.
  • Minimal trust surface — no external identity providers, no tracking, no analytics. Authentication is handled entirely within the application, using WebAuthn passkeys and TOTP.
Technology
What it's built on
  • PHP 8.3 with strict types and PSR-4 autoloading — no framework
  • MariaDB with versioned migrations and a schema designed for cache-first enrichment
  • Background worker for async scan processing and file retention
  • PHPUnit 11 integration test suite with GitHub Actions CI
  • WebAuthn passkeys and TOTP two-factor authentication
Who built this
SilverDay Media

EndoScan is built and operated by SilverDay Media, a small software studio based in Germany. It runs as a private service for internal application portfolio management.

Questions or feedback: klingner@silverday.de