Platform

Everything you need to act on your SBOMs.

EndoScan turns static inventory files into a live risk surface — enriched, versioned, alerted, and owned.

Upload and enrich
From file to risk surface in seconds.

Upload a CycloneDX or SPDX JSON file and EndoScan handles the rest. Format is detected automatically. Components are normalized by Package URL, deduplicated by SHA-256, and sent to the background enrichment pipeline.

  • Vulnerability lookup via OSV.dev — covers npm, PyPI, Maven, Go, Cargo, and hundreds more ecosystems.
  • Lifecycle status via endoflife.date — release cycles, support windows, EOL dates.
  • Real-time progress tracking — watch enrichment advance step by step after upload.
  • Notification when the scan completes or fails, delivered straight to your inbox.

Version and compare
Every upload is a version. Every version is comparable.

New uploads automatically archive the previous version. Assign version labels or let EndoScan generate them. Restore any archived version as current with a single click.

  • Side-by-side diff between any two versions — added, removed, changed, and unchanged components.
  • Full inventory per version with aggregated vulnerability counts and lifecycle badges.
  • On-demand vulnerability detail for any component, with severity breakdown.
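The upload pipeline above (format detection, PURL normalization, SHA-256 deduplication, OSV.dev lookup) and the side-by-side version diff, as one added example in Python. This is not EndoScan's code. The two sample SBOMs are constructed; the SPDX externalRefs are trimmed to the fields the parser reads; and the dedup rule (declared SHA-256 when the SBOM carries one, otherwise the SHA-256 of the canonical PURL) and the pkg:generic fallback for components without a PURL are assumptions about how the product behaves, not documented behaviour.

```python
import hashlib
import json
from typing import Dict, List

# Constructed sample SBOMs, not real EndoScan data. Version 1 (CycloneDX) carries a
# deliberate duplicate of lodash whose hash and PURL type differ only in case.
CYCLONEDX_V1 = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"name": "lodash", "version": "4.17.20", "purl": "pkg:NPM/lodash@4.17.20",
     "hashes": [{"alg": "SHA-256", "content": "aa" * 32}]},
    {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20",
     "hashes": [{"alg": "SHA-256", "content": "AA" * 32}]},
    {"name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
]})
# Version 2 (SPDX 2.3, externalRefs trimmed): lodash bumped, requests dropped, express added.
SPDX_V2 = json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "packages": [
    {"name": "lodash", "versionInfo": "4.17.21",
     "externalRefs": [{"referenceType": "purl", "referenceLocator": "pkg:npm/lodash@4.17.21"}],
     "checksums": [{"algorithm": "SHA256", "checksumValue": "bb" * 32}]},
    {"name": "express", "versionInfo": "4.18.2",
     "externalRefs": [{"referenceType": "purl", "referenceLocator": "pkg:npm/express@4.18.2"}]},
]})


def detect_format(doc: dict) -> str:
    """Detect the SBOM format from the document's own top-level markers."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    raise ValueError("unrecognised SBOM format")


def canonical_purl(purl: str) -> str:
    """Lowercase the PURL type (case-insensitive per the spec); name and version stay verbatim."""
    purl = purl.strip()
    if not purl.lower().startswith("pkg:"):
        raise ValueError(f"not a PURL: {purl}")
    ptype, sep, tail = purl[4:].lstrip("/").partition("/")
    return f"pkg:{ptype.lower()}{sep}{tail}"


def _cyclonedx_rows(doc: dict):
    for c in doc.get("components", []):
        sha = next((h["content"] for h in c.get("hashes", []) if h.get("alg") == "SHA-256"), None)
        yield c.get("purl"), c.get("name"), c.get("version"), sha


def _spdx_rows(doc: dict):
    for p in doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        sha = next((c["checksumValue"] for c in p.get("checksums", [])
                    if c.get("algorithm") == "SHA256"), None)
        yield purl, p.get("name"), p.get("versionInfo"), sha


def normalize(raw_json: str) -> List[Dict[str, str]]:
    """Detect format, canonicalize PURLs, dedupe on SHA-256 and return a sorted inventory."""
    doc = json.loads(raw_json)
    rows = _cyclonedx_rows(doc) if detect_format(doc) == "cyclonedx" else _spdx_rows(doc)
    seen: Dict[str, Dict[str, str]] = {}
    for purl, name, version, sha in rows:
        # Assumption: components without a PURL get a pkg:generic fallback identity.
        purl = canonical_purl(purl) if purl else f"pkg:generic/{name}@{version}"
        # Assumption: dedup key is the declared SHA-256 (lowercased hex) when present,
        # otherwise the SHA-256 of the canonical PURL so hash-less components still collapse.
        key = sha.lower() if sha else hashlib.sha256(purl.encode()).hexdigest()
        seen.setdefault(key, {"purl": purl, "name": name, "version": version, "sha256": key})
    return sorted(seen.values(), key=lambda c: c["purl"])


def package_identity(purl: str) -> str:
    """PURL with version, qualifiers and subpath stripped, e.g. pkg:npm/lodash."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    head, sep, _version = base.rpartition("@")
    return head if sep else base


def diff_versions(old: List[Dict[str, str]], new: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Side-by-side diff keyed on package identity: added, removed, changed (new version), unchanged."""
    old_by = {package_identity(c["purl"]): c for c in old}
    new_by = {package_identity(c["purl"]): c for c in new}
    result: Dict[str, List[str]] = {"added": [], "removed": [], "changed": [], "unchanged": []}
    for ident in sorted(old_by.keys() | new_by.keys()):
        o, n = old_by.get(ident), new_by.get(ident)
        if o is None:
            result["added"].append(n["purl"])
        elif n is None:
            result["removed"].append(o["purl"])
        elif o["purl"] != n["purl"]:
            result["changed"].append(f"{o['purl']} -> {n['purl']}")
        else:
            result["unchanged"].append(o["purl"])
    return result


def osv_batch_payload(components: List[Dict[str, str]]) -> dict:
    """Request body for OSV.dev's POST /v1/querybatch, one PURL query per component (nothing is sent here)."""
    return {"queries": [{"package": {"purl": c["purl"]}} for c in components]}


if __name__ == "__main__":
    old, new = normalize(CYCLONEDX_V1), normalize(SPDX_V2)
    print(json.dumps(diff_versions(old, new), indent=2))
    print(json.dumps(osv_batch_payload(new)))
```

Running the module diffs the constructed version 1 against version 2: lodash shows as changed, requests as removed, express as added, and the duplicated lodash entry collapses to one component because both declared hashes normalize to the same SHA-256. The OSV.dev body is built but never posted, so the script runs offline.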

Download and share
Export SBOMs. Share them without granting access.

Download any version as CycloneDX 1.5 or SPDX 2.3 JSON — generated on the fly from stored component data, including PURL, vendor, supplier, and hash metadata.

  • One-time share links — generate a tokenized URL that lets anyone download the current SBOM without an account.
  • Configurable per link: format, expiry date, maximum downloads, and optional password.
  • Full audit trail — every download is logged with IP, user agent, and timestamp.
  • Revoke any share link instantly.
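The share-link controls listed above (tokenized URL, expiry, download cap, optional password, revocation and a per-download audit record), as an added Python example. This is not EndoScan's code: the URL shape, the in-memory store, the audit record fields and the choice to log refused attempts as well as successful downloads are assumptions. The design point worth copying is that only a SHA-256 of the token is stored, so a leaked table does not yield working links, and password checks use a salted PBKDF2 hash with a constant-time comparison.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


def _hash_token(token: str) -> str:
    # Only the hash is persisted; the raw token exists solely in the URL handed out.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class ShareLink:
    token_hash: str
    fmt: str                      # "cyclonedx" or "spdx"
    expires_at: datetime
    max_downloads: int
    downloads: int = 0
    revoked: bool = False
    pw_salt: Optional[bytes] = None
    pw_hash: Optional[bytes] = None


class ShareLinkStore:
    """In-memory stand-in for a share-link table; `now` is injectable so expiry is testable."""

    def __init__(self, now: Optional[Callable[[], datetime]] = None) -> None:
        self.links: Dict[str, ShareLink] = {}
        self.audit: List[dict] = []
        self._now = now or (lambda: datetime.now(timezone.utc))

    def create(self, fmt: str, ttl: timedelta, max_downloads: int,
               password: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)            # 256 bits of entropy
        link = ShareLink(_hash_token(token), fmt, self._now() + ttl, max_downloads)
        if password:
            link.pw_salt = secrets.token_bytes(16)
            link.pw_hash = _hash_password(password, link.pw_salt)
        self.links[link.token_hash] = link
        # Assumption: hypothetical URL shape, not EndoScan's real route.
        return f"https://endoscan.example/share/{token}"

    def revoke(self, token: str) -> bool:
        link = self.links.get(_hash_token(token))
        if link is None:
            return False
        link.revoked = True
        return True

    def download(self, token: str, ip: str, user_agent: str,
                 password: Optional[str] = None) -> Optional[str]:
        """Return the export name on success, None on refusal; every attempt is audited."""
        link = self.links.get(_hash_token(token))
        if link is None:
            outcome = "unknown_token"
        elif link.revoked:
            outcome = "revoked"
        elif self._now() >= link.expires_at:
            outcome = "expired"
        elif link.downloads >= link.max_downloads:
            outcome = "download_limit"
        elif link.pw_hash is not None and not (
            password is not None
            and hmac.compare_digest(_hash_password(password, link.pw_salt), link.pw_hash)
        ):
            outcome = "bad_password"
        else:
            outcome = "ok"
        self.audit.append({"ts": self._now().isoformat(), "ip": ip, "user_agent": user_agent,
                           "token_hash": link.token_hash if link else None, "outcome": outcome})
        if outcome != "ok":
            return None
        link.downloads += 1
        return f"sbom.{link.fmt}.json"    # stand-in for the on-the-fly export
```

Refused attempts are recorded with the same fields as successful downloads, so a burst of `bad_password` or `unknown_token` outcomes against one link is visible to whoever reads the audit trail; the per-route rate limiting mentioned further down the page is the natural control to pair with it.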

Alert and notify
Route findings to the person who owns the application.

Configure alert rules per application. When a scan crosses a threshold, the owner gets notified — not a shared queue.

  • EOL alerts with configurable lead time (30, 60, or 90 days before end of life).
  • New CVE alerts with severity filters — critical, high, medium, or low.
  • Delivery via in-app notification centre and email.
  • Enable, disable, or delete alert rules at any time.

Own and control
Every application has a named owner. Every action has a trail.

Applications are private by default. Access is governed by ownership, not organisation-wide permissions. Admins get a full audit log of user and application changes.

  • Application metadata for in-house and third-party systems — provider, contact, owner, developer.
  • Role-based administration: user, admin, super admin.
  • Audit log captures every admin action with actor, target, outcome, and detail.

Secure by default
No SaaS dependency. No tracking. No external identity provider.

  • Passkey authentication (WebAuthn) for passwordless sign-in on supported devices.
  • TOTP two-factor with backup codes via any authenticator app.
  • Argon2id password hashing, CSRF protection, and per-route rate limiting.
  • No third-party analytics, tracking, or external identity providers. Enrichment data comes from open, public sources.