Forenzy Manifest
Know exactly what is inside your software before it ships
Forenzy Manifest is a software composition analysis (SCA) and SBOM tool that inventories every open-source component in your code — direct and transitive — generates an accurate Software Bill of Materials in CycloneDX or SPDX format, and maps each component against known vulnerabilities and license risks.
Manifest inventories dependencies and generates CycloneDX or SPDX SBOMs; prioritized results feed Forenzy Prism ASPM so security and engineering share one backlog.

Your stack
How SCA and SBOM fit your supply-chain program
- SCA finds vulnerabilities and license risk; an SBOM is the auditable inventory — Manifest delivers both.
- Complements SAST, which analyzes the code you write, by covering the open-source direct and transitive dependencies you pull in.
- Supports customer and regulator SBOM requests (EU Cyber Resilience Act, EO 14028-style supply-chain due diligence).
- CI/CD gates in GitHub Actions, GitLab and Jenkins block risky merges before production.
- Findings integrate with Forenzy Prism for cross-tool prioritization alongside DAST and SAST.
The problem
You ship more code you didn't write than code you did.
Modern applications are mostly open-source. Any one library — or one of its dependencies — can carry a known CVE or a license that creates legal exposure, and the riskiest ones are usually buried deep in the transitive tree where most teams never look.
Dependency & SBOM inventory view

Capabilities
Full dependency visibility from commit to production
Every direct and transitive dependency, license and known flaw — mapped before it ships.
Dependency scanning
Inventory every open-source component across your repos, including deep transitive dependencies.
SBOM generation
Produce accurate CycloneDX and SPDX bills of materials on demand, ready for customers and auditors.
Known-vuln detection
Match components against CVE/NVD data, enriched with EPSS and CISA KEV exploit signals.
License compliance
Flag copyleft licenses (GPL, AGPL) and any license your policy does not permit before they turn into legal exposure.
Reachability & fix paths
Prioritize flaws actually reachable in your code, with the exact upgrade that fixes them.
CI/CD gates
Fail builds or block merges on policy violations across GitHub Actions, GitLab and Jenkins.
Auto-fix pull requests
Open PRs that bump vulnerable dependencies and run your tests automatically.
Supply-chain alerts
Get notified the moment a new flaw lands in a component you already ship.

Why Forenzy
Built for software supply chain compliance.
Generate CycloneDX and SPDX SBOMs on every build, flag license and CVE risk in CI, and feed prioritized results into Forenzy Prism ASPM.
Integrations
Connects to the tools you already run
Package ecosystems
npm, Maven, Gradle, pip, Composer, Go modules, NuGet, RubyGems
CI/CD
GitHub Actions, GitLab CI, Jenkins, Azure Pipelines, CircleCI
Output formats
CycloneDX and SPDX for SBOMs; SARIF for findings consumed by downstream tools
Ticketing & ASPM
Jira, GitHub Issues, ServiceNow, Forenzy Prism
Use cases
Where teams deploy it first
Pre-release SBOM generation
Ship CycloneDX and SPDX bills of materials with every release for customers and regulators.
Log4Shell-style response
Instantly query every service running a vulnerable component instead of manual repo searches.
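The query described above, written out as an added example (not Forenzy Manifest's own code; the page does not describe its query interface): walk a set of CycloneDX SBOMs, match components by Package URL prefix and version range, and return the dependency path that pulls the vulnerable component in. The three service SBOMs are constructed inline; the affected range used in the usage call is the published one for Log4Shell (CVE-2021-44228, log4j-core 2.0-beta9 through 2.14.1). The version comparator is a simplified Maven-style ordering (numeric parts compared as integers, pre-release words sorted below numbers); full Maven qualifier rules are not modelled.

```python
"""Find every service whose CycloneDX SBOM carries a vulnerable component version.

Added example, not Forenzy code. The SBOM documents are constructed; the
dependency graph follows the CycloneDX "dependencies" array (ref -> dependsOn).
"""
import json
import re
from collections import deque

# Constructed CycloneDX 1.4-style SBOMs for three hypothetical services.
# Only payments-api pulls in a log4j-core version inside the affected range,
# and it does so transitively through a starter dependency.
SBOMS = {
    "payments-api": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"bom-ref": "app", "name": "payments-api", "version": "3.2.0"}},
        "components": [
            {"bom-ref": "starter", "name": "spring-boot-starter-log4j2", "version": "2.5.6",
             "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-log4j2@2.5.6?type=jar"},
            {"bom-ref": "log4j", "name": "log4j-core", "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
        ],
        "dependencies": [
            {"ref": "app", "dependsOn": ["starter"]},
            {"ref": "starter", "dependsOn": ["log4j"]},
        ],
    }),
    "reporting": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"bom-ref": "app", "name": "reporting", "version": "1.8.0"}},
        "components": [
            {"bom-ref": "log4j", "name": "log4j-core", "version": "2.17.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1?type=jar"},
        ],
        "dependencies": [{"ref": "app", "dependsOn": ["log4j"]}],
    }),
    "web-frontend": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"bom-ref": "app", "name": "web-frontend", "version": "5.0.1"}},
        "components": [
            {"bom-ref": "lodash", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        ],
        "dependencies": [{"ref": "app", "dependsOn": ["lodash"]}],
    }),
}


def _version_key(version):
    """Tokenize '2.0-beta9' into [(1,2),(1,0),(0,'beta'),(1,9)]: numbers rank above words."""
    return [(1, int(t)) if t.isdigit() else (0, t.lower())
            for t in re.findall(r"\d+|[A-Za-z]+", version)]


def version_in_range(version, lo, hi):
    """Inclusive range check. Simplified Maven-style ordering (assumption): missing
    trailing parts count as 0, so 2.14 < 2.14.1 and 2.0-beta9 < 2.0."""
    keys = [_version_key(v) for v in (version, lo, hi)]
    width = max(len(k) for k in keys)
    kv, klo, khi = [k + [(1, 0)] * (width - len(k)) for k in keys]
    return klo <= kv <= khi


def dependency_path(sbom, target_ref):
    """BFS from the root component over the CycloneDX dependency graph.
    Returns the list of bom-refs root..target, or None if the component is
    listed but not wired into the graph."""
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    parent = {root: None}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        if ref == target_ref:
            path = []
            while ref is not None:
                path.append(ref)
                ref = parent[ref]
            return path[::-1]
        for child in graph.get(ref, []):
            if child not in parent:
                parent[child] = ref
                queue.append(child)
    return None


def find_affected(sboms, purl_prefix, lo, hi):
    """Return {service: {"version": ..., "path": [...]}} for every service whose
    SBOM contains a component whose purl starts with purl_prefix and whose
    version lies in [lo, hi]. Qualifiers (?type=jar) and subpaths (#...) are
    stripped from the purl before the version is read."""
    hits = {}
    for service, doc in sboms.items():
        sbom = json.loads(doc)
        for comp in sbom.get("components", []):
            purl = comp.get("purl", "")
            if not purl.startswith(purl_prefix + "@"):
                continue
            version = purl.split("@", 1)[1].split("?", 1)[0].split("#", 1)[0]
            if version_in_range(version, lo, hi):
                hits[service] = {"version": version,
                                 "path": dependency_path(sbom, comp["bom-ref"])}
    return hits


if __name__ == "__main__":
    affected = find_affected(SBOMS, "pkg:maven/org.apache.logging.log4j/log4j-core",
                             "2.0-beta9", "2.14.1")
    for service, info in affected.items():
        print(f"{service}: log4j-core {info['version']} via {' -> '.join(info['path'])}")
```

The path is the part that saves time in an incident: it tells the owning team that the fix is bumping the starter, not adding a direct pin of log4j-core that the starter might still override. Matching on purl rather than on component name avoids false hits on similarly named packages in other ecosystems.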
License risk gates
Fail CI when copyleft or incompatible licenses enter the dependency tree.
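A license gate of the kind described above, as an added example rather than Forenzy Manifest's own gate (the page does not describe its CLI or policy syntax): read a CycloneDX SBOM, evaluate each component's license against an allow-list, and exit non-zero so the CI job fails. The SBOM, the allow-list and the package names other than requests are constructed. It assumes flat SPDX expressions without parentheses and upper-case operators, and it fails closed on components with no license data, which is the case that most often slips through.

```python
"""CI license gate over a CycloneDX SBOM.

Added example, not Forenzy code. Evaluates SPDX license expressions against an
allow-list: "A OR B" passes if either side is allowed, "A AND B" needs both.
"""
import json
import sys

# Constructed policy: SPDX identifiers permitted in shipped code. Anything not
# listed (and any component with no license data at all) fails the build.
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

# Constructed CycloneDX SBOM. Both license encodings the format allows appear:
# {"license": {"id": ...}} for a single identifier and {"expression": ...} for
# an SPDX expression. The last component deliberately declares nothing.
SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "dual-licensed-lib", "version": "1.0.0", "purl": "pkg:pypi/dual-licensed-lib@1.0.0",
         "licenses": [{"expression": "GPL-2.0-only OR MIT"}]},
        {"name": "copyleft-lib", "version": "4.2.0", "purl": "pkg:pypi/copyleft-lib@4.2.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"name": "no-license-info", "version": "0.1", "purl": "pkg:pypi/no-license-info@0.1"},
    ],
})


def license_expressions(component):
    """Collect every license expression declared on a CycloneDX component."""
    exprs = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            exprs.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            exprs.append(lic.get("id") or lic.get("name", ""))
    return exprs


def expression_allowed(expr, allowed):
    """Flat SPDX expression check (no parentheses; assumption). Each OR
    alternative is a conjunction of identifiers; one fully allowed alternative
    is enough. An 'X WITH exception' term must be listed verbatim in allowed."""
    expr = expr.strip()
    if not expr:
        return False
    for alternative in expr.split(" OR "):
        parts = [p.strip() for p in alternative.split(" AND ")]
        if all(p in allowed for p in parts):
            return True
    return False


def evaluate_sbom(sbom_json, allowed):
    """Return a list of (name, version, reason) violations. A component with
    several license entries must satisfy every one of them (conservative)."""
    violations = []
    for comp in json.loads(sbom_json).get("components", []):
        name, version = comp.get("name", "?"), comp.get("version", "?")
        exprs = license_expressions(comp)
        if not exprs:
            violations.append((name, version, "no license declared"))
            continue
        for expr in exprs:
            if not expression_allowed(expr, allowed):
                violations.append((name, version, f"license not permitted: {expr}"))
    return violations


def main():
    """Print each violation and return the process exit status for CI."""
    violations = evaluate_sbom(SBOM, ALLOWED)
    for name, version, reason in violations:
        print(f"FAIL {name}@{version}: {reason}")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as a CI step after the SBOM is produced; the non-zero exit status is what blocks the merge. The dual-licensed component passes because MIT is one of its alternatives, while the AGPL component and the component with no license metadata both fail.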
Proof in practice
Customer outcomes
Financial services
Fintech team answered customer SBOM requests in hours
Challenge: Enterprise buyers required SBOMs; manual spreadsheets could not keep up with weekly releases.
Outcome: Automated SBOM on every build plus reachability-ranked CVE reports for security review.

When the next widespread open-source CVE breaks, teams with Manifest confirm exposure across services in minutes — not days of manual repo searches.
FAQ
Common questions
What is the difference between SCA and SBOM?
SCA is the analysis: finding vulnerabilities and license risks in your dependencies. An SBOM is the output inventory: a complete list of every component in your software. Manifest does both.
Does Forenzy Manifest catch transitive dependencies?
Yes — Manifest maps the full dependency tree, not just packages you import directly, which is where most real supply-chain risk hides.
What SBOM formats does Forenzy Manifest support?
Manifest generates CycloneDX and SPDX Software Bills of Materials on demand — formats auditors and enterprise customers commonly require.
What is the difference between SCA and SAST?
SAST analyzes your proprietary source code for security flaws. SCA inventories open-source and third-party components for known CVEs and license risk. Manifest focuses on SCA and SBOM generation; both complement SAST in a full AppSec program.
Can Manifest generate SBOMs for customer and audit requests?
Yes. Manifest produces CycloneDX and SPDX SBOMs on demand for releases, enterprise procurement questionnaires, and supply-chain compliance programs such as EU Cyber Resilience Act-style due diligence.