Open Source Compliance and SBOM Generation

Audit-Ready Compliance Ships With Every Component

ActiveState delivers signed SBOMs, full provenance, and license metadata by default on every artifact your organization consumes.

Compliance data shouldn't require a scramble

Most teams spend weeks gathering dependency data, chasing license information, and assembling SBOMs before an audit. ActiveState generates that documentation automatically every time a component is built. When the auditor asks, the data is already there.

Signed SBOMs on every artifact

Every package, runtime, and container image includes a complete Software Bill of Materials generated at build time. SBOMs are cryptographically signed and include the full dependency tree, licensing data, and build provenance.

100%

Full dependency trees including transitive and OS-level packages

Cryptographic

Signatures for tamper-proof verification

Machine Readable

Compatible with SPDX and CycloneDX

100% visibility into your open source usage

ActiveState tracks every component across your catalog, including dependencies your team didn't select directly. Transitive packages, OS-level libraries, and nested dependencies are all documented and monitored.

12 ecosystems

Complete visibility across every language your org uses

Source to deployment

Track every component from original source code to production

License monitoring

Monitor license types across your full inventory, continuously

Built for the frameworks that matter

ActiveState's provenance and SBOM capabilities support the compliance requirements enterprises face most frequently.

FedRAMP

Full supply chain transparency, build provenance, and component-level traceability required for federal authorization.

SOC 2

Documented controls over software dependencies, change management, and vulnerability remediation processes.

Executive Order 14028

Meets the SBOM requirements outlined in the 2021 executive order on improving national cybersecurity.

EU Cyber Resilience Act (CRA)

Supports the due diligence and vulnerability handling requirements for products with digital elements sold in the EU market.

PCI DSS and HIPAA

License tracking and vulnerability management documentation for regulated industries handling sensitive data.

Continuous compliance, not point-in-time snapshots

Compliance isn't a one-time audit. ActiveState monitors your catalog continuously and automatically updates SBOMs when components are rebuilt or remediated. Your compliance posture stays current without manual effort.

Daily security feed

monitors every component in your catalog

Auto SBOM regeneration

when components are updated

VEX advisories

provide real-time vulnerability context

Compliance at scale across regulated industries

FAQs

What SBOM formats does ActiveState support?

SBOMs are generated in machine-readable formats compatible with SPDX and CycloneDX, the two most widely adopted standards for software supply chain documentation.

Does ActiveState track license types?

Yes. Every component includes verified license metadata. You can set license policies at the catalog level to block components with incompatible licenses before they enter your environment.

How does ActiveState work with existing compliance tooling?

ActiveState SBOMs and VEX advisories integrate with your existing GRC and compliance platforms. The data is available programmatically and can be pulled into your audit workflows automatically.

Do SBOMs cover transitive dependencies?

Yes. Every SBOM includes the full dependency tree, from direct imports through transitive and OS-level packages. Nothing is hidden.

Still have questions?

Talk to our team.

See compliance documentation that builds itself

Book a demo and we'll show you how ActiveState generates audit-ready SBOMs and provenance data across your open source inventory.