Docs

SBOM imports

Supported manifest and SBOM formats and where to upload them.

Supported formats

Audito's importer auto-detects the file format from the filename and contents. Supported formats today:

  • package.json — npm manifest. We extract the dependencies, devDependencies, peerDependencies, and optionalDependencies blocks.
  • package-lock.json — npm lockfile (lockfileVersion 2 or 3). When a manifest and its lockfile are uploaded together, the lockfile's rows win because they carry resolved versions.
  • requirements.txt — pip requirements with version pins.
  • pyproject.toml — PEP 621 / Poetry / uv project manifests.
  • CycloneDX JSON — generic SBOM input. Useful when your build system produces SBOMs for compliance.
  • conda environment files — package names are mapped through Repology to the PyPI, Debian, or Alpine package where possible; entries that don't map to a scannable ecosystem are reported in the import warnings.

Files larger than the configured cap are rejected with a clear error message.

Where to import

There are two import surfaces. Both go through the same parser, so behavior is identical:

  • Inside an existing library — open the library detail page and click Import dependencies. The dialog parses the file, lists every entry it found, flags rows that conflict with what's already in the library, and lets you skip or overwrite those conflicts. On commit, new rows are inserted, changed rows are updated, and a single dependency.bulk_imported audit event is recorded for the whole batch.
  • As a brand-new library — /dashboard/libraries → New library → Upload. Audito creates the library with the source_kind matching the uploaded format (e.g. package_json, requirements_txt, pyproject_toml, or other for CycloneDX) and inserts every parsed dependency in one go.

Conflict handling

The import dialog highlights rows whose (ecosystem, package_name) pair already exists in the library. By default, conflicts are skipped — your existing row keeps its version_spec, resolved_version, and notes. Toggle "overwrite conflicts" if you'd rather the import update them in place.

Within a single batch, duplicate (ecosystem, package_name) rows are de-duplicated automatically. This happens whenever a manifest and its lockfile list the same package; the lockfile row is the one kept.

What happens after commit

If at least one row was inserted or updated, Audito triggers a library scan in the background (the same scan that runs on manual library creation). You don't need to refresh — the activity feed and findings inbox start updating once the scan finishes.
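The import path described in the sections above, from format detection through conflict planning and the scan trigger, as an added example written for this page. It is not Audito's code: the function names (detect_format, plan_import, import_files), the PARSERS table, the purl-type-to-ecosystem map, the 5 MiB MAX_BYTES cap and the sample uploads are all assumptions constructed here. It covers package.json, package-lock.json and CycloneDX JSON; the requirements.txt, pyproject.toml and conda parsers are left out. One refinement goes slightly beyond the text: when a manifest and its lockfile both list a package, the merged row keeps the manifest's range as version_spec and takes the lockfile's resolved_version, rather than discarding the manifest row outright.

```python
import json
from dataclasses import dataclass

MAX_BYTES = 5 * 1024 * 1024  # assumed upload cap; the real value is configured server-side

@dataclass
class Dep:
    ecosystem: str
    package_name: str
    version_spec: str
    resolved_version: str = ""  # empty when the source only gives a range
    notes: str = ""

def key(dep):  # the (ecosystem, package_name) conflict key
    return (dep.ecosystem, dep.package_name)

def detect_format(filename, content):
    # Filename wins; content is sniffed only for generic JSON such as CycloneDX.
    name = filename.rsplit("/", 1)[-1].lower()
    if name == "package-lock.json":
        return "package_lock_json"
    if name == "package.json":
        return "package_json"
    try:
        if json.loads(content).get("bomFormat") == "CycloneDX":
            return "cyclonedx_json"
    except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
        pass
    raise ValueError(f"unsupported format: {filename}")

_NPM_BLOCKS = ("dependencies", "devDependencies", "peerDependencies", "optionalDependencies")

def parse_package_json(content, warnings):
    doc = json.loads(content)
    return [Dep("npm", n, spec, notes=block) for block in _NPM_BLOCKS for n, spec in doc.get(block, {}).items()]

def parse_package_lock(content, warnings):
    doc = json.loads(content)
    if doc.get("lockfileVersion") not in (2, 3):
        raise ValueError("only lockfileVersion 2 and 3 are supported")
    rows = []
    for path, entry in doc.get("packages", {}).items():
        if path:  # "" is the root project; nested installs keep only the last node_modules segment
            ver = entry.get("version", "")
            rows.append(Dep("npm", path.rsplit("node_modules/", 1)[-1], ver, resolved_version=ver))
    return rows

_PURL_TYPE_TO_ECOSYSTEM = {"npm": "npm", "pypi": "pypi", "deb": "debian", "apk": "alpine"}

def parse_cyclonedx(content, warnings):
    rows = []
    for comp in json.loads(content).get("components", []):
        purl = comp.get("purl", "")
        ptype = purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else ""
        eco = _PURL_TYPE_TO_ECOSYSTEM.get(ptype)
        if eco is None:  # e.g. pkg:generic/...: nothing to scan against, so warn instead of importing
            warnings.append(f"{comp.get('name')}: purl type {ptype!r} is not scannable, skipped")
            continue
        name = f"{comp['group']}/{comp['name']}" if eco == "npm" and comp.get("group") else comp["name"]
        ver = comp.get("version", "")
        rows.append(Dep(eco, name, f"=={ver}" if ver else "", resolved_version=ver))
    return rows

PARSERS = {"package_json": parse_package_json, "package_lock_json": parse_package_lock,
           "cyclonedx_json": parse_cyclonedx}

def dedupe(rows):
    best = {}
    for dep in rows:
        cur = best.get(key(dep))
        if cur is None:
            best[key(dep)] = dep
        elif not cur.resolved_version and dep.resolved_version:
            # lockfile/pin row wins on resolved_version; keep the manifest's range and notes if present
            best[key(dep)] = Dep(dep.ecosystem, dep.package_name, cur.version_spec or dep.version_spec,
                                 dep.resolved_version, cur.notes or dep.notes)
    return list(best.values())

def plan_import(existing, incoming, overwrite=False):
    have = {key(d) for d in existing}
    plan = {"insert": [], "update": [], "skip": []}
    for dep in dedupe(incoming):
        bucket = "insert" if key(dep) not in have else ("update" if overwrite else "skip")
        plan[bucket].append(dep)  # "skip" leaves the existing version_spec/resolved_version/notes alone
    plan["scan_triggered"] = bool(plan["insert"] or plan["update"])
    return plan

def import_files(uploads, existing=(), overwrite=False):
    rows, warnings = [], []
    for filename, content in uploads:  # (filename, text) pairs handled as one batch
        if len(content.encode("utf-8")) > MAX_BYTES:
            raise ValueError(f"{filename}: larger than the {MAX_BYTES}-byte cap")
        rows.extend(PARSERS[detect_format(filename, content)](content, warnings))
    plan = plan_import(existing, rows, overwrite)
    plan["warnings"] = warnings
    return plan

# Constructed sample uploads, not real project files.
SAMPLE_NPM = [("package.json", '{"dependencies": {"lodash": "^4.17.0"}, "devDependencies": {"jest": "^29.0.0"}}'),
              ("package-lock.json", '{"lockfileVersion": 3, "packages": {"": {}, "node_modules/lodash": {"version": "4.17.21"}, "node_modules/jest": {"version": "29.7.0"}, "node_modules/jest/node_modules/chalk": {"version": "4.1.2"}}}')]
SAMPLE_CDX = '{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [{"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"}, {"name": "openssl", "version": "3.0.2", "purl": "pkg:generic/openssl@3.0.2"}]}'
```

Calling import_files(SAMPLE_NPM, existing=[Dep("npm", "lodash", "^4.0.0", "4.0.0")]) yields one skipped row (lodash, because it already exists and overwrite is off), two inserts (jest and the transitively installed chalk) and scan_triggered set; the same call with overwrite=True moves lodash to the update bucket carrying the manifest range and the lockfile's resolved version. Importing SAMPLE_CDX produces a single pypi row and one warning for the pkg:generic component, which is the shape the page describes for entries that don't map to a scannable ecosystem. The size check runs before any parsing so an oversized upload never reaches json.loads.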

Exports

Outbound SBOM export isn't part of the current product. Audito today is an inbound SBOM consumer; if you need to round-trip CycloneDX out to another tool, file an issue on the repo with your use case.