Check an SBOM — see what is safe to ship
You upload a CycloneDX or SPDX file. You see which components are blocked, which need a second look, and which are fine. The SBOM is sent to Shoulder for checking — your source code stays on your machine.
What happens when you upload
The SBOM you choose is uploaded to Shoulder so we can check each dependency against our intelligence. That's package names, versions, and hashes — your source code never leaves your machine.
Want this to run on every commit? Install the Shoulder CLI and run `shoulder trust` locally. The CLI still queries Shoulder per-dependency for the same intelligence, but it never uploads the SBOM or your source.
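As an added illustration (not Shoulder's own code; the request format the service uses is not shown on this page), a short Python script that pulls out only the fields the section above says are sent, package name, version and hashes, from a CycloneDX or SPDX JSON file, so you can review the payload yourself before uploading. The two sample SBOMs are constructed inline and contain no real components.

```python
import json

# Constructed sample SBOMs in the two formats the page accepts (not real packages).
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.2.3",
         "purl": "pkg:npm/example-lib@1.2.3",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"type": "library", "name": "other-lib", "version": "0.9.0"},  # no hashes
    ],
})

SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "example-lib", "versionInfo": "1.2.3",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "ab" * 32}]},
    ],
})


def extract_upload_fields(sbom_text: str) -> list[dict]:
    """Return name, version and hashes per component from a CycloneDX or SPDX
    JSON document. Every other field in the file is deliberately dropped, so
    the result is the whole of what such a check needs to see."""
    doc = json.loads(sbom_text)
    out = []
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            out.append({
                "name": c.get("name"),
                "version": c.get("version"),
                "hashes": {h["alg"]: h["content"] for h in c.get("hashes", [])},
            })
    elif "spdxVersion" in doc:
        for p in doc.get("packages", []):
            out.append({
                "name": p.get("name"),
                "version": p.get("versionInfo"),
                "hashes": {h["algorithm"]: h["checksumValue"]
                           for h in p.get("checksums", [])},
            })
    else:
        raise ValueError("not a CycloneDX or SPDX JSON document")
    return out
```

Components without hashes come back with an empty `hashes` map, which is worth flagging locally since a name/version pair alone cannot be matched against a pinned artefact.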