Compliance
SBOM Evidence Bundle
The signed artifact your auditor or customer accepts in lieu of portal access.
The SBOM Evidence Bundle is a signed package WASViking® builds directly from your tenant data. It is the artifact you hand to an auditor, a customer due-diligence team, or a regulator, without giving them portal access.
What is in the bundle
| Artifact | Notes |
|---|---|
| CycloneDX 1.5, per submission | Original Sentinel submissions, signed. |
| Consolidated CycloneDX | Org-wide aggregate at bundle creation time. |
| Cover PDF | Brand cover, executive summary, organization metadata. |
| Drift CSV | Component drift over the chosen window. |
| Findings CSV | Open and accepted findings tied to components. |
| Audit CSV | Audit log slice scoped to the bundle window. |
| Compliance CSV | Per-control hits for the primary catalog. |
| verification.txt | The chain of signatures and how to verify them. |
How it is shared
Token plus password, time-limited, revocable. Same model as Posture Shares.
- Operator clicks Inventory → SBOM → Generate Bundle.
- WASViking builds and signs the bundle.
- Operator gets a one-time share URL and a separate password.
- Operator delivers each piece out of band (the URL by email, the password by phone or chat, for example).
- Recipient enters the password on first access and downloads.
A bilateral audit log records every access on both sides. Operators can revoke at any time; revocation is immediate.
How verification works
verification.txt documents:
- The signing chain for every artifact in the package.
- The signature algorithm and key fingerprint.
- The bundle creation time and the window it covers.
- The hashing strategy for the consolidated CycloneDX.
A recipient can verify with:
# Pseudocode; the file contains exact commands per artifact
cosign verify-blob \
--signature bundle.sig --certificate bundle.crt \
--certificate-identity-regexp '^[email protected]' \
--certificate-oidc-issuer https://accounts.google.com \
consolidated-cyclonedx.json
The WASViking signing identity and OIDC issuer for each environment are listed in the file.
API
| Method | Path | Scope | Purpose |
|---|---|---|---|
| POST | /v1/sca/bundles | evidence.share | Issue a bundle. |
| GET | /v1/sca/bundles | sca:read | List bundles for the org. |
| POST | /v1/sca/bundles/{id}/revoke | evidence.share | Revoke a bundle. |
| GET | /v1/sca/bundles/{id}/audit | audit_logs:read | Access log. |
Example, issue a bundle:
curl -sS https://api.wasviking.com/v1/sca/bundles \
-H "Authorization: ApiKey ${KEY}" \
-H "Content-Type: application/json" \
-d '{
"window_days": 90,
"include": ["sbom", "drift", "findings", "audit", "compliance"],
"description": "Customer XYZ due diligence"
}'
Response:
{
"id": "bundle_88aa12",
"share_url": "https://posture.wasviking.com/b/88aa12d4",
"password": "9F7K-X3WT-4B2P-LMNE",
"expires_at": "2026-08-19T00:00:00Z",
"scope": ["sbom", "drift", "findings", "audit", "compliance"]
}
Both share_url and password are shown once at issuance. Store them.
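A small client for the issuance call above, added here as an example and not part of WASViking's own SDK. It validates the request against the artifact groups this page lists, and keeps share_url and password in separate fields so each can be delivered on its own channel; the `transport` parameter is a hypothetical injection point that stands in for the network call so the logic can be exercised offline.

```python
import json
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

API_URL = "https://api.wasviking.com/v1/sca/bundles"
# Artifact groups the page lists for "include", in the page's order.
DEFAULT_INCLUDE = ("sbom", "drift", "findings", "audit", "compliance")


@dataclass(frozen=True)
class BundleHandoff:
    """The two one-time secrets, held apart so they travel on separate channels."""
    bundle_id: str
    expires_at: str
    share_url: str  # e.g. sent by email
    password: str   # e.g. read out by phone or chat, never alongside the URL

    def loggable(self) -> dict:
        """View that is safe to paste into a ticket or log: password redacted."""
        return {"id": self.bundle_id, "share_url": self.share_url,
                "expires_at": self.expires_at, "password": "<redacted>"}


def build_request(api_key: str, window_days: int, include: list, description: str):
    """Construct the POST /v1/sca/bundles request, rejecting bad input up front."""
    if window_days <= 0:
        raise ValueError("window_days must be positive")
    unknown = set(include) - set(DEFAULT_INCLUDE)
    if unknown:
        raise ValueError(f"unknown include values: {sorted(unknown)}")
    body = json.dumps({"window_days": window_days, "include": list(include),
                       "description": description}).encode()
    return urllib.request.Request(
        API_URL, data=body, method="POST",
        headers={"Authorization": f"ApiKey {api_key}",
                 "Content-Type": "application/json"})


def issue_bundle(api_key: str, window_days: int = 90, include=DEFAULT_INCLUDE,
                 description: str = "",
                 transport: Optional[Callable] = None) -> BundleHandoff:
    """Issue a bundle and return the handoff. `transport` (hypothetical) is called
    with the Request and must return the raw response bytes; None means real HTTP."""
    req = build_request(api_key, window_days, list(include), description)
    send = transport or (lambda r: urllib.request.urlopen(r, timeout=30).read())
    resp = json.loads(send(req))
    missing = [k for k in ("id", "share_url", "password", "expires_at") if k not in resp]
    if missing:
        raise ValueError(f"response missing fields: {missing}")
    return BundleHandoff(resp["id"], resp["expires_at"], resp["share_url"], resp["password"])
```

Write `handoff.loggable()` to your change record and hand `share_url` and `password` to two different delivery steps; nothing in the record ever carries the password.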
When to use it
- Customer due diligence. Replace the PDF dump with a verifiable artifact your prospect can validate.
- Auditor binder. Attach the bundle to the per-control evidence in your audit binder.
- Procurement gates. Some procurement processes ask for an SBOM and proof of continuous scanning. The bundle answers both.
When NOT to use it
- For ad-hoc internal sharing inside your organization, the portal Compliance tab is faster.
- For a Slack channel notification, use webhooks; the bundle is not the right unit.
