# Best Software Bill of Materials (SBOM) Software - Page 2

*By [Adam Crivello](https://research.g2.com/insights/author/adam-crivello)*


Software bill of materials (SBOM) solutions generate, ingest, manage, and monitor a machine-readable inventory of the components within software supply chains. The components covered include libraries, packages, modules, associated licenses, and more. Companies and developers use SBOM software to deliver and annotate comprehensive SBOMs for their software’s third party and open source components .

These solutions allow users to comply with government mandates that require the provision of a minimum SBOM. Maintaining and monitoring SBOMs also helps companies perform continuous risk assessments, though vulnerability remediation is not the primary focus of such tools. [software composition analysis (SCA) tools](https://www.g2.com/categories/software-composition-analysis) scan software supply chains’ components and dependencies at the code level to identify and remediate security vulnerabilities, whereas SBOM software automates the standardized presentation of those elements for transparency, observability, and compliance.

To qualify for inclusion in the Software Bill of Materials (SBOM) category, a product must:

- Automatically ingest and generate SBOMs in standard formats like CycloneDX and SPDX
- Continuously monitor and update SBOMs based on component versions, associated licenses, dependencies, and more
- Alert users of non-compliant elements in their software supply chain
- Allow users to annotate SBOMs
- Facilitate compliance with government regulations







## How Many Software Bill of Materials (SBOM) Software Products Does G2 Track?
**Total Products under this Category:** 33

### Category Stats (Jul 2026)
- **Average Rating**: 4.48/5 (↓0.03 vs Jun 2026) The average rating of products in this category, based on all submitted ratings
- **Top Trending Product**: Arnica (+0.87%) - Among all products in this category, Arnica recorded the largest rating increase compared to last month
*Last updated: July 10, 2026*


## How Does G2 Rank Software Bill of Materials (SBOM) Software Products?

**Why You Can Trust G2's Software Rankings:**

- 30 Analysts and Data Experts
- 900+ Authentic Reviews
- 33+ Products
- Unbiased Rankings

G2's software rankings are built on verified user reviews, rigorous moderation, and a consistent research methodology maintained by a team of analysts and data experts. Each product is measured using the same transparent criteria, with no paid placement or vendor influence. While reviews reflect real user experiences, which can be subjective, they offer valuable insight into how software performs in the hands of professionals. Together, these inputs power the G2 Score, a standardized way to compare tools within every category.


## Which Software Bill of Materials (SBOM) Software Is Best for Your Use Case?

- **Easiest to Use:** [OX Security](https://www.g2.com/products/ox-security/reviews)
- **Best Free Software:** [OX Security](https://www.g2.com/products/ox-security/reviews)


---

**Sponsored**

### JFrog

JFrog Ltd. (Nasdaq: FROG), the creators of the unified DevOps, DevSecOps, DevGovOps and MLOps platform, is on a mission to create a world of software delivered without friction from development to production. Driven by a “Liquid Software” vision to keep software continuously flowing, secure, and always up to date, the JFrog Platform serves as the definitive software supply chain system of record. It is uniquely engineered to power organizations as they build, manage, and distribute trusted software with unprecedented speed, security, and scale across hybrid and multi-cloud environments. As software engineering evolves in the AI era, JFrog’s newest offerings address the industry&#39;s most pressing trend: the rise of agentic software development and the hidden security risks of &quot;Shadow AI.&quot; In response to threat actors increasingly targeting developer workflows including a massive surge in malicious open-source AI models and infected packages; JFrog has expanded its platform capabilities to deliver absolute end-to-end visibility and automated compliance. Key new innovations include the JFrog AI Catalog, which enables organizations to centralize, govern, and control the lifecycle of AI models approved for enterprise use. To secure autonomous coding environments, JFrog introduced the Universal MCP Registry and the Agent Skills Registry (developed alongside NVIDIA). These new solutions establish the industry’s first enterprise-grade trust layer to safely manage and store AI agent skills, monitor connections, and instantly block unsafe developer tools or malicious coding extensions right where developers work. Furthermore, the integration of advanced DevGovOps and Runtime Security tools allows teams to replace slow, manual compliance audits with continuous, background policy enforcement. By shifting security left directly into the binary pipeline, JFrog ensures that the volume of AI-assisted code does not outpace an organization&#39;s ability to verify its safety. Today, millions of users and approximately 6,600 organizations worldwide, including a majority of the Fortune 100, depend on the universal JFrog Platform to eliminate point-solution fatigue, bridge the governance gap, and securely embrace digital transformation. Learn more at www.jfrog.com or follow us on X @JFrog.



[Visit website](https://www.g2.com/external_clickthroughs/record?secure%5Bad_program%5D=ppc&amp;secure%5Bad_slot%5D=category_product_list&amp;secure%5Bcategory_id%5D=1008169&amp;secure%5Bchosen_at%5D=2026-07-10T20%3A51%3A45Z&amp;secure%5Bdisplayable_resource_id%5D=1008169&amp;secure%5Bdisplayable_resource_type%5D=Category&amp;secure%5Bmedium%5D=sponsored&amp;secure%5Bplacement_reason%5D=page_category&amp;secure%5Bplacement_resource_ids%5D%5B%5D=1008169&amp;secure%5Bprioritized%5D=false&amp;secure%5Bproduct_id%5D=143017&amp;secure%5Bresource_id%5D=1008169&amp;secure%5Bresource_type%5D=Category&amp;secure%5Bsource_type%5D=category_page&amp;secure%5Bsource_url%5D=https%3A%2F%2Fwww.g2.com%2Fcategories%2Fsoftware-bill-of-materials-sbom&amp;secure%5Btoken%5D=7a02a685a19cb96e13ab196c18520e9194d7909956bcdb722a6614543cdf28bb&amp;secure%5Burl%5D=https%3A%2F%2Fjfrog.com%2Fartifactory%2F%3Futm_source%3Dg2%26utm_medium%3Dcpc_social%26utm_campaign%3Dbrand_awareness_banner_ad%26utm_content%3Du-bin&amp;secure%5Burl_type%5D=custom_url)

---

## What Are the Top-Rated Software Bill of Materials (SBOM) Software Products in 2026?
### 1. [MergeBase](https://www.g2.com/products/mergebase/reviews)
MergeBase is revolutionizing software supply chain protection with a full-featured, developer-oriented SCA solution that brings the lowest false positives in the industry and complete DevOps coverage from coding/building to deployment and run-time. MergeBase’s SCA tool analyzes the open-source/third-party libraries for vulnerabilities. Our mission is to protect the software supply chain. We provide a full-featured, developer-oriented solution that has the industry’s lowest false positive rates and complete coverage of the DevOps process.


**Average Rating:** 4.5/5.0
**Total Reviews:** 20

**Who Is the Company Behind MergeBase?**

- **Seller:** [MergeBase Software](https://www.g2.com/sellers/mergebase-software)
- **Year Founded:** 2018
- **HQ Location:** Coquitlam, British Columbia
- **Twitter:** @mergebasesecure (86 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/mergebase/ (1 employees on LinkedIn®)

**Who Uses This Product?**
- **Top Industries:** Computer Software
- **Company Size:** 40% Small-Business, 35% Mid-Market



#### What Are Recent G2 Reviews of MergeBase?

**"[Revolutionizing Software Supply Chain Protection with MergeBase&#39;s SCA Platform](https://www.g2.com/survey_responses/mergebase-review-7670163)"**

**Rating:** 5.0/5.0 stars
*— Disha K.*

[Read full review](https://www.g2.com/survey_responses/mergebase-review-7670163)

---

**"[MergeBase Detector of risk and vulnerabilities](https://www.g2.com/survey_responses/mergebase-review-7833957)"**

**Rating:** 4.5/5.0 stars
*— Prashant S.*

[Read full review](https://www.g2.com/survey_responses/mergebase-review-7833957)

---



### 2. [Qwiet AI](https://www.g2.com/products/qwiet-ai/reviews)
Qwiet AI delivers comprehensive application security by combining agentic AI with advanced code analysis. In a single scan, the platform provides uniquely accurate SAST, SCA, SBOM, secrets detection, and container analysis that helps dev and security teams find and fix vulnerabilities faster. With its proprietary Code Property Graph (CPG) technology and AI/ML models, Qwiet AI achieves up to 95% reduction in false positives compared to traditional tools, while offering contextual AutoFix that understands the unique context of your code, even across complex enterprise applications. Q: What makes Qwiet AI different from other AppSec solutions? A: Qwiet AI stands out through its agentic AI approach, which enables autonomous vulnerability detection and remediation. The platform&#39;s Code Property Graph technology allows for deeper code analysis and more accurate vulnerability detection, resulting in dramatically fewer false positives than traditional tools. This advanced technology enables the platform to understand code relationships and context at a deeper level, leading to precise vuln detection and contextually appropriate fixes. Q: What security capabilities does the platform include? A: The platform provides comprehensive security coverage including: - Static Application Security Testing (SAST) using a patented CPG-based approach, for vuln detection that is objectively the fastest and most accurate available per the OWASP benchmark - Software Composition Analysis (SCA) for third-party dependency scanning and vulnerability detection in open source components - Automated SBOM generation for supply chain transparency and compliance requirements - Advanced secrets detection to prevent credential exposure and secure sensitive information - Container security analysis built in - AI-powered AutoFix for automated vulnerability remediation with contextually aware patches, powered by the CPG and a custom AI/ML engine with its own LLM - Custom rule creation capabilities for organization-specific security requirements Q: How does Qwiet AI improve development workflows? A: Qwiet AI integrates seamlessly into existing CI/CD pipelines and developer workflows. The platform&#39;s speed (up to 40x faster than traditional scanners) and accuracy mean developers spend less time investigating false positives and more time coding. The AutoFix capability helps developers resolve issues quickly with AI-generated patches that are contextually aware and tailored to your codebase. Additionally, the platform provides IDE integrations and pull request analysis to catch vulnerabilities early in the development process. Q: What do customers think? A: Qwiet AI provides enterprise-grade support with dedicated customer success representatives and technical account managers. The platform consistently receives high marks for customer support, with a 97% &quot;would recommend&quot; rate in Gartner&#39;s Voice of the Customer. Customers receive comprehensive onboarding assistance, ongoing technical support, and regular check-ins to ensure successful implementation and adoption. Q: How can I get started with Qwiet AI? A: Qwiet AI offers self-service access, self-guided demos, and AE-guided demos, depending on your needs. You can request a personalized demo through the company website at qwiet.ai to see how the platform addresses their specific security challenges. You can also sign up for self-service access through the web site, or access documentation and integration guides there.


**Average Rating:** 4.8/5.0
**Total Reviews:** 3

**Who Is the Company Behind Qwiet AI?**

- **Seller:** [Qwiet AI](https://www.g2.com/sellers/qwiet-ai)
- **HQ Location:** San Jose, California, United States
- **Twitter:** @ShiftLeftInc (1,164 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/qwiet (45 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 67% Enterprise, 33% Small-Business


#### What Are Qwiet AI's Pros and Cons?

**Pros:**

- Collaboration (1 reviews)
- Customer Support (1 reviews)
- Easy Integrations (1 reviews)
- Integration Support (1 reviews)
- Team Collaboration (1 reviews)

**Cons:**

- Command Line Difficulty (1 reviews)
- Limited Customization (1 reviews)
- Limited Features (1 reviews)
- UX Improvement (1 reviews)


### What Do G2 Reviewers Say About Qwiet AI?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value the **collaborative support** from Qwiet AI, ensuring seamless integration and teamwork in their workflows.
- Users value the **highly responsive and collaborative customer support** from Qwiet AI, enhancing their integration experience.
- Users appreciate the **easy integrations** of Qwiet AI, finding it seamless to incorporate into CI/CD pipelines.
- Users value the **thorough documentation** of Qwiet AI, facilitating easy integration into CI/CD pipelines.
- Users value the **effective team collaboration** of Qwiet AI, facilitating easy integration and strong customer support.

**Cons:**

- Users find the **command line difficulty** frustrating as custom policies can only be created via the CLI.
- Users find the **limited customization** frustrating, as creating policies requires using the CLI instead of a user-friendly interface.
- Users find the **limited features** of Qwiet AI restrictive, lacking a user-friendly interface for customization.
- Users find the lack of a **user interface for custom policy creation** limits accessibility and ease of use.

#### What Are Recent G2 Reviews of Qwiet AI?

**"[Seamless Integration with Responsive Support](https://www.g2.com/survey_responses/qwiet-ai-review-10278075)"**

**Rating:** 5.0/5.0 stars
*— Brooks S.*

[Read full review](https://www.g2.com/survey_responses/qwiet-ai-review-10278075)

---

**"[A great easy-to-use SAST Scanner](https://www.g2.com/survey_responses/qwiet-ai-review-8626743)"**

**Rating:** 5.0/5.0 stars
*— Verified User in Retail*

[Read full review](https://www.g2.com/survey_responses/qwiet-ai-review-8626743)

---



### 3. [rezilion](https://www.g2.com/products/rezilion/reviews)
Rezilion&#39;s software attack surface management platform automatically secures the software you deliver to customers, giving teams time back to build. Rezilion works across your stack, helping you to know what software is in your environment, what is vulnerable, and what is actually exploitable, so you can focus on what matters and remediate automatically. KEY FEATURES: - Dynamic SBOM Create an instant inventory of all the software components in your environment - Vulnerability Validation Know which of your software vulnerabilities are exploitable, and which are not, through runtime analysis - Vulnerability Remediation Cluster vulnerabilities to eliminate multiple problems at once and automatically execute remediation work to save teams time. WITH REZILION, ACHIEVE: - 85% reduction in patching work after filtering out unexplainable vulnerabilities - 24/7 Continuous monitoring of your software attack surface -600% Faster time to remediate when you focus on what matters and patch automatically - 360-degree visibility across your entire DevSecOps stack -- not just in silos


**Average Rating:** 4.4/5.0
**Total Reviews:** 11

**Who Is the Company Behind rezilion?**

- **Seller:** [rezilion](https://www.g2.com/sellers/rezilion)
- **Year Founded:** 2018
- **HQ Location:** Be&#39;er Sheva, Israel
- **Twitter:** @rezilion_ (198 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/18716043 (5 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 45% Mid-Market, 36% Enterprise



#### What Are Recent G2 Reviews of rezilion?

**"[Platform for Automated Software Supply Chain Security](https://www.g2.com/survey_responses/rezilion-review-8137689)"**

**Rating:** 4.0/5.0 stars
*— Dr. Rajesh V.*

[Read full review](https://www.g2.com/survey_responses/rezilion-review-8137689)

---

**"[A New Era of Software Supply Chain Security](https://www.g2.com/survey_responses/rezilion-review-8402929)"**

**Rating:** 5.0/5.0 stars
*— Jawahar A.*

[Read full review](https://www.g2.com/survey_responses/rezilion-review-8402929)

---



### 4. [SCANOSS](https://www.g2.com/products/scanoss/reviews)
SCANOSS is the industry-leading open source software intelligence provider, offering the largest database of open source information available. SCANOSS delivers cutting-edge tools and services that help businesses and developers detect, manage, and secure their open source components. By identifying license obligations, security vulnerabilities, and other risk concerns, SCANOSS ensures that organisations can harness the power of open source safely and securely throughout the development pipeline.


**Average Rating:** 4.3/5.0
**Total Reviews:** 2

**Who Is the Company Behind SCANOSS?**

- **Seller:** [SCANOSS](https://www.g2.com/sellers/scanoss)
- **Year Founded:** 2021
- **HQ Location:** Madrid, ES
- **LinkedIn® Page:** https://www.linkedin.com/company/scanoss (24 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 100% Small-Business



#### What Are Recent G2 Reviews of SCANOSS?

**"[SCANOSS Open Source Inventorying Engine](https://www.g2.com/survey_responses/scanoss-review-7288704)"**

**Rating:** 4.5/5.0 stars
*— Joe H.*

[Read full review](https://www.g2.com/survey_responses/scanoss-review-7288704)

---

**"[Great product with a valuable solution but the paid SaaS Tier might be a bit expensive for some](https://www.g2.com/survey_responses/scanoss-review-7283528)"**

**Rating:** 4.0/5.0 stars
*— Joe H.*

[Read full review](https://www.g2.com/survey_responses/scanoss-review-7283528)

---



### 5. [Scribe Security Trust Hub](https://www.g2.com/products/scribe-security-scribe-security-trust-hub/reviews)
Scribe is a SaaS solution that provides continuous assurance for the security and trust worthiness of software artifacts, acting as a trust hub between software producers and consumers. Scribe centralized SBOM management system allows to effortlessly manage and share products SBOMs along with all their associated security aspects in a controlled and automated manner.



**Who Is the Company Behind Scribe Security Trust Hub?**

- **Seller:** [Scribe Security](https://www.g2.com/sellers/scribe-security)
- **HQ Location:** Tel Aviv, IL
- **LinkedIn® Page:** https://www.linkedin.com/company/scribe-security (25 employees on LinkedIn®)






### 6. [Sonatype SBOM Manager](https://www.g2.com/products/sonatype-sbom-manager/reviews)
Sonatype SBOM Manager helps organizations generate, centralize, and manage Software Bills of Materials (SBOMs) across their software portfolio so teams can meet compliance requirements and respond faster to supply chain risk. SBOMs are increasingly required for procurement, audits, and security programs - but collecting them from many teams and vendors, keeping them current, and turning them into actionable risk insights is hard. SBOM Manager brings SBOM creation and management together in a single place so security, compliance, and procurement teams can standardize how SBOMs are produced, stored, shared, and reviewed. Key capabilities: - Generate SBOMs for applications in widely used formats (CycloneDX and SPDX) - Import and manage SBOMs received from third-party software suppliers - Centralize SBOMs across teams and products for consistent governance and audit readiness - Support risk and compliance workflows by making SBOM data easy to access, distribute, and operationalize SBOM Manager pairs Sonatype’s component intelligence with dedicated SBOM management so organizations can strengthen their software supply chain security posture, stay ahead of evolving requirements, and reduce the effort of proving compliance.



**Who Is the Company Behind Sonatype SBOM Manager?**

- **Seller:** [Sonatype](https://www.g2.com/sellers/sonatype)
- **Year Founded:** 2008
- **HQ Location:** Fulton, US
- **Twitter:** @sonatype (10,589 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/210324/ (551 employees on LinkedIn®)






### 7. [Veracode Application Security Platform](https://www.g2.com/products/veracode-application-security-platform/reviews)
Veracode helps companies that innovate through software deliver secure code on time. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline,empower developers to fix security defects, and scales your program through best practices to achieve your desired outcomes. Veracode covers your all your AppSec needs in one solution through a combination of five analysis types available for 24 programming languages, 77 frameworks, and application types as varied as microservices, mainframe and mobile apps.


**Average Rating:** 3.8/5.0
**Total Reviews:** 25

**Who Is the Company Behind Veracode Application Security Platform?**

- **Seller:** [VERACODE](https://www.g2.com/sellers/veracode)
- **Year Founded:** 2006
- **HQ Location:** Burlington, MA
- **Twitter:** @Veracode (21,950 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/27845/ (502 employees on LinkedIn®)

**Who Uses This Product?**
- **Top Industries:** Information Technology and Services
- **Company Size:** 69% Enterprise, 31% Mid-Market


#### What Are Veracode Application Security Platform's Pros and Cons?

**Pros:**

- Accuracy of Findings (2 reviews)
- Detailed Information (2 reviews)
- Scanning Efficiency (2 reviews)
- Security (2 reviews)
- Vulnerability Detection (2 reviews)

**Cons:**

- Lack of Information (2 reviews)
- Poor Customer Support (2 reviews)
- Complexity (1 reviews)
- Confusing Interface (1 reviews)
- Cost Issues (1 reviews)


### What Do G2 Reviewers Say About Veracode Application Security Platform?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value the **accuracy of findings** from Veracode, providing clear reports with corrections and suggestions for improvement.
- Users value the **single entry point for application security** , enabling detailed insights and effective security scanning.
- Users value the **scanning efficiency** of Veracode, enabling precise reports and seamless integration into CI/CD pipelines.
- Users value the **robust security features** of Veracode, effectively addressing vulnerabilities and ensuring high security standards.
- Users value the **effective vulnerability detection** in Veracode, enhancing security with comprehensive code analysis and integration capabilities.

**Cons:**

- Users experience **a lack of information** due to mismatches in documentation, pressure from sales, and unclear upload statuses.
- Users express frustration over **poor customer support** , citing issues with communication and service reliability.
- Users find the **overly complex license model** challenging, contributing to frustration and misalignment with expectations.
- Users find the **confusing interface** of Veracode to be challenging, especially during unsuccessful uploads without immediate notifications.
- Users are concerned about the **cost issues** related to complex licensing and justifying customer success investments.

#### What Are Recent G2 Reviews of Veracode Application Security Platform?

**"[Streamlined Security, Effortless Integration](https://www.g2.com/survey_responses/veracode-application-security-platform-review-11757799)"**

**Rating:** 5.0/5.0 stars
*— Bhanu Prakash M.*

[Read full review](https://www.g2.com/survey_responses/veracode-application-security-platform-review-11757799)

---

**"[Clear, Unified View of Application Capabilities](https://www.g2.com/survey_responses/veracode-application-security-platform-review-12910910)"**

**Rating:** 4.5/5.0 stars
*— Christopher S.*

[Read full review](https://www.g2.com/survey_responses/veracode-application-security-platform-review-12910910)

---


#### What Are G2 Users Discussing About Veracode Application Security Platform?

- [What is difference between veracode and SonarQube?](https://www.g2.com/discussions/what-is-difference-between-veracode-and-sonarqube)
- [What is veracode software composition analysis?](https://www.g2.com/discussions/what-is-veracode-software-composition-analysis)
- [What is veracode used for?](https://www.g2.com/discussions/what-is-veracode-used-for)
- [What is the veracode application security platform?](https://www.g2.com/discussions/what-is-the-veracode-application-security-platform)

### 8. [Vigiles](https://www.g2.com/products/vigiles/reviews)
Vigiles is a best-in-class vulnerability monitoring and remediation tool that combines a curated CVE database, continuous security feed based on your SBOM, powerful filtering, and easy triage tools so you don’t get blindsided by vulnerabilities.


**Average Rating:** 4.2/5.0
**Total Reviews:** 6

**Who Is the Company Behind Vigiles?**

- **Seller:** [Timesys](https://www.g2.com/sellers/timesys)
- **Year Founded:** 1996
- **HQ Location:** Pittsburgh, US
- **Twitter:** @Timesys (540 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/timesys-corporation/ (52 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 83% Small-Business, 17% Mid-Market



#### What Are Recent G2 Reviews of Vigiles?

**"[A Revolutionary Security Solution for Peace of Mind](https://www.g2.com/survey_responses/vigiles-review-8284121)"**

**Rating:** 4.0/5.0 stars
*— Prashant  S.*

[Read full review](https://www.g2.com/survey_responses/vigiles-review-8284121)

---

**"[Vigiles review](https://www.g2.com/survey_responses/vigiles-review-8911852)"**

**Rating:** 4.0/5.0 stars
*— Tushar T.*

[Read full review](https://www.g2.com/survey_responses/vigiles-review-8911852)

---




## What Is Software Bill of Materials (SBOM) Software?

[DevSecOps Software](https://www.g2.com/categories/devsecops)

## What Software Categories Are Similar to Software Bill of Materials (SBOM) Software?

- [Static Application Security Testing (SAST) Software](https://www.g2.com/categories/static-application-security-testing-sast)
- [Software Composition Analysis Tools](https://www.g2.com/categories/software-composition-analysis)
- [Software Supply Chain Security Solutions](https://www.g2.com/categories/software-supply-chain-security-tools)



