# CBOM (Cryptographic Bill of Materials)

> Export a Cryptographic Bill of Materials (CBOM) to inventory all cryptographic algorithms, certificates, and keys discovered in a scanned image.

A Cryptographic Bill of Materials (CBOM) is a structured inventory of all cryptographic materials discovered within a scanned binary image. BTP generates CBOMs in [CycloneDX](https://cyclonedx.org/) JSON format - an open standard for describing software and cryptographic assets in supply chains.

## What Is Included

A BTP-generated CBOM includes:

* **Cryptographic algorithms** - all detected implementations with class identifier, parameters, and location within the image
* **Protocols** - detected SSL/TLS protocol versions
* **Certificates** - X.509 certificates with issuer, subject, validity period, signature algorithm, and key parameters
* **Keys** - cryptographic key material with key type and size
* **Component references** - the binary component within the image where each material was found

## Generating a CBOM

<Steps>
  <Step title="Locate the image">
    Navigate to the product view and find the image you want to export.
  </Step>

  <Step title="Download the CBOM">
    Click the **CBOM** feature tag in the image grid row, or open the action menu and select **Download CBOM**.

    From the image detail view, **Download CBOM** is also available in the action menu.
  </Step>

  <Step title="Use the CycloneDX JSON file">
    The downloaded file is a CycloneDX JSON document ready for use in compliance tooling, automated pipelines, or manual review.
  </Step>
</Steps>

## Relationship to SBOM

The CBOM complements the SBOM by focusing on cryptographic materials rather than software components:

|              | SBOM                              | CBOM                                       |
| ------------ | --------------------------------- | ------------------------------------------ |
| **Tracks**   | Libraries, packages, dependencies | Algorithms, certificates, keys             |
| **Format**   | CycloneDX or SPDX                 | CycloneDX                                  |
| **Use case** | Software composition analysis     | Cryptographic compliance and PQC readiness |

## Post-Quantum Readiness

The CBOM provides an inventory of quantum-vulnerable algorithms (RSA, ECDSA, DSA, ECDH) for migration planning per NIST IR 8547. For compliance-focused reporting with per-algorithm migration guidance, see the [PQC Compliance Report](/user-guides/export/pqc).
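One way to pull that inventory out of a downloaded CBOM for migration planning, as an added example (not BTP's own tooling or output). It assumes the CycloneDX 1.6 layout, where algorithms are `cryptographic-asset` components carrying `cryptoProperties`, and that the algorithm family appears in the component `name`; the sample document, its names, and the nesting under a binary component are constructed for illustration.

```python
import json
import re

# Quantum-vulnerable families listed on this page.
QUANTUM_VULNERABLE = ("RSA", "ECDSA", "DSA", "ECDH")

def _algo(name, ref, param):
    """Build one constructed CycloneDX 1.6 algorithm asset for the sample."""
    return {"type": "cryptographic-asset", "name": name, "bom-ref": ref,
            "cryptoProperties": {"assetType": "algorithm",
                                 "algorithmProperties": {"parameterSetIdentifier": param}}}

# Constructed sample, not output from a real scan.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        _algo("RSA-2048", "crypto-1", "2048"),
        _algo("AES-256-GCM", "crypto-2", "256"),
        _algo("SHA-256", "crypto-3", "256"),
        # Assumed layout: assets nested under the binary component they were found in.
        {"type": "library", "name": "libexample.so", "bom-ref": "comp-1",
         "components": [_algo("ECDSA-P256", "crypto-4", "P-256"),
                        _algo("ECDH", "crypto-5", "P-384")]},
    ],
})

def walk(components):
    """Yield every component, descending into nested 'components' arrays."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))

def quantum_vulnerable(cbom_text):
    """Return sorted (family, name, parameter set, bom-ref) for flagged algorithms."""
    bom = json.loads(cbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = []
    for comp in walk(bom.get("components")):
        props = comp.get("cryptoProperties") or {}
        if comp.get("type") != "cryptographic-asset" or props.get("assetType") != "algorithm":
            continue
        # Match whole name tokens so "DSA" does not fire on "ECDSA".
        tokens = re.split(r"[^A-Z0-9]+", comp.get("name", "").upper())
        family = next((f for f in QUANTUM_VULNERABLE if f in tokens), None)
        if family:
            param = (props.get("algorithmProperties") or {}).get("parameterSetIdentifier")
            findings.append((family, comp["name"], param, comp.get("bom-ref")))
    return sorted(findings, key=lambda f: (f[0], f[1]))

if __name__ == "__main__":
    for row in quantum_vulnerable(SAMPLE_CBOM):
        print(*row, sep="\t")
```

Name-token matching is a heuristic; check how the exported file actually names its algorithm assets before relying on it in a pipeline.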

## Programmatic Access

* [CBOM Report API](/api-reference/report/cbom-report) - Endpoint reference
* [Compliance Artifacts](/api-reference/use-cases/compliance-artifacts) - Automation scripts

## Related

* [Cryptographic Materials Tab](/user-guides/image-scans/cryptographic-materials)
* [Algorithm Compliance Reference](/resource-center/algorithm-compliance)
* [PQC Compliance Report](/user-guides/export/pqc)
