
SBOM & SCA

Fix the CVEs that are actually reachable at runtime.

Runtimekindle generates CycloneDX-format SBOMs from your CI pipeline and correlates every CVE finding with runtime reachability data — so your engineers stop triaging vulnerabilities in libraries that never load in production.

Figure: SBOM generation and SCA correlation flow. The CI pipeline produces a CycloneDX SBOM, which is correlated with the CVE database and runtime reachability data.

SBOM Generation

From CI run to CycloneDX SBOM in under 30 seconds

One-step CI integration

Add the Runtimekindle GitHub Action or GitLab CI step to your pipeline. It scans your build environment, generates a CycloneDX 1.5 SBOM, and uploads it to the control plane — under 20 lines of YAML, no custom scripting required.

CycloneDX 1.5 format

Exports comply with the CycloneDX 1.5 specification — the format required by most enterprise procurement and compliance teams. Each export includes component hashes, license identifiers, and VEX (Vulnerability Exploitability eXchange) annotations.

Runtime reachability correlation

The eBPF agent tracks which libraries are loaded at runtime. CVEs in packages that are never loaded get deprioritized automatically — reducing your actionable findings list by up to 70% without manual triage.

Audit-ready SBOM exports

One-click export of the SBOM for any build artifact, tagged with build date, commit SHA, and signer identity. Accepted by enterprise security teams as evidence for SOC 2, FedRAMP-adjacent, and vendor questionnaire responses.

SCA Correlation

License risk detection alongside CVE triage

Runtimekindle's SCA layer scans every dependency for both CVE risk and license compliance risk — surfacing GPL-3.0 and AGPL-3.0 inclusions that trigger commercial restrictions before your legal team finds them in a vendor audit.

License classification

Classifies every dependency license as Permissive, Weak Copyleft, Strong Copyleft, or Non-OSI. Flags GPL-3.0, AGPL-3.0, and SSPL dependencies that require disclosure or may conflict with your commercial terms.

Prioritized CVE backlog

Each CVE in your SBOM gets a reachability score: Reachable (loaded at runtime), Reachable in test only, or Not reachable. Engineers get a prioritized list — fix the top 10, not the top 200.
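As an added worked example (not Runtimekindle's code), here is the correlation step behind the reachability score and the runtime-correlation feature above, in Python: it reads a constructed CycloneDX 1.5 fragment, buckets each CVE into the three reachability scores using constructed production and test load observations, attaches a CycloneDX VEX analysis block, and orders the backlog so reachable findings come first regardless of severity. The loader-tracking agent, the purls and the CVE ids are constructed placeholders.

```python
import json
# Constructed CycloneDX 1.5 fragment; CVE ids are placeholders, not real advisories.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "c1", "purl": "pkg:pypi/libfoo@1.0.0"},
        {"type": "library", "bom-ref": "c2", "purl": "pkg:pypi/libbar@2.3.1"},
        {"type": "library", "bom-ref": "c3", "purl": "pkg:pypi/testonly@0.9.0"},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "ratings": [{"severity": "high"}], "affects": [{"ref": "c1"}]},
        {"id": "CVE-0000-0002", "ratings": [{"severity": "critical"}], "affects": [{"ref": "c2"}]},
        {"id": "CVE-0000-0003", "ratings": [{"severity": "medium"}], "affects": [{"ref": "c3"}]},
    ],
})
# Constructed runtime observations: purls a hypothetical agent saw loaded in prod and in test.
LOADED_PROD = {"pkg:pypi/libfoo@1.0.0"}
LOADED_TEST = {"pkg:pypi/libfoo@1.0.0", "pkg:pypi/testonly@0.9.0"}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
REACH_RANK = {"Reachable": 0, "Reachable in test only": 1, "Not reachable": 2}

def reachability(purl, prod, test):
    # The page's three buckets: loaded in prod, loaded only under test, never observed.
    if purl in prod:
        return "Reachable"
    return "Reachable in test only" if purl in test else "Not reachable"

def vex_analysis(reach):
    # CycloneDX 'analysis' block. A missing load is evidence, not proof, so only the
    # never-observed case becomes not_affected; the others stay in_triage for a human.
    if reach == "Not reachable":
        return {"state": "not_affected", "justification": "code_not_reachable"}
    return {"state": "in_triage"}

def prioritize(sbom_json, prod, test):
    """Return CVE rows ordered by reachability first, then severity."""
    bom = json.loads(sbom_json)
    purl_by_ref = {c["bom-ref"]: c["purl"] for c in bom.get("components", [])}
    rows = []
    for vuln in bom.get("vulnerabilities", []):
        sev = (vuln.get("ratings") or [{}])[0].get("severity", "unknown")
        for hit in vuln.get("affects", []):
            purl = purl_by_ref.get(hit["ref"], hit["ref"])  # fall back to the raw ref
            reach = reachability(purl, prod, test)
            rows.append({"id": vuln["id"], "purl": purl, "severity": sev,
                         "reachability": reach, "analysis": vex_analysis(reach)})
    rows.sort(key=lambda r: (REACH_RANK[r["reachability"]], SEVERITY_RANK.get(r["severity"], 9)))
    return rows
```

With these inputs the critical CVE in the never-loaded library sorts below the high and medium findings in loaded code, which is the reordering the page describes.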

Stop triaging CVEs that don't matter.

Generate your first SBOM from CI in under 30 minutes. No code changes required.