Every SBOM, organized, diffable, searchable.
SBOMs generated in CI end up as build artifacts nobody can query. ReARM attaches every SBOM and xBOM to the release that produced it, per component and per product.
Not a bucket of JSON files
Every SBOM and xBOM is versioned and tied to the release that produced it, per component and per product. Ask for any shipped version's bill of materials and get it in one click.
What changed between 1.2 and 1.3? Two answers, same release pair.
Dependency delta: every new release is automatically diffed against its predecessor as it lands. Continuous, not on-request; any two versions diffable on demand, at component and product level.
Code delta: auto-generated changelogs from the commits between the two releases, shown alongside the SBOM diff.
Releases are versioned automatically per your org's version schema; no manual bumping.
Where do we run log4j 2.14?
Answered portfolio-wide in seconds, across every product and every shipped version. Not just the latest build: everything you have ever released.
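As an added illustration of the two operations described above, the dependency delta between two releases and the portfolio-wide "where do we run X" query, here is a small Python example. It is not ReARM's code and does not use its API; the CycloneDX-shaped SBOMs, the release names and the component versions are constructed sample data, and the (group, name) key and the dotted-segment version match are this example's own choices.

```python
"""Diff two CycloneDX-style SBOMs and query a set of SBOMs for a component version.

Added example, not ReARM code. All SBOM content below is constructed.
"""

# Constructed sample SBOMs: minimal CycloneDX-shaped dicts keyed by release id.
RELEASES = {
    "payments-api@1.2": {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"name": "payments-api", "version": "1.2"}},
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
            {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"},
            {"group": "commons-io", "name": "commons-io", "version": "2.11.0"},
        ],
    },
    "payments-api@1.3": {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"name": "payments-api", "version": "1.3"}},
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
            {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"},
            {"group": "com.google.guava", "name": "guava", "version": "32.1.3-jre"},
        ],
    },
    "reporting-svc@4.0": {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"name": "reporting-svc", "version": "4.0"}},
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.0"},
        ],
    },
}


def component_index(sbom):
    """Map (group, name) -> version for every component in a CycloneDX-style SBOM.

    Using (group, name) as the identity lets the diff tell "version changed"
    apart from "component removed and a different one added".
    """
    index = {}
    for comp in sbom.get("components", []):
        index[(comp.get("group", ""), comp["name"])] = comp["version"]
    return index


def diff_sboms(old, new):
    """Dependency delta between two SBOMs: added, removed and version-changed components."""
    old_idx, new_idx = component_index(old), component_index(new)
    added = {k: v for k, v in new_idx.items() if k not in old_idx}
    removed = {k: v for k, v in old_idx.items() if k not in new_idx}
    changed = {
        k: (old_idx[k], new_idx[k])
        for k in old_idx.keys() & new_idx.keys()
        if old_idx[k] != new_idx[k]
    }
    return {"added": added, "removed": removed, "changed": changed}


def version_matches(version, prefix):
    """True if the dotted segments of `version` start with those of `prefix`.

    Segment-wise comparison means "2.14" matches "2.14.1" but not "2.140.0",
    which a plain string prefix test would wrongly accept.
    """
    if not prefix:
        return True
    want = prefix.split(".")
    return version.split(".")[: len(want)] == want


def find_component(releases, name_fragment, version_prefix=""):
    """Portfolio-wide query: every release shipping a component whose name contains
    `name_fragment` and whose version starts with `version_prefix`."""
    hits = []
    for release_id, sbom in releases.items():
        for (group, comp_name), version in component_index(sbom).items():
            if name_fragment in comp_name and version_matches(version, version_prefix):
                hits.append((release_id, f"{group}/{comp_name}", version))
    return sorted(hits)


if __name__ == "__main__":
    delta = diff_sboms(RELEASES["payments-api@1.2"], RELEASES["payments-api@1.3"])
    for kind, entries in delta.items():
        print(kind, entries)
    print("log4j 2.14 found in:", find_component(RELEASES, "log4j", "2.14"))
```

The query deliberately walks every stored release, not only the latest build per product, which is what makes the answer cover everything ever shipped; in a real store the per-release index would be precomputed rather than rebuilt on each query, and version matching against advisory ranges would use a proper version-range scheme rather than a prefix.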
HBOMs, VDRs, attestations, anything
Arbitrary artifacts attach to releases with the same organization and the same roll-up. If it is evidence, it has a place in the hierarchy.
Serve SBOMs downstream
Distribute SBOMs and artifacts to downstream consumers via TEA. Customers, authorities, and program offices pull from the same organized source.