Manifest File Upload

Upload package manifest files for SBOM generation

Upload package manifest files directly to Safeguard for SBOM generation without connecting to a source code repository.

Supported Manifest Files

JavaScript/Node.js

File              | Description
package.json      | npm package manifest
package-lock.json | npm lock file (recommended)
yarn.lock         | Yarn lock file
pnpm-lock.yaml    | pnpm lock file

Python

File             | Description
requirements.txt | pip requirements
Pipfile          | Pipenv manifest
Pipfile.lock     | Pipenv lock file (recommended)
pyproject.toml   | Modern Python projects
poetry.lock      | Poetry lock file
setup.py         | Legacy setup file

Java

File             | Description
pom.xml          | Maven project file
build.gradle     | Gradle build file
build.gradle.kts | Kotlin Gradle build
gradle.lockfile  | Gradle lock file

.NET

File                     | Description
*.csproj                 | C# project file
packages.config          | NuGet packages
*.deps.json              | .NET dependencies
Directory.Packages.props | Central package management

Ruby

File         | Description
Gemfile      | Bundler manifest
Gemfile.lock | Bundler lock file (recommended)

PHP

File          | Description
composer.json | Composer manifest
composer.lock | Composer lock file (recommended)

Go

File   | Description
go.mod | Go modules file
go.sum | Go checksum file (recommended)

Rust

File       | Description
Cargo.toml | Cargo manifest
Cargo.lock | Cargo lock file (recommended)

Upload Workflow

Step 1: Navigate to Integrations

Go to Integrations from the sidebar and filter by Upload.

Step 2: Select Manifest Upload

Click Connect on the Upload Manifest File card.

Step 3: Upload File(s)

  1. Enter a Name for this upload
  2. Optionally add a Description
  3. Drag and drop your manifest file(s), or click Browse to select
  4. You can upload multiple files (e.g., both package.json and package-lock.json)

Step 4: Configure Project

  1. Set the Project Name
  2. Set the Version
  3. Click Upload to begin scanning

Why Upload Lock Files?

Lock files provide more precise dependency information:

Aspect                  | Manifest Only         | Manifest + Lock File
Direct dependencies     |                       |
Transitive dependencies | Resolved at scan time | Exact versions
Reproducibility         | May vary              | Exact match
Version ranges          | Resolved to latest    | Locked versions

Recommendation: Always upload both the manifest and lock file when available.
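
The table above can be made concrete with a small script. This is an added example, not part of the Safeguard documentation or product: it parses a constructed package.json next to a constructed package-lock.json (npm's lockfileVersion 3 layout, where the "packages" object is keyed by install path and "" is the root project) and reports what each file contributes. The manifest only yields semver ranges for direct dependencies; the lock file yields exact versions, integrity hashes and the transitive packages the manifest never mentions. All package names, versions, URLs and hashes below are sample values.

```python
"""Compare what a package.json declares with what its package-lock.json pins.

Added example (not Safeguard's code). Both JSON documents are constructed
sample inputs; the registry URLs and integrity values are placeholders.
"""
import json

# Constructed manifest: direct dependencies declared as semver ranges.
PACKAGE_JSON = """{
  "name": "sample-app",
  "version": "1.0.0",
  "dependencies": {
    "express": "^4.18.0",
    "lodash": "~4.17.20"
  },
  "devDependencies": {
    "jest": ">=29"
  }
}"""

# Constructed lock file (lockfileVersion 3): exact versions, resolved URLs and
# integrity hashes for direct and transitive packages alike.
PACKAGE_LOCK_JSON = """{
  "name": "sample-app",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "name": "sample-app",
      "dependencies": {"express": "^4.18.0", "lodash": "~4.17.20"},
      "devDependencies": {"jest": ">=29"}
    },
    "node_modules/express": {
      "version": "4.18.2",
      "resolved": "https://registry.example.invalid/express/-/express-4.18.2.tgz",
      "integrity": "sha512-PLACEHOLDER",
      "dependencies": {"body-parser": "1.20.1"}
    },
    "node_modules/body-parser": {
      "version": "1.20.1",
      "resolved": "https://registry.example.invalid/body-parser/-/body-parser-1.20.1.tgz",
      "integrity": "sha512-PLACEHOLDER"
    },
    "node_modules/lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.example.invalid/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-PLACEHOLDER"
    },
    "node_modules/jest": {
      "version": "29.7.0",
      "resolved": "https://registry.example.invalid/jest/-/jest-29.7.0.tgz",
      "integrity": "sha512-PLACEHOLDER",
      "dev": true
    }
  }
}"""


def declared_dependencies(manifest_text):
    """Return {name: range} for every dependency a package.json declares."""
    manifest = json.loads(manifest_text)
    declared = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        declared.update(manifest.get(section, {}))
    return declared


def locked_packages(lock_text):
    """Return {name: {"version", "integrity"}} for every installed package in a
    lockfileVersion 2/3 package-lock.json. The "" entry is the root project."""
    lock = json.loads(lock_text)
    locked = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue
        # Nested installs look like node_modules/a/node_modules/b; the package
        # name is what follows the last "node_modules/" (scopes are kept).
        name = path.rsplit("node_modules/", 1)[-1]
        locked[name] = {"version": entry.get("version"),
                        "integrity": entry.get("integrity")}
    return locked


def compare(manifest_text, lock_text):
    """Return (direct, transitive): for each declared package, its manifest
    range next to the version the lock pins and whether an integrity hash is
    present; plus the sorted list of packages only the lock file knows about."""
    declared = declared_dependencies(manifest_text)
    locked = locked_packages(lock_text)
    direct = {
        name: {"declared_range": rng,
               "locked_version": locked.get(name, {}).get("version"),
               "has_integrity": bool(locked.get(name, {}).get("integrity"))}
        for name, rng in declared.items()
    }
    transitive = sorted(set(locked) - set(declared))
    return direct, transitive


if __name__ == "__main__":
    direct, transitive = compare(PACKAGE_JSON, PACKAGE_LOCK_JSON)
    for name, info in sorted(direct.items()):
        print(f"{name}: manifest says {info['declared_range']}, "
              f"lock pins {info['locked_version']}")
    print("packages only the lock file reveals:", transitive)
```

Run against the sample inputs, the manifest alone reports three ranges and no transitive packages at all; with the lock file the same three resolve to exact versions with integrity hashes, and body-parser appears as a transitive dependency. That difference is what the "Transitive dependencies" and "Version ranges" rows in the table describe.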


Multiple Files Upload

You can upload multiple related files together:

Example: Node.js Project

├── package.json
└── package-lock.json

Example: Python Project

├── requirements.txt
├── requirements-dev.txt
└── pyproject.toml

Example: Monorepo

├── package.json
├── package-lock.json
├── packages/
│   ├── app-a/package.json
│   └── app-b/package.json

Troubleshooting

"Unsupported file format"

  • Verify the file is a supported manifest type
  • Check the file extension matches the format
  • Ensure the file contains valid syntax

"No dependencies found"

  • The manifest file may be empty or invalid
  • Check that dependencies are properly declared
  • Some files may only contain metadata

"Version resolution failed"

  • Some version ranges may not resolve
  • Try uploading a lock file with exact versions
  • Private package references may not resolve
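
The Multiple Files Upload layouts and the three Troubleshooting messages above can both be checked before anything is uploaded. The script below is an added example, not part of the Safeguard documentation or product. It walks a constructed in-memory monorepo (the same shape as the monorepo example), selects the file names the Supported Manifest Files tables list, and flags invalid JSON syntax, manifests that declare no dependencies, requirements.txt entries without an exact version, and manifests uploaded without the lock file from the same directory. The tree contents are sample data; to run it on a real checkout, build the same {path: content} mapping from os.walk.

```python
"""Pre-upload check for a tree of manifest files (added example; not Safeguard's code)."""
import json
from fnmatch import fnmatch
from posixpath import basename, dirname

# Supported manifest names and patterns, taken from the tables on this page.
SUPPORTED = [
    "package.json", "package-lock.json", "yarn.lock", "pnpm-lock.yaml",
    "requirements.txt", "Pipfile", "Pipfile.lock", "pyproject.toml", "poetry.lock", "setup.py",
    "pom.xml", "build.gradle", "build.gradle.kts", "gradle.lockfile",
    "*.csproj", "packages.config", "*.deps.json", "Directory.Packages.props",
    "Gemfile", "Gemfile.lock", "composer.json", "composer.lock",
    "go.mod", "go.sum", "Cargo.toml", "Cargo.lock",
]

# Manifest -> lock files that pin its versions (also from the tables above).
LOCK_FOR = {
    "package.json": ("package-lock.json", "yarn.lock", "pnpm-lock.yaml"),
    "Pipfile": ("Pipfile.lock",),
    "pyproject.toml": ("poetry.lock",),
    "build.gradle": ("gradle.lockfile",),
    "build.gradle.kts": ("gradle.lockfile",),
    "Gemfile": ("Gemfile.lock",),
    "composer.json": ("composer.lock",),
    "go.mod": ("go.sum",),
    "Cargo.toml": ("Cargo.lock",),
}

# Constructed monorepo: {relative path: file content}. Sample data, not real projects.
TREE = {
    "package.json": '{"name": "root", "dependencies": {"lodash": "^4.17.0"}}',
    "package-lock.json": '{"lockfileVersion": 3, "packages": {}}',
    "packages/app-a/package.json": '{"name": "app-a", "dependencies": {"express": "^4.18.0"}}',
    "packages/app-b/package.json": '{"name": "app-b"',  # truncated JSON
    "packages/lib/composer.json": '{"name": "lib"}',   # metadata only, no require
    "services/api/requirements.txt": "requests>=2.28\nflask==3.0.0\n",
    "services/api/README.md": "not a manifest",
    "tools/build/Cargo.toml": '[package]\nname = "tools"\n',
}


def is_supported(path):
    """True when the file name matches one of the supported manifest patterns."""
    name = basename(path)
    return any(fnmatch(name, pattern) for pattern in SUPPORTED)


def check_tree(tree):
    """Run the pre-upload checks over {relative_path: content}.

    Returns (supported_paths, findings); findings is a list of (path, issue)
    tuples in path order, one per condition detected."""
    supported = sorted(p for p in tree if is_supported(p))
    present = set(supported)
    findings = []
    for path in supported:
        name, folder = basename(path), dirname(path)
        # "Unsupported file format" (invalid syntax) and "No dependencies found"
        # for the JSON manifests.
        if name in ("package.json", "composer.json"):
            try:
                doc = json.loads(tree[path])
            except json.JSONDecodeError:
                findings.append((path, "invalid syntax"))
                continue
            sections = (("dependencies", "devDependencies") if name == "package.json"
                        else ("require", "require-dev"))
            if not any(doc.get(s) for s in sections):
                findings.append((path, "no dependencies found"))
        # "Version resolution failed": ranges in requirements.txt with no exact pin.
        if name == "requirements.txt":
            for line in tree[path].splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "==" not in line:
                    findings.append((path, f"unpinned requirement: {line}"))
        # Recommendation from this page: upload the lock file alongside its manifest.
        if name in LOCK_FOR:
            companions = {f"{folder}/{lock}" if folder else lock for lock in LOCK_FOR[name]}
            if not companions & present:
                findings.append((path, "no lock file in the same directory"))
    return supported, findings


if __name__ == "__main__":
    paths, issues = check_tree(TREE)
    print("files to upload:", paths)
    for path, issue in issues:
        print(f"{path}: {issue}")
```

For the sample tree the script selects six files (README.md is skipped) and reports the truncated app-b manifest as invalid syntax, the metadata-only composer.json as having no dependencies, the requests range as unpinned, and the app-a, lib and Cargo manifests as missing their lock files; the root package.json passes because package-lock.json sits beside it.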

Best Practices

  • Upload lock files - They provide more accurate dependency information
  • Include all manifests - Upload all related manifest files together
  • Regular updates - Re-upload when dependencies change
  • Use exact versions - Avoid wide version ranges in manifests
