Just because AI is writing your code doesn’t mean you can stop worrying about software bills of materials.
While the quality of AI coding remains open to debate, there’s no question that everyone and their dog is using it. That means, if you’re serious about using AI in production, you must track its code in a Software Bill of Materials (SBOM). Don’t believe me? Just try to sell your program in the European Union (EU) now that the Cyber Resilience Act (CRA) is taking effect.
That’s why Codenotary’s extension of its free SBOM.sh service with new capabilities aimed squarely at tracking the fast‑growing but opaque AI software supply chain is a big deal. This service treats datasets and models as first‑class supply chain artifacts rather than afterthoughts. Codenotary positions this as an evolution of the SBOM concept to reflect how AI‑native systems are actually built, deployed, and run in production.
Codenotary’s SBOM.sh is a free, cloud‑based service for creating, storing, analyzing, and sharing SBOMs. You use it by uploading SBOM JSON files, and you get back a unique URL that can be used to retrieve and share that SBOM at any time via a browser or command‑line tools such as cURL. It supports the standard SBOM formats CycloneDX and System Package Data Exchange (SPDX). Companion tools and GitHub Actions let you include SBOMs in development pipelines from container images, filesystems, and Git repositories.
At the heart of the release is the idea that the data used to train and run models is part of the software supply chain and deserves the same scrutiny as libraries and containers. By treating datasets as artifacts, the company says SBOM.sh can help organizations close a critical visibility gap affecting governance, regulatory compliance, and risk management for AI workloads.
Moshe Bar, Codenotary’s CEO and co-founder, in a statement, said, “Traditional SBOM tools were built for an earlier era – focusing primarily on source code to improve visibility into the software supply chain. Security teams are swimming in SBOMs, but they’re not getting the actionable clarity they need, especially as AI transforms software with AI applications built on datasets, which are entirely ignored by traditional SBOMs.”
To deal with this, Codenotary’s expanded service introduces several AI‑specific capabilities designed to support audits and emerging regulations:
- Data provenance and governance: SBOM.sh documents dataset sources, associated licensing terms, and governance controls to help reduce exposure from improperly sourced or governed data. You can then use this information to demonstrate data handling practices during audits or regulatory reviews.
- Model lineage and training transparency: The service captures metadata about base model origins, fine‑tuning history, version identifiers, and update paths, building a traceable record of how models evolve over time.
- Inference operations and integrations: SBOM.sh provides visibility into inference endpoints, access controls, runtime integrations, and monitoring hooks, showing how models are actually invoked in production environments.
- Ownership and accountability: Ownership and approval context are embedded across AI artifacts to clarify who is responsible for particular datasets, models, and operational components.
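As an added illustration (not SBOM.sh’s own code or schema), the dataset provenance and model lineage described above can already be expressed with standard CycloneDX 1.5 fields: the `data` and `machine-learning-model` component types, `licenses`, dataset `governance.owners`, and `pedigree.ancestors` for the base model a fine‑tuned model derives from. The audit below flags AI artifacts missing those fields; the component names, URL, and owner are constructed sample values.

```python
import json

# Constructed CycloneDX 1.5 document: one governed dataset, one fine-tuned model
# whose pedigree names its base model, and one dataset with no provenance at all.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "data", "name": "support-tickets-2024", "version": "3",
         "licenses": [{"license": {"id": "CC-BY-4.0"}}],
         "data": [{"type": "dataset",
                   "contents": {"url": "https://example.internal/datasets/tickets"},
                   "governance": {"owners": [{"organization": {"name": "Data Office"}}]}}]},
        {"type": "machine-learning-model", "name": "ticket-router", "version": "1.4.0",
         # pedigree.ancestors is where CycloneDX records the base model this was fine-tuned from
         "pedigree": {"ancestors": [{"type": "machine-learning-model",
                                     "name": "base-encoder", "version": "2.1"}]}},
        {"type": "data", "name": "scraped-web-corpus", "data": [{"type": "dataset"}]},
    ],
})


def audit_ai_components(sbom_json: str) -> dict:
    """Map each dataset/model component to the provenance fields it lacks.

    Datasets need a license, a source URL and a named owner; models need a
    version and a recorded base-model lineage. An empty list means complete.
    """
    findings = {}
    for comp in json.loads(sbom_json).get("components", []):
        kind, missing = comp.get("type"), []
        if kind == "data":
            entries = comp.get("data", [])
            if not comp.get("licenses"):
                missing.append("license")
            if not any(e.get("contents", {}).get("url") for e in entries):
                missing.append("source")
            if not any(e.get("governance", {}).get("owners") for e in entries):
                missing.append("owner")
        elif kind == "machine-learning-model":
            if not comp.get("version"):
                missing.append("version")
            if not comp.get("pedigree", {}).get("ancestors"):
                missing.append("base-model lineage")
        else:
            continue  # libraries, containers etc. are covered by classic SBOM checks
        findings[comp["name"]] = missing
    return findings
```

Running `audit_ai_components(SAMPLE_SBOM)` reports the two governed artifacts as complete and lists `license`, `source`, and `owner` as missing for the scraped corpus.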
Put it all together, and Codenotary claims these additions transform what has often been a static SBOM snapshot into a “living, behavioral inventory” of AI data, models, and operations.
Despite the new AI‑centric capabilities, SBOM.sh remains a free service that developers, DevOps teams, and security organizations can use to upload, analyze, and share SBOMs alongside their AI-powered software supply chain data. The web‑based, API‑driven service is designed to operate at scale and to integrate with existing CI/CD pipelines and workflows.
Codenotary says its broader platform is already used by hundreds of customers worldwide, including major banks, governments, and defense organizations, to protect the software development lifecycle with integrity verification and tamper detection. The company also emphasizes its use of advanced AI models to recognize attack patterns in modern software pipelines. This should appeal to any enterprise struggling to bring AI under the same governance umbrella as the rest of its software.
If this AI-savvy SBOM.sh delivers on its promises, it could become a key piece of infrastructure for teams trying to answer a deceptively simple question that regulators, customers, and boards alike are now asking: “What exactly is inside your AI code?”