Bills of Materials

The Bills of Materials endpoint returns Cranium's representation of scanned repositories or projects across your tenant. BOMs are the anchor object for the Public API: vulnerabilities and model findings both reference a billOfMaterialsId. Use this endpoint to enumerate your AI inventory anchors and to drive correlation with the vulnerability and model endpoints.

List Bills of Materials

Returns a paginated list of Bills of Materials for the authenticated tenant.

Request:

GET /api/public/billofmaterials

Authorization:

Bearer token. See Authentication & Generating Credentials.


Query parameters:

Response record:

```json
{
  "billOfMaterialsId": "guid",
  "name": "my-m1-service",
  "description": "string | null",
  "repositoryUrl": "https://github.com/org/repo",
  "vcsIntegrationName": "Our GitHub",
  "aiSystemIds": ["guid"],
  "lastScanStatus": "Completed | Failed | InProgress | NotStarted | Pending | Queued | Unscanned",
  "lastScanStatusMessage": "string | null",
  "totalVulnerabilitiesCount": 12,
  "totalResolvedVulnerabilitiesCount": 3,
  "modelCount": 2,
  "dataSetCount": 1,
  "technologyCount": 47,
  "infrastructureCount": 0,
  "createdDate": "2026-01-10T08:00:00Z",
  "updatedDate": "2026-04-14T15:32:00Z"
}
```

Field Definitions

  • billOfMaterialsId: Unique identifier for the BOM. Stable across updates. Use this value to correlate with the billOfMaterialsId field on the Technology Vulnerabilities and Arena Model Vulnerabilities endpoints.
  • name: Human-readable name of the BOM as displayed in the Cranium portal.
  • description: Free-text description of the BOM. May be null.
  • repositoryUrl: URL of the source repository associated with the BOM.
  • vcsIntegrationId: Identifier of the VCS integration used to scan the repository. Null when the BOM was scanned without a VCS integration (for example, public repositories).
  • vcsIntegrationName: Display name of the VCS integration. Null under the same conditions as vcsIntegrationId.
  • aiSystemIds: Array of AI System identifiers to which the BOM belongs. A BOM can be associated with multiple AI Systems. The array is empty when the BOM has not been assigned to any AI System.
  • lastScanStatus: Status of the most recent scan. One of Completed, Failed, InProgress, NotStarted, Pending, Queued, Unscanned.
  • lastScanStatusMessage: Additional context about the scan status, when available. May be null.
  • totalVulnerabilitiesCount: Total number of vulnerabilities currently associated with the BOM.
  • totalResolvedVulnerabilitiesCount: Number of vulnerabilities that have been marked as resolved or ignored in the Cranium portal.
  • modelCount: Number of models detected in the BOM.
  • dataSetCount: Number of datasets detected in the BOM.
  • technologyCount: Number of technologies (packages or libraries) detected in the BOM.
  • infrastructureCount: Number of infrastructure components detected in the BOM.
  • createdDate: Timestamp at which the BOM was created. ISO 8601 format.
  • updatedDate: Timestamp at which the BOM record was last updated. ISO 8601 format. This is the field the sync cursor tracks.
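
The following is an added example, not code from Cranium: it triages already-fetched BOM records for scan coverage gaps, unassigned BOMs and unresolved findings, advances a sync cursor from updatedDate, and lists findings whose billOfMaterialsId matches no known BOM. The records, the `triage` and `parse_ts` helpers and the flag strings are constructed for illustration, and the open count assumes totalVulnerabilitiesCount includes resolved and ignored items.

```python
from datetime import datetime

# Constructed sample records using field names from the response record above.
BOMS = [
    {"billOfMaterialsId": "bom-1", "aiSystemIds": ["sys-1"],
     "lastScanStatus": "Completed",
     "totalVulnerabilitiesCount": 12, "totalResolvedVulnerabilitiesCount": 3,
     "updatedDate": "2026-04-14T15:32:00Z"},
    {"billOfMaterialsId": "bom-2", "aiSystemIds": [],
     "lastScanStatus": "Failed",
     "totalVulnerabilitiesCount": 0, "totalResolvedVulnerabilitiesCount": 0,
     "updatedDate": "2026-04-15T09:00:00Z"},
    {"billOfMaterialsId": "bom-3", "aiSystemIds": ["sys-1", "sys-2"],
     "lastScanStatus": "Unscanned",
     "totalVulnerabilitiesCount": 0, "totalResolvedVulnerabilitiesCount": 0,
     "updatedDate": "2026-03-01T00:00:00Z"},
]
# Constructed findings; only the billOfMaterialsId reference comes from the page.
FINDINGS = [{"billOfMaterialsId": "bom-1"}, {"billOfMaterialsId": "bom-9"}]

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as updatedDate."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(boms, findings, cursor):
    """Return (flags per changed BOM, orphaned findings, advanced cursor)."""
    known = {b["billOfMaterialsId"] for b in boms}
    report, new_cursor = {}, cursor
    for bom in boms:
        updated = parse_ts(bom["updatedDate"])
        if updated <= cursor:
            continue  # unchanged since the last sync
        new_cursor = max(new_cursor, updated)
        flags = []
        if bom["lastScanStatus"] != "Completed":
            flags.append("scan:" + bom["lastScanStatus"])  # counts may be stale
        if not bom["aiSystemIds"]:
            flags.append("unassigned")  # not attached to any AI System
        # Assumption: the total includes resolved and ignored vulnerabilities.
        open_count = (bom["totalVulnerabilitiesCount"]
                      - bom["totalResolvedVulnerabilitiesCount"])
        if open_count > 0:
            flags.append(f"open:{open_count}")
        report[bom["billOfMaterialsId"]] = flags
    orphans = [f for f in findings if f["billOfMaterialsId"] not in known]
    return report, orphans, new_cursor
```

A BOM whose last scan is not Completed can show zero vulnerabilities simply because nothing was scanned, so the scan flag should be read before the counts.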

