Packages

After switching to the Packages view, you can review all packages discovered in your repository during scans. Use this view to quickly identify packages that need attention due to vulnerabilities or license risk.

What you can do

• Filter results
• Vulnerability Status - Narrow the list based on whether packages have known vulnerabilities (and their current status in your workflow).
• License Risk - Narrow the list based on license risk level so you can prioritize packages that may require review or replacement.
• Search
• Search by package name (for example, lodash)
• Search by version (for example, 4.17.21)
• Search by CVE (for example, CVE-2021-23337)

Custom Labels

Custom Labels let you add customer-specific metadata to components in your SBOM reports. This is especially useful for fields that typically do not exist in package ecosystems, but are required for internal governance or regulatory reporting (for example, CERT-In).

Common SBOM fields you can capture with labels

• Component description - add a short description via a label.
• End-of-life (EOL) date - since EOL is not consistently published in registries, track it explicitly with a Date type label.
• Criticality - environment-specific importance (for example, internet-facing, production-only) captured with a label.

Create a label

Create custom labels and choose a value type that matches how you want teams to apply it:

• Text - free-form notes such as a description, owner, ticket link, or justification
• Date - time-bound fields such as EOL dates and scheduled reviews
• Dropdown - controlled values such as criticality levels or yes/no fields

Value types available for labels: Text, Date, and Dropdown

Here is an example of a Dropdown label:

Attach labels to packages

After clicking Add, you can attach the newly created label to a package:

You can view attached labels by clicking the Labels badge next to the package name: