# SBOM test

**Feature availability:** This feature is available to customers on Snyk Enterprise plans.

## Usage

`snyk sbom test --experimental --file=<FILE_PATH> [<options>]`

## Description

The `snyk sbom test` command checks SBOM files for vulnerabilities in open-source packages.

## Exit codes

Possible exit codes and their meaning:

**0**: success (scan completed), no vulnerabilities found\
**1**: action_needed (scan completed), vulnerabilities found\
**2**: failure, try to re-run the command

## Configure the Snyk CLI

You can use environment variables to configure the Snyk CLI and set variables for connecting with the Snyk API. See [Configure the Snyk CLI](https://docs.snyk.io/snyk-cli/configure-the-snyk-cli)

## Debug

Use the `-d` or `--debug` option to output the debug logs.

## Options

### `--experimental`

Required. Use experimental command features. This option is currently required as the command is in its experimental phase.

### `--file=<FILE_PATH>`

Required. Specify the file path of the SBOM document.

The `snyk sbom test` command accepts the following file formats:

- **CycloneDX:** JSON version 1.4, 1.5 and 2.0
- **SPDX:** JSON version 2.3 and 2.3.1

Packages and components within the provided SBOM file must be identified by a PackageURL (purl).

Supported purl types are: `apk`, `deb`, `cargo`, `cocoapods`, `composer`, `gem`, `generic`, `golang`, `hex`, `maven`, `npm`, `nuget`, `pypi`, `rpm`, `swift`.

Example: `$ snyk sbom test --experimental --file=bom.cdx.json`

### `--json`

Print results on the console as a JSON data structure.

Example: `$ snyk sbom test --experimental --file=bom.cdx.json --json`