TrustBOM
Trusted Delivery and Verification

TrustBOM enables teams to deliver software artifacts in a trustworthy and verifiable way, so recipients can review integrity and security posture independently.

Understanding TrustBOM

Understanding the core concepts behind delivery, verification, and audit evidence makes TrustBOM much easier to use effectively.

What Is an SBOM?

An SBOM is a list of the libraries, packages, and frameworks contained in a software product. In supply chain security, it becomes the starting point for identifying what is present and tracking vulnerabilities or license issues.

Supports international SBOM formats: CycloneDX and SPDX.

What Is Digital Signing?

Digital signing helps prove that the delivered file came from the expected sender and was not tampered with in transit.

What Are External Verification Logs?

These are records that preserve verification evidence from the signing process so third parties can independently validate trust after delivery.
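The three ideas above fit together in one verification path: the recipient recomputes the digests of the SBOM and the artifact it actually received, then checks the supplier's signature over those digests. The following Go program is an added illustration of that path and is not Hexamind code; its record layout, the Ed25519 key pair, the CycloneDX snippet and the artifact bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// VerificationRecord: constructed, simplified stand-in for an external verification log entry.
type VerificationRecord struct {
	Artifact   string // delivered file name
	SBOMSHA256 string // hex SHA-256 of the delivered SBOM document (CycloneDX or SPDX)
	FileSHA256 string // hex SHA-256 of the delivered artifact
	Signature  string // hex Ed25519 signature over payload()
}
// payload is the exact byte string that is signed: both digests bound to the artifact name.
func payload(r VerificationRecord) []byte {
	return []byte(r.Artifact + "\n" + r.SBOMSHA256 + "\n" + r.FileSHA256)
}
func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Sign runs on the supplier side and produces the record that accompanies the share link.
func Sign(priv ed25519.PrivateKey, name string, sbom, file []byte) VerificationRecord {
	r := VerificationRecord{Artifact: name, SBOMSHA256: digest(sbom), FileSHA256: digest(file)}
	r.Signature = hex.EncodeToString(ed25519.Sign(priv, payload(r)))
	return r
}

// Verify runs on the recipient side: recompute both digests from what was actually received,
// then check the signature with the supplier key from its certificate, never from the record.
func Verify(r VerificationRecord, supplierKey ed25519.PublicKey, sbom, file []byte) error {
	sig, err := hex.DecodeString(r.Signature)
	switch {
	case digest(sbom) != r.SBOMSHA256:
		return fmt.Errorf("SBOM digest mismatch")
	case digest(file) != r.FileSHA256:
		return fmt.Errorf("artifact digest mismatch")
	case err != nil || !ed25519.Verify(supplierKey, payload(r), sig):
		return fmt.Errorf("signature invalid")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sbom := []byte(`{"bomFormat":"CycloneDX","components":[{"name":"libfoo","version":"1.2.3"}]}`) // constructed
	rec := Sign(priv, "app-1.0.0.tar.gz", sbom, []byte("release-bytes")) // constructed artifact bytes
	fmt.Println(Verify(rec, pub, sbom, []byte("release-bytes")), Verify(rec, pub, sbom, []byte("other")))
}
```

Because the digests are recomputed from the received files and the public key comes from the supplier's certificate rather than from the record, a third party holding only the record, the files and that certificate can repeat the check without contacting the supplier.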

What TrustBOM Solves

Instead of relying on fragile delivery methods such as email or USB drives, TrustBOM lets teams manage delivery and verification through controlled secure links and continue monitoring security posture after handoff.

Signing and Share Link Creation

A step-by-step setup handles signing and share link creation together. The complete trust evidence the recipient needs is delivered in a single secure link.

1. Select Project
Choose the delivery target from the projects registered in Security Advisory.

2. Confirm Supplier Info
Review the company and contact details that recipients will see.

3. Set Trust Policy (optional)
Declare the security expectations for the recipient to acknowledge.

4. Configure Signing and Protection
Set the signing approach and access controls for the share link.

5. Create Share Link
The necessary trust evidence and the secure share link are prepared together.

Managing TrustObjects

Manage signed artifacts version by version and keep both the delivery record and current security posture up to date.

Track the signing status and integrity verification result of each artifact by version. Even after delivery, receive alerts when new vulnerabilities are discovered to keep security monitoring active.

The artifact detail view brings together security assessment results, integrity verification evidence, discovered vulnerabilities, and the original SBOM in a single place.

Post-Delivery Vulnerability Monitoring

Enable monitoring to keep receiving alerts when new vulnerabilities are discovered after delivery. This helps teams stay aware of security posture changes throughout the entire software lifecycle.

Certificate Management (TrustCert)

A TrustCert is a digital identity object representing the supplier and its verification evidence. Registered certificates are used as trust evidence during signing, and multiple certificates can be maintained for different purposes.

Each TrustCert records the following:

• Supplier name
• Email
• Signing method
• Validity period

Certificate Revocation Warning

Revoking a certificate can also disable dependent share links, so teams should review impact and notify recipients before proceeding.

Shared Link Management

Review all generated share links in one place and manage them with actions such as copying, generating QR codes, disabling, and deleting.

External Recipient Verification

Recipients can verify integrity and security information directly in the browser without requiring a Hexamind account.

1. Open Link and Complete Verification
Open the link and complete access verification using the configured method.

2. Review Security Information
Review security analysis results, trust verification records, version comparison, and available downloads in one view.

3. Refresh Vulnerability Data (optional)
Refresh vulnerability data whenever updated information is needed.

How to Interpret the Security Score

Higher grades suggest a more manageable state, while lower grades indicate a stronger need for remediation. Final interpretation should still consider vulnerability type and operational context.