Skip to content
Latchkey

grype "unable to decode sbom" consuming an SBOM in CI

grype was asked to scan an SBOM but could not decode it. Either the file is not a format grype recognizes, or you passed a path without the sbom: scheme so grype tried to treat it as an image.

What this error means

grype fails with "unable to decode sbom" or "unable to determine source" when given an SBOM file path, instead of listing vulnerabilities.

grype
grype sbom.json
1 error occurred:
    * unable to decode sbom: unable to identify format

Common causes

Missing the sbom: scheme prefix

A bare path is interpreted as an image reference. grype needs sbom:./file.json to read the SBOM instead of trying to pull an image.

An unsupported or corrupted SBOM format

grype reads Syft JSON, SPDX, and CycloneDX. A truncated file, a non-SBOM JSON, or an unexpected schema version fails to decode.

How to fix it

Use the sbom: scheme

  1. Prefix the file with sbom: so grype parses it as an SBOM.
  2. Confirm the file is valid JSON and non-empty first.
  3. Re-run to get the vulnerability match table.
Terminal
grype sbom:./sbom.json --fail-on high

Regenerate the SBOM in a supported format

If decode still fails, regenerate with syft in a format grype reads natively, then rescan.

Terminal
syft dir:. -o cyclonedx-json=sbom.json
grype sbom:./sbom.json

How to prevent it

  • Always pass SBOMs to grype with the sbom: scheme.
  • Standardize on one SBOM format across generation and scanning.
  • Validate SBOM JSON before it flows into a scan step.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →