grype "unable to decode sbom" consuming an SBOM in CI
grype was asked to scan an SBOM but could not decode it. Either the file is not a format grype recognizes, or you passed a path without the sbom: scheme so grype tried to treat it as an image.
What this error means
grype fails with "unable to decode sbom" or "unable to determine source" when given an SBOM file path, instead of listing vulnerabilities.
grype sbom.json
1 error occurred:
* unable to decode sbom: unable to identify formatCommon causes
Missing the sbom: scheme prefix
A bare path is interpreted as an image reference. grype needs sbom:./file.json to read the SBOM instead of trying to pull an image.
An unsupported or corrupted SBOM format
grype reads Syft JSON, SPDX, and CycloneDX. A truncated file, a non-SBOM JSON, or an unexpected schema version fails to decode.
How to fix it
Use the sbom: scheme
- Prefix the file with
sbom:so grype parses it as an SBOM. - Confirm the file is valid JSON and non-empty first.
- Re-run to get the vulnerability match table.
grype sbom:./sbom.json --fail-on highRegenerate the SBOM in a supported format
If decode still fails, regenerate with syft in a format grype reads natively, then rescan.
syft dir:. -o cyclonedx-json=sbom.json
grype sbom:./sbom.jsonHow to prevent it
- Always pass SBOMs to grype with the
sbom:scheme. - Standardize on one SBOM format across generation and scanning.
- Validate SBOM JSON before it flows into a scan step.