QSBOM creates quantum-safe build attestations for your software supply chain. It hashes your SBOM and build artifacts with SHA3-256, computes a Merkle root over those digests, and stamps it on the QAN Blockchain.
You get a tamper-evident, independently verifiable record that the build you attested is exactly what you shipped: any later change to the SBOM or to an artifact produces a different hash. Useful for NIS2 compliance, supply chain security, and audit trails.
Your CI submits the SBOM and artifact hashes to sbom.qverax.eu and receives a build_hash for verification. You never interact with the blockchain. Our relayer handles all on-chain transactions. You only need a free API key from portal.qverax.eu, no wallet and no credit card.
Attestation requires a QPORTAL API key in the X-Api-Key header. Verification stays free.
Keys have the form qvx_... and won't be shown again after creation, so store yours in a secret store (for example as QVERAX_API_KEY in GitHub Actions).

| Plan | Stamps / month | Price |
|---|---|---|
| Free | 50 | 0 |
| Starter | 500 | ~€9 / mo |
| Pro | 5,000 | ~€29 / mo |
| Enterprise | Unlimited | Contact us |
When the quota is exhausted, /attest returns 402 Payment Required with an upgrade link.
```bash
# Attest with SBOM + artifacts
curl -X POST https://sbom.qverax.eu/attest/upload \
  -H "X-Api-Key: $QVERAX_API_KEY" \
  -F "project=acme/payment-service" \
  -F "version=v2.4.1" \
  -F "git_commit=a3f7b2c" \
  -F "sbom=@sbom.cdx.json" \
  -F "artifacts=@dist/app.tar.gz" \
  -F "memo=Release v2.4.1"
```
```bash
# Attest with pre-computed hashes (no file upload)
curl -X POST https://sbom.qverax.eu/attest \
  -H "X-Api-Key: $QVERAX_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "project": "acme/payment-service",
    "version": "v2.4.1",
    "git_commit": "a3f7b2c9",
    "artifact_hashes": {
      "app-linux-amd64": "<sha3-256>",
      "app-darwin-arm64": "<sha3-256>"
    }
  }'
```
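How to produce the `<sha3-256>` values for the JSON call and assemble the body, as an added example that is not QSBOM's own client. It assumes only the payload shape shown in the curl call above (project, version, git_commit, artifact_hashes) and lowercase-hex digests; the sample artifacts it writes are constructed stand-ins for real build output, and the `attest()` helper only talks to the service when `QVERAX_API_KEY` is set.

```python
"""Added example, not QSBOM's own client: compute SHA3-256 digests for the
JSON /attest call and assemble the request body shown above.
Assumes the payload shape from the curl example (project, version, git_commit,
artifact_hashes) and lowercase-hex digests; nothing else about the API is assumed."""
import hashlib
import json
import os
import tempfile
import urllib.request
from pathlib import Path
from typing import Dict, Iterable, Tuple

ATTEST_URL = "https://sbom.qverax.eu/attest"
HEX_DIGITS = set("0123456789abcdef")


def sha3_256_bytes(data: bytes) -> str:
    return hashlib.sha3_256(data).hexdigest()


def sha3_256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA3-256 so multi-GB artifacts need not fit in memory."""
    h = hashlib.sha3_256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_artifacts(paths: Iterable[Path]) -> Dict[str, str]:
    """Map artifact file name -> digest, in name order so the payload is reproducible."""
    return {p.name: sha3_256_file(p) for p in sorted(paths, key=lambda p: p.name)}


def build_attest_payload(project: str, version: str, git_commit: str,
                         artifact_hashes: Dict[str, str]) -> dict:
    """Build the JSON body for POST /attest, rejecting anything that is not a SHA3-256 hex digest."""
    if not artifact_hashes:
        raise ValueError("at least one artifact digest is required")
    for name, digest in artifact_hashes.items():
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"{name}: expected 64 lowercase hex chars, got {digest!r}")
    return {"project": project, "version": version, "git_commit": git_commit,
            "artifact_hashes": dict(artifact_hashes)}


def attest(payload: dict, api_key: str) -> Tuple[int, dict]:
    """POST the payload with the X-Api-Key header; returns (HTTP status, parsed JSON).
    urlopen raises HTTPError on 401/402, so a bad key or exhausted quota fails loudly."""
    req = urllib.request.Request(
        ATTEST_URL, data=json.dumps(payload).encode(), method="POST",
        headers={"X-Api-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.load(resp)


def write_sample_artifacts() -> Dict[str, Path]:
    """Constructed stand-ins for real build output so the example runs offline."""
    d = Path(tempfile.mkdtemp(prefix="qsbom-example-"))
    contents = {"app-linux-amd64": b"\x7fELF constructed sample, not a real binary\n",
                "app-darwin-arm64": b""}  # empty file: SHA3-256 is the well-known a7ffc6f8...
    out = {}
    for name, data in contents.items():
        (d / name).write_bytes(data)
        out[name] = d / name
    return out


if __name__ == "__main__":
    artifacts = write_sample_artifacts()
    payload = build_attest_payload("acme/payment-service", "v2.4.1", "a3f7b2c9",
                                   hash_artifacts(artifacts.values()))
    print(json.dumps(payload, indent=2))
    key = os.environ.get("QVERAX_API_KEY")
    if key:  # only contacts the service when a key is present
        status, body = attest(payload, key)
        print(status, body.get("build_hash"))
```

Hash the exact bytes you ship (the signed, stripped, packaged binary), not an intermediate build output, because re-verification later requires byte-identical inputs. Note that the JSON endpoint as shown carries artifact digests only; to attest the SBOM file itself, use /attest/upload.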
Full workflow: generates the SBOM, attests the build, and writes the result to the job summary. Add your API key as the repository secret QVERAX_API_KEY (Settings → Secrets → Actions); the workflow reads it from `secrets.QVERAX_API_KEY` and never prints it.
```yaml
# .github/workflows/qsbom.yml
name: QSBOM Build Attestation
on:
  push:
    branches: [main]   # for tagged releases use `tags: ['v*']` so VERSION carries the tag name
jobs:
  attest:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # needed only for the optional git-notes push below
    steps:
      - uses: actions/checkout@v4
      - name: Generate SBOM (optional)
        uses: anchore/sbom-action@v0
        with:
          format: cyclonedx-json
          output-file: sbom.json
      - name: Attest Build
        env:
          QVERAX_API_KEY: ${{ secrets.QVERAX_API_KEY }}
          # Pass workflow context through env instead of interpolating ${{ }} into the script
          PROJECT: ${{ github.repository }}
          VERSION: ${{ github.ref_name }}
          GIT_COMMIT: ${{ github.sha }}
        run: |
          HTTP_CODE=$(curl -s -w "%{http_code}" -o /tmp/qsbom.json \
            -X POST https://sbom.qverax.eu/attest/upload \
            -H "X-Api-Key: $QVERAX_API_KEY" \
            -F "project=$PROJECT" \
            -F "version=$VERSION" \
            -F "git_commit=$GIT_COMMIT" \
            -F "memo=Release $VERSION" \
            -F "sbom=@sbom.json")
          python3 -m json.tool /tmp/qsbom.json || cat /tmp/qsbom.json
          if [ "$HTTP_CODE" = "200" ] || [ "$HTTP_CODE" = "201" ]; then
            BUILD_HASH=$(python3 -c "import json; print(json.load(open('/tmp/qsbom.json')).get('build_hash', ''))")
            echo "BUILD_HASH=$BUILD_HASH" >> "$GITHUB_ENV"
            {
              echo "## QSBOM Attestation"
              echo "- **Hash:** \`$BUILD_HASH\`"
              echo "- **Verify:** https://sbom.qverax.eu/verify/$BUILD_HASH"
            } >> "$GITHUB_STEP_SUMMARY"
          else
            echo "::warning::QSBOM: HTTP $HTTP_CODE"
          fi
      # Optional: annotate the commit with the build hash
      - name: Git Notes
        if: env.BUILD_HASH != ''
        env:
          GIT_SHA: ${{ github.sha }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git fetch origin "refs/notes/*:refs/notes/*" || true
          git notes add -m "qsbom: $BUILD_HASH" "$GIT_SHA" || \
            git notes append -m "qsbom: $BUILD_HASH" "$GIT_SHA"
          git push origin refs/notes/commits || true
```
```bash
# Check if hash exists on-chain
curl https://sbom.qverax.eu/verify/<build_hash>

# Or re-submit the same data to re-compute and verify
curl -X POST https://sbom.qverax.eu/verify \
  -H "Content-Type: application/json" \
  -d '{"project":"acme/my-app","version":"v2.4.1",
       "artifact_hashes":{"app":"..."}}'
```
Example response:

```json
{
  "status": "attested",
  "build_hash": "428cc8382ee36dc1...a5db2bb",
  "tx_hash": "0x8929de53f4654895...18f63b",
  "block_number": 597943,
  "stamped_at": "2026-03-12T22:03:38+00:00",
  "verify_url": "https://sbom.qverax.eu/verify/428cc83...",
  "sbom": { "format": "CycloneDX", "components": 142 },
  "artifact_count": 3
}
```
No data is stored on our servers; only the resulting hash is anchored on-chain. Save the build_hash for instant future verification, for example as a git note: `git notes add -m "qsbom: $HASH"` (visible via `git log --show-notes`).
Even without the hash, you can always re-verify by re-submitting the same data. That only works if you keep the exact SBOM and artifacts (or their SHA3-256 digests) that you submitted: a single changed byte yields a different hash and the lookup will not match.
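A deploy-time verification gate built on the two points above, as an added example that is not QSBOM's own tooling: it reads the `qsbom: <hash>` note the workflow writes on the commit, calls GET /verify/{hash}, and refuses to proceed unless the response says that exact hash is attested. It checks only the response fields shown in the sample above; `SAMPLE_RESPONSE` is constructed test data, not a real chain record.

```python
"""Added example, not QSBOM's own tooling: a deploy-time verification gate.
Reads the hash recorded by the workflow's git-notes step ("qsbom: <hash>"),
asks GET /verify/{hash}, and passes only when the response reports status
"attested" for exactly that hash. SAMPLE_RESPONSE is constructed test data."""
import json
import re
import subprocess
import sys
import urllib.request
from typing import Dict, List, Tuple

VERIFY_URL = "https://sbom.qverax.eu/verify"
NOTE_RE = re.compile(r"^qsbom:\s*([0-9a-f]{64})\s*$", re.MULTILINE)

# Constructed stand-in for a real /verify response (same shape as the sample above).
SAMPLE_RESPONSE: Dict = {
    "status": "attested",
    "build_hash": "deadbeef" * 8,
    "tx_hash": "0x" + "ab" * 32,
    "block_number": 597943,
    "stamped_at": "2026-03-12T22:03:38+00:00",
}


def parse_build_hashes(notes_text: str) -> List[str]:
    """Every 'qsbom: <64-hex>' line in a commit's notes, in the order they were appended."""
    return NOTE_RE.findall(notes_text)


def build_hashes_for_commit(sha: str) -> List[str]:
    """Read the commit's git notes; empty list if the commit has none."""
    proc = subprocess.run(["git", "notes", "show", sha], capture_output=True, text=True)
    return parse_build_hashes(proc.stdout) if proc.returncode == 0 else []


def fetch_verification(build_hash: str) -> Dict:
    """GET /verify/{hash}; verification needs no API key."""
    with urllib.request.urlopen(f"{VERIFY_URL}/{build_hash}", timeout=30) as resp:
        return json.load(resp)


def evaluate(expected_hash: str, response: Dict) -> Tuple[bool, str]:
    """Accept only a response saying *this* hash is anchored in a concrete transaction."""
    if response.get("status") != "attested":
        return False, f"status is {response.get('status')!r}, not 'attested'"
    if response.get("build_hash") != expected_hash:
        return False, "response is about a different build_hash"
    if not response.get("tx_hash") or not response.get("block_number"):
        return False, "no on-chain transaction reference in response"
    return True, f"anchored in {response['tx_hash']} at block {response['block_number']}"


def gate(sha: str) -> bool:
    """True if the newest QSBOM hash noted on the commit verifies on-chain."""
    hashes = build_hashes_for_commit(sha)
    if not hashes:
        print(f"{sha}: no qsbom note found; refusing to deploy an unattested build")
        return False
    latest = hashes[-1]
    ok, why = evaluate(latest, fetch_verification(latest))
    print(f"{sha}: {latest[:16]}... {'OK' if ok else 'FAIL'}: {why}")
    return ok


if __name__ == "__main__":
    sys.exit(0 if gate(sys.argv[1] if len(sys.argv) > 1 else "HEAD") else 1)
```

The git note is only a locator: anyone with push access could replace it with the hash of some other attested build. When the question is "are these bytes the attested ones" rather than "does this hash exist on-chain", recompute the digests from the artifacts you are about to deploy and POST them to /verify instead, which binds the check to the actual bits.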
Optional plaintext stored in the blockchain transaction. It is publicly visible on the block explorer and cannot be removed later. Use it for labels like "Release v2.4.1". Do not include confidential information.
| Format | Versions |
|---|---|
| CycloneDX | 1.4, 1.5, 1.6 |
| SPDX | 2.2, 2.3 |
| Endpoint | Method | Auth | Description |
|---|---|---|---|
| /attest | POST | X-Api-Key | JSON attestation (pre-computed hashes) |
| /attest/upload | POST | X-Api-Key | File upload (SBOM + artifacts) |
| /verify/{hash} | GET | — | Check hash on-chain (free) |
| /verify | POST | — | Re-submit data to verify (free) |
| /certificate | POST | — | PDF certificate via data reproduction |
| /health | GET | — | Service health |
| /docs | GET | — | OpenAPI docs |
401 Unauthorized: the key is missing or invalid. 402 Payment Required: the monthly quota is exhausted; upgrade at portal.qverax.eu.
| NIS2 Article | Requirement | QSBOM Coverage |
|---|---|---|
| Art. 21(2)(d) | Supply chain security | SBOM integrity attestation |
| Art. 21(2)(e) | Security in IT acquisition | Build artifact integrity |
| Art. 21(2)(h) | Cryptography | SHA3-256 + Dilithium |