Quickstart
This is the shortest path from no Quaze account to seeing your first findings on a real SBOM. We start in the app for the first run, then show the API flow once you are ready to automate.
1. Create an account
Go to app.quaze.io/signup and create an account. The Free plan is enough for this walkthrough.
2. Create a product and a component
In the app, create a product (the unit of software you ship — for example my-service). Inside it, create a component (typically one service, library, or image you build).
The product and component are the parents your SBOMs hang off. You can create as many components as you need; the simplest setup is one product with one component.
If you prefer to do this from the API, see Create a component.
3. Upload your first SBOM (app)
In the app, open the component and use Upload SBOM. Drag in a CycloneDX or SPDX SBOM file, set the version (for example 1.0.0), and submit.
If you do not have an SBOM lying around, generate one with Trivy in a minute or two.
4. View findings
Quaze ingests the SBOM and produces findings within a minute or two. Open the component or product page in the app to see them. Each finding shows the affected component version, the CVE, severity, and any environments the affected version is running in.
5. Automate it
Once the first SBOM is in, wire the upload into your CI so every release is monitored automatically.
a. Create an API token
The organization owner can create API tokens from the app under Manage organization → API tokens → Create token. Copy the value once — it is only shown at creation. Tokens start with qzat_ and go in the Authorization header, with no Bearer prefix. The full reference is in the API overview.
b. Note the IDs
Note your productId and componentId from the app. Both are UUIDs; you will pass them with every SBOM upload.
c. Upload via the API
Uploading from CI is a two-step flow: request a presigned URL, then PUT the SBOM bytes to it.
```bash
# Step 1: request the upload URL
response=$(curl -fsS -X POST https://api.quaze.io/v1/upload-sbom \
  -H "Authorization: $QUAZE_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d "{
    \"productId\": \"$PRODUCT_ID\",
    \"componentId\": \"$COMPONENT_ID\",
    \"version\": \"$VERSION\",
    \"fileName\": \"sbom.cdx.json\"
  }")

presigned_url=$(printf '%s' "$response" | jq -r .presignedUrl)

# Step 2: upload the SBOM bytes
curl -fsS -X PUT "$presigned_url" --upload-file sbom.cdx.json
```

Full details and request/response schema: Upload an SBOM.
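A hardened variant of the same two-step upload, added here as an example and not taken from Quaze's documentation or code: it checks the token and IDs before any request is sent, builds the JSON body with jq, and refuses a missing or non-https presignedUrl. The function names and the https check are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: preflight checks around the two-step upload. Function names are hypothetical.

# Token format stated on this page: starts with qzat_, sent without "Bearer".
valid_token() {
  case "$1" in
    qzat_?*) return 0 ;;
    *) return 1 ;;   # also rejects "Bearer qzat_..." and empty values
  esac
}

# productId and componentId are UUIDs; catch a pasted name before calling the API.
valid_uuid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Let jq encode the values so quotes or backslashes in a value (for example a
# version derived from a git tag) cannot change the structure of the JSON body.
build_payload() {
  jq -cn --arg p "$1" --arg c "$2" --arg v "$3" --arg f "$4" \
    '{productId: $p, componentId: $c, version: $v, fileName: $f}'
}

# Print presignedUrl only if it is a string and uses https (the https check is
# an assumption of this example); plain `jq -r` prints "null" for a missing field.
presigned_url_from() {
  _url=$(printf '%s' "$1" | jq -er '.presignedUrl | strings') || return 1
  case "$_url" in
    https://*) printf '%s\n' "$_url" ;;
    *) return 1 ;;
  esac
}

# Full flow, using the same environment variables as the snippet above.
upload_sbom() {   # usage: upload_sbom sbom.cdx.json
  valid_token "$QUAZE_API_TOKEN" || { echo "token must start with qzat_" >&2; return 1; }
  { valid_uuid "$PRODUCT_ID" && valid_uuid "$COMPONENT_ID"; } ||
    { echo "productId and componentId must be UUIDs" >&2; return 1; }
  body=$(build_payload "$PRODUCT_ID" "$COMPONENT_ID" "$VERSION" "$(basename "$1")") || return 1
  # The token goes only to the API call, never to the presigned URL.
  response=$(curl -fsS -X POST https://api.quaze.io/v1/upload-sbom \
    -H "Authorization: $QUAZE_API_TOKEN" -H "Content-Type: application/json" \
    -d "$body") || return 1
  url=$(presigned_url_from "$response") || { echo "no usable presignedUrl" >&2; return 1; }
  curl -fsS -X PUT "$url" --upload-file "$1"
}
```

Source the file in a CI step and call `upload_sbom sbom.cdx.json`; a non-zero return fails the job before any SBOM bytes leave the runner.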
Next steps
- Wire SBOM generation in CI with the Trivy guide.
- Learn how Quaze models products, releases, and environments.
- Bundle component versions into a release snapshot.
- Tell Quaze which release is live in which environment with Deploy to environment or Import release to environment.