Overview
Use Manifests to review dependency files discovered during repository scans. A manifest represents a package manager file, lock file, or dependency source that Cysmiq uses to build dependency and SBOM data. Manifest views help you move from a dependency file to its packages, package versions, repository, policy state, and SBOM export.When to use manifests
- Find dependency files across repositories
- Review direct and transitive dependencies for a manifest
- Inspect dependency paths in a dependency tree
- Review package and manifest policy status when policies are enabled
- Export a manifest-level SBOM
- Drill into packages, repositories, or vulnerabilities from dependency data
Manifest list
The Manifests list shows manifest identity, language, type, asset, ref, package count, created date, policy status when policies are enabled, and row actions. Use the list to filter by:- Ref scope, with Default refs selected by default
- Whether a manifest has packages
- Language
- Type
- Asset
- Path
- Package, package version, or usage drilldowns opened from package views
Manifest detail view
Open a manifest to review:| Section | What it shows |
|---|---|
| Details | Path, manifest file, lock file, directory, language, type, package manager, group key when available, version when available, linked asset, and created date. |
| Direct Dependencies | Packages used directly by the manifest, including package name, version, PURL, dependency usage labels, and policy state when policies are enabled. |
| Transitive Dependencies | Packages brought in by direct dependencies, including package name, version, PURL, introducer, dependency usage labels, and policy state when policies are enabled. |
| Dependency Tree | A searchable dependency tree with expandable nodes and dependency scope controls. |
| Summary | Total packages, unique packages, direct and transitive dependency counts, production dependency counts, policy state when available, and SBOM export. |
Dependency scope
Direct dependencies, transitive dependencies, and the dependency tree include a Dependency scope control.| Scope | Meaning |
|---|---|
| Production | Shows dependencies treated as production dependencies when Cysmiq has classification data. |
| All | Shows all dependencies for the manifest. |
Policy status
When package and manifest policies are enabled, the manifest detail page can show policy state in the summary and in dependency rows. Public status labels include:- Compliant
- Violation
- Needs review
- Exception
SBOM export
Use Download SBOM on the manifest detail page to export a CycloneDX SBOM for the manifest. Available formats:- CycloneDX JSON
- CycloneDX XML