Authenticate to the Orca API using your API token in the Authorization: Token YOUR_TOKEN header.
Use the Orca API or console to trigger an SBOM export for a specific asset type (container image, virtual machine, or serverless function) by specifying asset filters in the request body.
Retrieve the scheduled or on-demand SBOM report in SPDX, CycloneDX, or JSON format via the reports endpoint; check the report's status field before downloading.
Download the completed SBOM file using the download URL returned in the report metadata response.
Use the SBOM output to feed downstream vulnerability scanning pipelines (e.g., Grype) or compliance tooling that requires a package inventory.
Schedule recurring SBOM exports through Orca's report scheduler and configure delivery to a cloud storage bucket or email destination via the integration settings.
Known gotchas
Orca generates SBOMs from agentless snapshot scans; the SBOM reflects the state of the workload at the last scan time, not real-time package state.
SBOM export format availability (SPDX, CycloneDX) may depend on your Orca licensing tier; verify format support in your tenant before building automation around a specific format.
Large SBOM exports for environments with many workloads may require polling for completion rather than expecting a synchronous response.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp