# Pipeline Bill of Materials

The Pipeline Bill of Materials (PBOM) tab provides end-to-end visibility into how the artifact moved through the software supply chain.

It shows all stages from source control to cloud deployment, helping you visualize traceability, security posture, and operational context.

<figure><img src="/files/fYwoxlfCcYcmqwaIa7x1" alt=""><figcaption></figcaption></figure>

<table><thead><tr><th width="211">Field</th><th>Description</th></tr></thead><tbody><tr><td><strong>Git Posture</strong></td><td>Indicates if Git-based configuration risks were detected.</td></tr><tr><td><strong>Code Security</strong></td><td>Whether the source code was scanned for vulnerabilities.</td></tr><tr><td><strong>Secret/PII Scan</strong></td><td>Flags whether any hardcoded secrets or sensitive data were detected.</td></tr><tr><td><strong>Open Source Security</strong></td><td>Highlights any third-party component risks.</td></tr><tr><td><strong>SBOM</strong></td><td>Indicates whether a Software Bill of Materials is available.</td></tr><tr><td><strong>Infrastructure as Code Scan</strong></td><td>Shows whether IaC security scanning was performed.</td></tr><tr><td><strong>CI/CD Posture</strong></td><td>Reports security checks and hygiene at the pipeline level.</td></tr><tr><td><strong>Container Security</strong></td><td>Indicates scanning results for container vulnerabilities.</td></tr><tr><td><strong>API Security</strong></td><td>Displays any detected API-related risks.</td></tr><tr><td><strong>Artifact Integrity</strong></td><td>Verifies whether the artifact has been tampered with across stages.</td></tr><tr><td><strong>Cloud Context</strong></td><td>Number of environments or accounts where the artifact was observed.</td></tr></tbody></table>

In addition, the PBOM visual map shows:

* **Source Control**: The Git repository where the code originated.
* **CI/CD**: The pipeline used to build and package the artifact.
* **Registry**: The storage location of the built image.
* **Cloud Deployment**: Cloud accounts and services where the artifact is deployed (e.g., AWS, GCP).

