SBOMFlow Error Reference

When a command fails, SBOMFlow prints a stable error code, a one-line fix, and a link back to this page. Codes are stable — once shipped, a code's meaning never changes, so CI logs and bookmarks keep working.

This page complements EXIT_CODES.md (process exit codes for CI) and ONBOARDING.md (first-run walkthrough). If you are brand new, start with:

bash
sbomflow quickstart .      # auto-detect, scaffold config, run an offline audit
sbomflow doctor .          # report your environment + config facts

The public reference is https://sbomflow.com/docs/errors. The base URL can be overridden with the SBOMFLOW_DOCS_URL environment variable for an internal mirror; the anchors below stay the same. Air-gapped operators can run sbomflow help error <code> for the same catalog without opening a browser.


E001 — Target directory not found

Exit code: 2

Cause. The path you passed to analyze/audit does not exist.

Fix. Pass an existing product directory (your source or build tree):

bash
sbomflow audit ./my-product --output ./evidence
# or, to get going with sensible defaults:
sbomflow quickstart ./my-product

E002 — Target path is not a directory

Exit code: 2

Cause. The path exists but is a file. SBOMFlow scans a directory tree (lockfiles, manifests, SBOMs, firmware images), not a single file.

Fix. Point SBOMFlow at the product's source/build directory. To ingest a single SBOM file, scan its directory and pass the file with --import-sbom:

bash
sbomflow audit ./my-product --import-sbom ./sbom/rootfs.cdx.json --output ./evidence

E003 — Output path is not a directory

Exit code: 2

Cause. The --output path points at an existing file.

Fix. Choose a directory path for --output (it is created if missing):

bash
sbomflow audit ./my-product --output ./evidence-pack

E010 — Malformed or unknown-key configuration

Exit code: 2

Cause. sbomflow.yaml/sbomflow.json (auto-discovered in the target, or passed via --config) has a syntax error or an unrecognised key.

Fix. Validate it and let the message point at the exact problem:

bash
sbomflow validate-config ./sbomflow.yaml
sbomflow doctor .

My error isn't listed here

Most other failures are warnings (SBOMFlow warns, never silently ignores) and appear in scan-warnings.json with a stable warning key — see SIGNAL_CATALOG.md and warning_catalog. For process exit codes in CI, see EXIT_CODES.md. If a failure is unclear, run sbomflow doctor . and open an issue with the output.