SBOMFlow Error Reference
When a command fails, SBOMFlow prints a stable error code, a one-line fix, and a link back to this page. Codes are stable — once shipped, a code's meaning never changes, so CI logs and bookmarks keep working.
This page complements EXIT_CODES.md (process exit codes for CI) and ONBOARDING.md (first-run walkthrough). If you are brand new, start with:
sbomflow quickstart . # auto-detect, scaffold config, run an offline audit
sbomflow doctor . # report your environment + config facts

The public reference is https://sbomflow.com/docs/errors. The base URL can be overridden with the SBOMFLOW_DOCS_URL environment variable for an internal mirror; the anchors below stay the same. Air-gapped operators can run sbomflow help error <code> for the same catalog without opening a browser.
E001 — Target directory not found
Exit code: 2
Cause. The path you passed to analyze/audit does not exist.
Fix. Pass an existing product directory (your source or build tree):
sbomflow audit ./my-product --output ./evidence
# or, to get going with sensible defaults:
sbomflow quickstart ./my-product

E002 — Target path is not a directory
Exit code: 2
Cause. The path exists but is a file. SBOMFlow scans a directory tree (lockfiles, manifests, SBOMs, firmware images), not a single file.
Fix. Point SBOMFlow at the product's source/build directory. To ingest a single SBOM file, scan its directory and pass the file with --import-sbom:
sbomflow audit ./my-product --import-sbom ./sbom/rootfs.cdx.json --output ./evidence

E003 — Output path is not a directory
Exit code: 2
Cause. The --output path points at an existing file.
Fix. Choose a directory path for --output (it is created if missing):
sbomflow audit ./my-product --output ./evidence-pack

E010 — Malformed or unknown-key configuration
Exit code: 2
Cause. sbomflow.yaml/sbomflow.json (auto-discovered in the target, or passed via --config) has a syntax error or an unrecognised key.
Fix. Validate it and let the message point at the exact problem:
sbomflow validate-config ./sbomflow.yaml
sbomflow doctor .

My error isn't listed here
Most other failures are warnings (SBOMFlow warns, never silently ignores) and appear in scan-warnings.json with a stable warning key — see SIGNAL_CATALOG.md and warning_catalog. For process exit codes in CI, see EXIT_CODES.md. If a failure is unclear, run sbomflow doctor . and open an issue with the output.
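
The path conditions documented for E001, E002 and E003 can be checked in a CI step before SBOMFlow is invoked, so a misconfigured job fails fast with the same code and exit status. The script below is an added example, not SBOMFlow's own code; the function names sbomflow_preflight and guarded_audit are hypothetical, and the checks only mirror the causes stated on this page.

```shell
#!/bin/sh
# Added example (not part of SBOMFlow): pre-flight path checks that mirror
# the documented causes of E001, E002 and E003. Function names are hypothetical.

# Print the matching error code, or "ok", for a target/output pair.
# Returns 2 (the exit code documented for these errors) when a check fails.
sbomflow_preflight() {
    target=$1
    output=$2

    # E001: the target path does not exist (a dangling symlink also lands here).
    if [ ! -e "$target" ]; then
        echo "E001"
        return 2
    fi

    # E002: the target exists but is not a directory.
    # [ -d ] follows symlinks, so a symlink to a directory passes.
    if [ ! -d "$target" ]; then
        echo "E002"
        return 2
    fi

    # E003: --output points at something that exists and is not a directory.
    # A missing output path is fine: the page says it is created if missing.
    if [ -e "$output" ] && [ ! -d "$output" ]; then
        echo "E003"
        return 2
    fi

    echo "ok"
}

# Run the audit only when the pre-flight passes; otherwise point the operator
# at the offline catalog entry for the code.
guarded_audit() {
    code=$(sbomflow_preflight "$1" "$2") || {
        echo "preflight: $code (run: sbomflow help error $code)" >&2
        return 2
    }
    sbomflow audit "$1" --output "$2"
}
```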