{"id":13717269,"url":"https://github.com/awesomeSBOM/awesome-sbom","last_synced_at":"2025-05-07T07:30:50.607Z","repository":{"id":40305478,"uuid":"390993721","full_name":"awesomeSBOM/awesome-sbom","owner":"awesomeSBOM","description":"A curated list of SBOM (Software Bill Of Materials) related tools, frameworks, blogs, podcasts, and articles","archived":false,"fork":false,"pushed_at":"2024-04-23T21:36:12.000Z","size":61,"stargazers_count":428,"open_issues_count":9,"forks_count":56,"subscribers_count":17,"default_branch":"master","last_synced_at":"2024-05-23T07:31:11.897Z","etag":null,"topics":["awesome","awesome-repos","awesome-sbom","sbom","sbom-examples","sbom-generator","software-bill-of-materials"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/awesomeSBOM.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-07-30T08:42:03.000Z","updated_at":"2024-05-20T07:22:59.000Z","dependencies_parsed_at":"2024-01-29T22:08:45.939Z","dependency_job_id":"ab02a0b3-72d1-4317-b01e-65261899385a","html_url":"https://github.com/awesomeSBOM/awesome-sbom","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/awesomeSBOM%2Fawesome-sbom","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/awesomeSBOM%2Fawesome-sbom/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/awesomeSBOM%2Fawesome-sbom/releases","manifests_url":"https://repos.ecosy
ste.ms/api/v1/hosts/GitHub/repositories/awesomeSBOM%2Fawesome-sbom/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/awesomeSBOM","download_url":"https://codeload.github.com/awesomeSBOM/awesome-sbom/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224573428,"owners_count":17333804,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["awesome","awesome-repos","awesome-sbom","sbom","sbom-examples","sbom-generator","software-bill-of-materials"],"created_at":"2024-08-03T00:01:20.060Z","updated_at":"2025-05-07T07:30:50.595Z","avatar_url":"https://github.com/awesomeSBOM.png","language":null,"funding_links":[],"categories":["Dependency intelligence","DevOps","Other Lists","Bachelor-Level","Using"],"sub_categories":["SCA and SBOM","TeX Lists","B.Sc.: Big Data and Cloud Computing for AI","License compliance"],"readme":"# awesome-sbom [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)\nA curated list of SBOM (Software Bill Of Materials) related tools, frameworks, blogs, podcasts, and articles\n\n# What is SBOM (Software Bill Of Materials) ?\nFrom [Wikipedia](https://en.wikipedia.org/wiki/Software_bill_of_materials):\n\u003e A software bill of materials (SBOM) is a list of components in a piece of software. Software vendors often create products by assembling open source and commercial software components. The SBOM describes the components in a product. 
It is analogous to a list of ingredients on food packaging: where you might consult a label to avoid foods that may cause allergies, SBOMs can help companies avoid consumption of software that could harm their organization.\n\u003e\n\u003e The concept of a BOM is well-established in traditional manufacturing as part of supply chain management. A manufacturer uses a BOM to track the parts it uses to create a product. If defects are later found in a specific part, the BOM makes it easy to locate affected products.\n\n## Contents\n\n- 💼 [Official Projects](#official-projects)\n    - 📂 [Repositories](#repositories)\n    - 🗒️ [Docs](#docs)\n    - 📰 [Blogs](#blogs-and-articles)\n- 🐾 [Community Repositories](#community-repositories)\n- 🗃️ [Blogs and Articles](#articles-and-blogs-1)\n- 📹 [Videos](#videos)\n- 📑 [Slides](#slides)\n- 🎤 [Podcasts](#podcasts)\n- :chart_with_upwards_trend: [Benchmarks](#benchmarks)\n\n## Official projects\n\n### Articles and Blogs\n\n- [Wikipedia](https://en.wikipedia.org/wiki/Software_bill_of_materials) - Official Wikipedia Page\n- [NTIA](https://www.ntia.gov/SBOM) - Official National Telecommunications and Information Administration Page\n- [What is an SBOM?](https://www.linuxfoundation.org/blog/what-is-an-sbom/) - The Linux Foundation Article\n\n### Tools (and [classification](https://ntia.gov/sites/default/files/publications/ntia_sbom_tooling_taxonomy-2021mar30_0.pdf))\n\n|Tool|Build SBOM|Analyze SBOM|Edit SBOM|View SBOM|Diff SBOM|Import SBOM|Translate SBOM|Merge SBOM|Integrate with Other Tools|\n|----|:--------:|:----------:|:-------:|:-------:|:-------:|:---------:|:------------:|:--------:|:------------------------:|\n|AnthonyHarrison [SBOM4Python](https://pypi.org/project/sbom4python/)|CycloneDX,SPDX |\n|AnthonyHarrison [SBOM4Rust](https://pypi.org/project/sbom4rust/)|CycloneDX,SPDX|\n|AnthonyHarrison [SBOM4Files](https://pypi.org/project/sbom4files/)|CycloneDX,SPDX|\n|AnthonyHarrison 
[Distro2SBOM](https://pypi.org/project/distro2sbom/)|CycloneDX,SPDX|\n|AnthonyHarrison [SBOMDiff](https://pypi.org/project/sbomdiff/)| |CycloneDX,SPDX|CycloneDX,SPDX|\n|AnthonyHarrison [SBOM2doc](https://pypi.org/project/sbom2doc/)| |CycloneDX,SPDX|CycloneDX,SPDX|\n|AnthonyHarrison [SBOM2dot](https://pypi.org/project/sbom2dot/)| |CycloneDX,SPDX|CycloneDX,SPDX|\n|AnthonyHarrison [SBOMAudit](https://pypi.org/project/sbomaudit/)| |CycloneDX,SPDX|CycloneDX,SPDX|\n|AnthonyHarrison [SBOM-Manager](https://pypi.org/project/sbom-manager/)| |CycloneDX,SPDX|CycloneDX,SPDX|\n|[bomber](https://github.com/devops-kung-fu/bomber)| |CycloneDX,SPDX| |CycloneDX,SPDX|\n|[CycloneDX Maven Plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin)|CycloneDX|\n|[CycloneDX CLI tool](https://github.com/CycloneDX/cyclonedx-cli)| | |CycloneDX| |CycloneDX| |CycloneDX,SPDX|CycloneDX|\n|CycloneDX [cdxgen](https://github.com/CycloneDX/cdxgen)|CycloneDX| | | | | | | |CycloneDX|\n|Interlynk [SBOM Assembler](https://github.com/interlynk-io/sbomasm)|CycloneDX,SPDX| | | | | | |CycloneDX,SPDX|CycloneDX,SPDX|\n|Interlynk [SBOM Quality Score](https://github.com/interlynk-io/sbomqs)| |CycloneDX,SPDX| |CycloneDX,SPDX| | | | |CycloneDX,SPDX|\n|Interlynk [SBOM Grep](https://github.com/interlynk-io/sbomgr)| |CycloneDX,SPDX||CycloneDX,SPDX|||||CycloneDX,SPDX|\n|Interlynk [SBOM Find \u0026 Pull](https://github.com/interlynk-io/sbomex)| || |CycloneDX,SPDX| | | | |CycloneDX,SPDX|\n|Google [osv-scanner](https://github.com/google/osv-scanner)| |CycloneDX,SPDX|\n|[Kubernetes SBOM Tool](https://sigs.k8s.io/bom)|SPDX|\n|Microsoft [SBOM tool](https://github.com/microsoft/sbom-tool)|SPDX|\n|OSS Review Toolkit [ORT](https://github.com/oss-review-toolkit/ort)|CycloneDX,SPDX |\n|[Syft](https://github.com/anchore/syft)|CycloneDX,SPDX|CycloneDX,SPDX| |CycloneDX,SPDX|\n|Snyk SBOM [API](https://docs.snyk.io/snyk-api-info) \u0026 [CLI](https://docs.snyk.io/snyk-cli)|CycloneDX,SPDX|\n|[Snyk SBOM 
Checker](https://snyk.io/code-checker/sbom-security/)| |CycloneDX,SPDX|\n|[SBOM viewer](https://apps.rancher.io/sbom-viewer)| | | | CycloneDX,SPDX|\n|[SPDX Maven Plugin](https://github.com/spdx/spdx-maven-plugin)|SPDX|\n|[SPDX Gradle Plugin](https://github.com/spdx/spdx-gradle-plugin)|SPDX|\n|[spdx-sbom-generator](https://github.com/spdx/spdx-sbom-generator)|SPDX|\n|[SwiftBOM](https://github.com/CERTCC/SBOM/tree/master/SwiftBOM)|CycloneDX,SPDX,SWID|\n|[Tern](https://github.com/tern-tools/tern)|CycloneDX,SPDX|\n|[Trivy](https://github.com/aquasecurity/trivy)|CycloneDX,SPDX|CycloneDX,SPDX| |CycloneDX,SPDX|\n|[DeepSCA](https://tools.deepbits.com)|CycloneDX|CycloneDX||CycloneDX||CycloneDX|||CycloneDX|\n|[Meta Package Manager](https://github.com/kdeldycke/meta-package-manager#readme)|CycloneDX,SPDX|||||||||\n\n### Repositories\n\n- [CycloneDX Specification](https://github.com/CycloneDX/specification)\n- [CycloneDX BOM Examples](https://github.com/CycloneDX/bom-examples)\n- [CycloneDX/cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin)\n- [spdx-sbom-generator](https://github.com/spdx/spdx-sbom-generator)\n- [tern-tools/tern](https://github.com/tern-tools/tern)\n- [anchore/syft](https://github.com/anchore/syft)\n- [dlorenc/sbom-oci](https://github.com/dlorenc/sbom-oci)\n- [Cosign SBOM Spec](https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md)\n- [microsoft/sbom-tool](https://github.com/microsoft/sbom-tool)\n- [SwiftBOM - generate SBOMs](https://github.com/CERTCC/SBOM/tree/master/SwiftBOM)\n- [Kubernetes SBOM Tool](https://sigs.k8s.io/bom)\n- [Aqua Trivy](https://github.com/aquasecurity/trivy)\n- [Google osv-scanner](https://github.com/google/osv-scanner)\n- [bomber](https://github.com/devops-kung-fu/bomber)\n  - [Snyk provider](https://github.com/devops-kung-fu/bomber/tree/main/providers/snyk)\n- Snyk SBOM [API](https://docs.snyk.io/snyk-api-info) and [CLI](https://docs.snyk.io/snyk-cli)\n- [Snyk SBOM 
Checker](https://snyk.io/code-checker/sbom-security/)\n- [Interlynk SBOM Assembler](https://github.com/interlynk-io/sbomasm)\n- [Interlynk SBOM Quality Score](https://github.com/interlynk-io/sbomqs)\n- [Interlynk SBOM Grep](https://github.com/interlynk-io/sbomgr)\n- [Interlynk SBOM Find and Pull](https://github.com/interlynk.io/sbomex)\n- [NTIA Conformance Checker](https://github.com/spdx/ntia-conformance-checker)\n\n## CycloneDX\n\n- [CycloneDX Capabilities](https://cyclonedx.org/capabilities/)\n- [CycloneDX Use Cases and Examples](https://cyclonedx.org/use-cases/)\n- [CycloneDX Tool Center](https://cyclonedx.org/tool-center/)\n- [Specification Overview](https://cyclonedx.org/specification/overview/)\n\n## SPDX\n\n- [The Software Package Data Exchange® (SPDX®)](https://spdx.dev/)\n- [ISO/IEC 5962 - SPDX® Specification](https://www.iso.org/standard/81870.html)\n- [ISO/IEC 5230:2020 - OpenChain Specification](https://www.iso.org/standard/81039.html)\n- [SPDX Spec](https://spdx.github.io/spdx-spec/)\n- [SPDX: It’s Already in Use for Global Software Bill of Materials (SBOM)](https://www.linuxfoundation.org/blog/spdx-its-already-in-use-for-global-software-bill-of-materials-sbom-and-supply-chain-security/)\n\n## Community Repositories\n\n- [SBOM-Operator for Kubernetes](https://github.com/ckotzbauer/sbom-operator)\n\n### Security Tools\n\n- [bomber](https://github.com/devops-kung-fu/bomber) - bomber is an application that scans SBoMs for security vulnerabilities.\n- [NTIA Conformance Checker](https://github.com/spdx/ntia-conformance-checker) - Check SPDX SBOM for NTIA minimum elements\n- [sbom-scorecard](https://github.com/eBay/sbom-scorecard) - Generate a score for your sbom to understand if it will actually be useful.\n- [parlay](https://github.com/snyk/parlay) - Enrich SBOMs with data from third party services\n\n## Articles and Blogs\n\n- [Software Bill Of Materials: Formats, Use Cases, and 
Tools](https://fossa.com/blog/software-bill-of-materials-formats-use-cases-tools/)\n- [Software Bill of Materials Required by 2021 Cyber Security Executive Order](https://fossa.com/blog/software-bill-of-materials-formats-use-cases-tools/)\n- [The world needs a software bill of materials](https://news.ycombinator.com/item?id=26529619)\n- [What is a software bill of materials?](https://www.synopsys.com/blogs/software-security/software-bill-of-materials-bom/)\n- [Easily and Quickly Build an Accurate Open Source Inventory](https://www.revenera.com/software-composition-analysis/business-solutions/bill-of-materials.html)\n- [Create a Cybersecurity Bill of Materials](https://www.promenadesoftware.com/blog/create-a-software-bill-of-materials)\n- [What is an SBOM, and why should you Care??](https://boxboat.com/2021/05/12/what-is-sbom-and-why-should-you-care/)\n- [Are you ready with your SBOM ? Think again !](https://nadgowdas.github.io/blog/2021/trust-sbom/)\n- [Nisha Kumar and Allan Friedman - RSAC DevOps connect keynote](https://blogs.vmware.com/opensource/2021/06/15/software-bill-of-materials-and-modern-app-development-devops-connect-rsac-2021/)\n- [Rose Judge on using Tern to generate a SBoM for containers](https://blogs.vmware.com/opensource/2020/08/29/rose-judge-on-tern-container-bill-of-materials/)\n- [Creating a Software Supply Chain Landscape](https://zt.dev/posts/supply-chain-content-created/)\n- [Analysis of a spdx-sbom-generator generated SBOM](https://zt.dev/posts/analysis-spdx-sbom-generator/)\n- [Creating an SBOM for a golang app using spdx-sbom-generator](https://zt.dev/posts/creating-spdx-sbom/)\n- [Analysis of a cyclonedx-gomod generated SBOM](https://zt.dev/posts/analysis-cyclonedx-gomod-sbom/)\n- [Creating an SBOM for a golang app using cyclonedx-gomod](https://zt.dev/posts/creating-cyclonedx-gomod-sbom/)\n- [What an SBOM Can Do for You](https://chainguard.dev/posts/2022-01-13-what-an-sbom-can-do-for-you)\n- [BOM 101 – All the questions you were afraid 
to ask Software Bill of Materials](https://sysdig.com/blog/sbom-101-software-bill-of-materials/)\n- [How to create SBOMs in Java with Maven and Gradle](https://snyk.io/blog/create-sboms-java-maven-gradle/) - Snyk blog\n- [Comparing SBOM Standards: SPDX vs. CycloneDX](https://blog.sonatype.com/comparing-sbom-standards-spdx-vs.-cyclonedx-vs.-swid)\n- [Top 10 Things You Should Know About Using SBOM to Secure Industrial IoT Devices - Red Alert Labs](https://www.redalertlabs.com/blog/top-10-things-you-should-know-about-using-sbom-to-secure-industrial-iot-devices)\n- [The Minimum Elements For a Software Bill of Materials (SBOM)](https://www.ntia.gov/sites/default/files/publications/sbom_minimum_elements_report_0.pdf)\n- [What Makes a Good SBOM?](https://edu.chainguard.dev/open-source/sbom/what-makes-a-good-sbom/)\n- [Are SBOMs Any Good? Preliminary Measurement of the Quality of Open Source Project SBOMs](https://www.chainguard.dev/unchained/are-sboms-any-good-preliminary-measurement-of-the-quality-of-open-source-project-sboms)\n- [Software Dark Matter is the Enemy of Software Transparency](https://www.chainguard.dev/unchained/software-dark-matter-is-the-enemy-of-software-transparency)\n- [The Linux Foundation’s Software Bill of Materials (SBOM) and Cybersecurity Readiness Report](https://www.linuxfoundation.org/research/the-state-of-software-bill-of-materials-sbom-and-cybersecurity-readiness)\n- [When will SBOMs finally benefit the federal government’s software supply chain?](https://federalnewsnetwork.com/commentary/2022/10/when-will-sboms-finally-benefit-the-federal-governments-software-supply-chain/)\n- [Are SBOMs good enough for government work?](https://www.chainguard.dev/unchained/are-sboms-good-enough-for-government-work)\n- [Not All SBOMs Are Created Equal](https://www.chainguard.dev/unchained/not-all-sboms-are-created-equal)\n\n## Videos\n\n- [Mentorship Session: Generating Software Bill Of Materials](https://www.youtube.com/watch?v=EVnQ4Riecy8)\n- [Software 
Bill of Materials: How to generate an SBOM from container images using Syft](https://www.youtube.com/watch?v=9oj3BC3vOtc)\n- [SwiftBOM - generate SBOMs for PoC efforts and demos](https://youtube.com/playlist?list=PLKr8MJRsuoPHGqfcoj8auu7zax8oLRPsH)\n- [Kubernetes Atlanta Meetup - Nov 2021 - SBOMs Container Signing and Verification, Intro to Gatekeeper](https://www.youtube.com/watch?v=PuTJ176djsc\u0026t=22s)\n- [FOSDEM 2023 - The 7 key ingredients of a great SBOM](https://fosdem.org/2023/schedule/event/sbom_key_ingredients/)\n\n## Slides\n\n- [Software Bill of Materials Presentation](https://csrc.nist.gov/CSRC/media/Projects/cyber-supply-chain-risk-management/documents/SSCA/Spring_2019/8MayAM2.3_Software_Bill_of_Materials_Robert_Martin_05_08_19_clean.pdf)\n\n## Podcasts\n- [DaBOM Podcast](https://dabom.show/)\n\n## Benchmarks\n- [SBOM Benchmark](https://sbombenchmark.dev) Quickly evaluate SBOM for quality, compliance and errors.\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FawesomeSBOM%2Fawesome-sbom","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FawesomeSBOM%2Fawesome-sbom","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FawesomeSBOM%2Fawesome-sbom/lists"}