{"id":13727939,"url":"https://github.com/interlynk-io/sbomasm","last_synced_at":"2026-01-12T11:35:50.418Z","repository":{"id":161258139,"uuid":"635984325","full_name":"interlynk-io/sbomasm","owner":"interlynk-io","description":"sbomasm: The Complete SBOM Management Toolkit","archived":false,"fork":false,"pushed_at":"2025-12-01T22:58:35.000Z","size":3542,"stargazers_count":94,"open_issues_count":18,"forks_count":12,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-12-03T17:36:53.139Z","etag":null,"topics":["cyclonedx","devsecops","go","golang","gomodule","oss","sbom","sbom-generator","sbom-tool","security","spdx"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/interlynk-io.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-05-03T22:09:00.000Z","updated_at":"2025-12-01T06:30:40.000Z","dependencies_parsed_at":"2026-01-06T12:04:50.393Z","dependency_job_id":null,"html_url":"https://github.com/interlynk-io/sbomasm","commit_stats":null,"previous_names":[],"tags_count":36,"template":false,"template_full_name":null,"purl":"pkg:github/interlynk-io/sbomasm","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/interlynk-io%2Fsbomasm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/interlynk-io%2Fsbomasm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/interlynk-io%2Fsbomasm/releases","
manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/interlynk-io%2Fsbomasm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/interlynk-io","download_url":"https://codeload.github.com/interlynk-io/sbomasm/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/interlynk-io%2Fsbomasm/sbom","scorecard":{"id":582194,"data":{"date":"2024-03-17","repo":{"name":"github.com/interlynk-io/sbomasm","commit":"df41a4c6f58e5d3f41efdc357ae0ee36a1bf5299"},"scorecard":{"version":"v4.10.2","commit":"376f465c111c39c6a5ad7408e8896cd790cb5219"},"score":6,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":0,"reason":"0 out of 15 merged PRs checked by a CI test -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":0,"reason":"no badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices 
Badge.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":10,"reason":"15 out of last 15 changesets reviewed before merge -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project requires code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#code-review"}},{"name":"Contributors","score":3,"reason":"1 different organizations found -- score normalized to 3","details":["Info: contributors work for interlynk-io"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: Dependabot detected: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":null,"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: License file found in expected location: LICENSE:1","Info: 
FSF or OSI recognized license: LICENSE:1"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#license"}},{"name":"Maintained","score":10,"reason":"12 commit(s) out of 30 and 0 issue activity out of 9 found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#maintained"}},{"name":"Packaging","score":10,"reason":"publishing workflow detected","details":["Info: GitHub publishing workflow used in run https://api.github.com/repos/interlynk-io/sbomasm/actions/runs/7132489987: .github/workflows/build.yml:8"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/interlynk-io/sbomasm/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/interlynk-io/sbomasm/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/interlynk-io/sbomasm/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:25: update your workflow using 
https://app.stepsecurity.io/secureworkflow/interlynk-io/sbomasm/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/interlynk-io/sbomasm/build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/interlynk-io/sbomasm/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/interlynk-io/sbomasm/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/interlynk-io/sbomasm/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sbom.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/interlynk-io/sbomasm/sbom.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-sbom.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/interlynk-io/sbomasm/test-sbom.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating golang:1.20-alpine to golang:1.20-alpine@sha256:e47f121850f4e276b2b210c56df3fda9191278dd84a3a442bfe0b09934462a8f","Warn: downloadThenRun not pinned by hash: .github/workflows/release.yml:26","Warn: downloadThenRun not pinned by hash: .github/workflows/sbom.yml:22","Warn: downloadThenRun not pinned by hash: .github/workflows/test-sbom.yml:20","Warn: pipCommand not pinned by hash: .github/workflows/test-sbom.yml:32"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build 
process.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool","Warn: CodeQL tool not detected"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#sast"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":null,"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":0,"reason":"0 out of 5 artifacts are signed or have provenance","details":["Warn: release artifact v0.0.13 does not have provenance: https://api.github.com/repos/interlynk-io/sbomasm/releases/133070550","Warn: release artifact v0.0.13 not signed: https://api.github.com/repos/interlynk-io/sbomasm/releases/133070550","Warn: release artifact v0.0.12 does not have provenance: https://api.github.com/repos/interlynk-io/sbomasm/releases/130481999","Warn: release artifact v0.0.12 not signed: https://api.github.com/repos/interlynk-io/sbomasm/releases/130481999","Warn: release artifact v0.0.11 does not have provenance: https://api.github.com/repos/interlynk-io/sbomasm/releases/128669642","Warn: release artifact v0.0.11 not signed: https://api.github.com/repos/interlynk-io/sbomasm/releases/128669642","Warn: release artifact v0.0.10 does not have provenance: https://api.github.com/repos/interlynk-io/sbomasm/releases/128190536","Warn: release artifact v0.0.10 not signed: https://api.github.com/repos/interlynk-io/sbomasm/releases/128190536","Warn: release artifact v0.0.9 does not have provenance: 
https://api.github.com/repos/interlynk-io/sbomasm/releases/126855098","Warn: release artifact v0.0.9 not signed: https://api.github.com/repos/interlynk-io/sbomasm/releases/126855098"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":8,"reason":"non read-only tokens detected in GitHub workflows","details":["Warn: no topLevel permission defined: .github/workflows/build.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/interlynk-io/sbomasm/build.yml/main?enable=permissions","Info: jobLevel 'contents' permission set to 'read': .github/workflows/build.yml:11","Warn: no topLevel permission defined: .github/workflows/release.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/interlynk-io/sbomasm/release.yml/main?enable=permissions","Warn: no topLevel permission defined: .github/workflows/sbom.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/interlynk-io/sbomasm/sbom.yml/main?enable=permissions","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/sbom.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/interlynk-io/sbomasm/sbom.yml/main?enable=permissions","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:18","Warn: no topLevel permission defined: .github/workflows/test-sbom.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/interlynk-io/sbomasm/test-sbom.yml/main?enable=permissions","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/test-sbom.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/interlynk-io/sbomasm/test-sbom.yml/main?enable=permissions"],"documentation":{"short":"Determines if the project's workflows follow the principle of least 
privilege.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":-1,"reason":"internal error: vulnerabilitiesClient.ListUnfixedVulnerabilities: osvscanner.DoScan: scan failed server response error: {\"code\":3,\"message\":\"Invalid Package URL.\"}","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-20T19:28:07.757Z","repository_id":161258139,"created_at":"2025-08-20T19:28:07.757Z","updated_at":"2025-08-20T19:28:07.757Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28338971,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T10:58:46.209Z","status":"ssl_error","status_checked_at":"2026-01-12T10:58:42.742Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cyclonedx","devsecops","go","golang","gomodule","oss","sbom","sbom-generator","sbom-tool","security","spdx"],"created_at":"2024-08-03T02:00:35.308Z","updated_at":"2026-01-12T11:35:50.412Z","avatar_url":"https://github.com/interlynk-io.png","language":"Go","funding_links":[],"categories":["Official 
projects","Go"],"sub_categories":["Repositories"],"readme":"# `sbomasm`: The Complete SBOM Management Toolkit\n\n[![Go Reference](https://pkg.go.dev/badge/github.com/interlynk-io/sbomasm.svg)](https://pkg.go.dev/github.com/interlynk-io/sbomasm)\n[![Go Report Card](https://goreportcard.com/badge/github.com/interlynk-io/sbomasm)](https://goreportcard.com/report/github.com/interlynk-io/sbomasm)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/interlynk-io/sbomasm/badge)](https://securityscorecards.dev/viewer/?uri=github.com/interlynk-io/sbomasm)\n![GitHub all releases](https://img.shields.io/github/downloads/interlynk-io/sbomasm/total)\n\n`sbomasm` is a comprehensive toolkit for managing Software Bill of Materials (SBOMs) throughout their lifecycle. From assembling multiple SBOMs into unified documents, to editing metadata for compliance, removing sensitive information, enriching with additional context and cryptographically signing and verifying SBOMs - sbomasm handles it all.\n\n## Quick Start\n\n```bash\n# Install sbomasm\ngo install github.com/interlynk-io/sbomasm@latest\n\n# Assemble multiple SBOMs into one\nsbomasm assemble -n \"my-app\" -v \"1.0.0\" -o final.json service1.json service2.json service3.json\n\n# Augment existing SBOM with additional data\nsbomasm assemble --augmentMerge --primary base.json scan-results.json -o enhanced.json\n\n# Edit SBOM metadata for compliance\nsbomasm edit --subject document --supplier \"ACME Corp (acme.com)\" --timestamp sbom.json\n\n# Remove sensitive information\nsbomasm rm --subject component-data --search \"internal-tool\" sbom.json\n\n# Enrich SBOM with missing license information\nsbomasm enrich --fields license -o enriched.json sbom.json\n\n# View SBOM in human-readable format\nsbomasm view sbom.cdx.json\n\n# Generate assembly configuration\nsbomasm generate \u003e config.yml\n\n# Sign an SBOM using ShiftLeftCyber's SecureSBOM API (using a sample key)\nsbomasm sign --key-id 
a7b3c9e1-2f4d-4a8b-9c6e-1d5f7a9b2c4e --output sbom-signed.json sbom.json\n```\n\n## Table of Contents\n\n- [Community Recognition](#community-recognition)\n- [Why sbomasm?](#why-sbomasm)\n- [Core Features](#core-features)\n- [sbomasm Blog](#sbomasm-blog)\n- [Basic Usage](#basic-usage)\n  - [Assembling SBOMs](#assembling-sboms)\n  - [Editing SBOMs](#editing-sboms)\n  - [Removing Components](#removing-components)\n  - [Enriching SBOMs](#enriching-sboms)\n  - [Viewing SBOMs](#viewing-sboms)\n  - [Signing and Verifying](#signing-and-verifying)\n- [Industry Use Cases](#industry-use-cases)\n  - [Microservices \u0026 Kubernetes](#microservices--kubernetes)\n  - [Automotive Industry](#automotive-industry)\n  - [Healthcare \u0026 Medical Devices](#healthcare--medical-devices)\n  - [Financial Services](#financial-services)\n- [Advanced Features](#advanced-features)\n  - [Configuration-Driven Assembly](#configuration-driven-assembly)\n  - [Dependency Track Integration](#dependency-track-integration)\n  - [Batch Operations](#batch-operations)\n- [Command Reference](#command-reference)\n- [SBOM Platform - Free Community Tier](#sbom-platform---free-community-tier)\n- [SBOM Card](#sbom-card)\n- [Installation](#installation)\n- [Contributions](#contributions)\n- [Other SBOM Open Source tools](#other-sbom-open-source-tools)\n- [Contact](#contact)\n- [Stargazers](#stargazers)\n\n## Community Recognition\n\n`sbomasm` has gained recognition across the SBOM ecosystem for its innovative approach to SBOM management:\n\n### Industry Adoption \u0026 Standards\n\n\u003e **OpenChain Telco SBOM Guide v1.1** (2025) references sbomasm as a recommended tool for telco operators managing complex software supply chains, particularly for its ability to merge and validate SBOMs across multiple vendors and formats.\n\n\u003e **SBOM Generation White Paper** (SBOM Community, February 2025) highlights sbomasm as an exemplary tool that \"demonstrates best practices in SBOM assembly, particularly its 
format-agnostic approach and preservation of component relationships during merging operations.\"\n\n### Community Feedback\n\n\u003e “I found several bugs, mostly invalid SPDX, but they were **quickly fixed**. The team is **very reactive**. The tool now produces **valid SPDX for all examples I have tested**...”\n\u003e\n\u003e — Marc-Étienne Vargenau (Nokia), [SPDX Implementers Mailing List](https://lists.spdx.org/g/spdx-implementers/topic/sbomasm_a_tool_to_merge_spdx/107185371)\n\n\u003e \"The hierarchical merge capability in sbomasm is exactly what we needed for assembling microservice SBOMs while preserving their dependency relationships. It's become an essential part of our DevSecOps pipeline.\"  \n\u003e — **Fortune 500 Financial Services CISO**\n\n\u003e \"For medical device manufacturers needing FDA-compliant SBOMs, sbomasm's edit functionality has been a game-changer. We can now ensure all required metadata is present before submission.\"  \n\u003e — **Medical Device Manufacturer, Regulatory Affairs**\n\n### Tool Ecosystem Integration\n\n- **GitLab/GitHub CI**: Widely adopted in CI/CD pipelines for automated SBOM assembly\n\n  \n\n## Why sbomasm?\n\nModern software development involves complex supply chains with multiple components, each potentially having its own SBOM. 
Organizations face several challenges:\n\n- **Multiple Sources**: Microservices, containers, and third-party components each generate separate SBOMs\n- **Compliance Requirements**: Regulations like FDA medical device requirements, Auto-ISAC standards, and CISA guidelines require complete and accurate SBOMs\n- **Metadata Gaps**: Generated SBOMs often lack critical metadata like supplier information, licenses, or proper versioning\n- **Sensitive Data**: SBOMs may contain internal component names or proprietary information that shouldn't be shared\n- **Format Fragmentation**: Different tools produce different SBOM formats (SPDX vs CycloneDX)\n\n`sbomasm` solves these challenges with a unified toolkit that works across formats and use cases.\n\n## Core Features\n\n- 🔀 **Assemble**: Merge multiple SBOMs into comprehensive documents\n- ✏️ **Edit**: Add or modify metadata for compliance and completeness\n- 🗑️ **Remove**: Strip sensitive components or fields\n- 🚀 **Enrich**: Augment SBOMs with missing license information from ClearlyDefined\n- 👁️ **View**: Visualize SBOMs in human-readable hierarchical format\n- 🔐 **Sign**: Cryptographically Sign \u0026 Verify SBOMs (uses 3rd party service from ShiftLeftCyber)\n- 📋 **Format Agnostic**: Supports both SPDX and CycloneDX\n- ⚡ **Blazing Fast**: Optimized for large-scale operations\n- 🔧 **Flexible**: CLI, configuration files, and API integration options\n\n## sbomasm Blog\n\n- [Lean, Clean, and Compliance-Ready: sbomasm’s New Removal Capabilities](https://www.linkedin.com/pulse/lean-clean-compliance-ready-sbomasms-new-removal-vivek-kumar-sahu-a2fqe/)\n- [sbomasm enriches licenses using ClearlyDefined datasets](https://www.linkedin.com/pulse/sbomasm-enriches-licenses-using-clearlydefined-datasets-sahu-dogec/)\n\n## Basic Usage\n\n### Assembling SBOMs\n\nThe most common use case is combining multiple SBOMs from different sources into a single comprehensive document.\n\n#### Simple Assembly\n\nCombine microservice SBOMs into an 
application SBOM:\n\n```bash\n# Basic assembly with automatic format detection\nsbomasm assemble \\\n  -n \"e-commerce-platform\" \\\n  -v \"2.1.0\" \\\n  -t \"application\" \\\n  -o platform.cdx.json \\\n  auth-service.json cart-service.json payment-service.json\n```\n\n#### Container and Application Assembly\n\nMerge container base image SBOM with application dependencies:\n\n```bash\n# Combine base image SBOM with application SBOM\nsbomasm assemble \\\n  -n \"containerized-app\" \\\n  -v \"1.0.0\" \\\n  --type \"container\" \\\n  -o final-container.spdx.json \\\n  alpine-base.spdx.json app-deps.spdx.json\n```\n\n#### Augment Merge (Enrich Existing SBOM)\n\nEnhance an existing primary SBOM with additional component information from secondary SBOMs without creating a new root component:\n\n```bash\n# Enrich base SBOM with additional scan results\nsbomasm assemble --augmentMerge \\\n  --primary base-sbom.json \\\n  vulnerability-scan.json license-scan.json \\\n  -o enriched-sbom.json\n\n# Overwrite existing component data with vendor-provided information\nsbomasm assemble --augmentMerge \\\n  --primary internal-sbom.json \\\n  --merge-mode overwrite \\\n  vendor-sbom.json \\\n  -o updated-sbom.json\n```\n\n### Editing SBOMs\n\nFix missing metadata or update information for compliance:\n\n#### Add Missing Supplier Information\n\n```bash\n# Add supplier info required by procurement\nsbomasm edit \\\n  --missing \\\n  --subject document \\\n  --supplier \"Interlynk (hello@interlynk.io)\" \\\n  --output compliant.json \\\n  original.json\n```\n\n#### Update Component Licenses\n\n```bash\n# Fix missing license information\nsbomasm edit \\\n  --subject component-name-version \\\n  --search \"log4j (2.17.1)\" \\\n  --license \"Apache-2.0 (https://www.apache.org/licenses/LICENSE-2.0)\" \\\n  input.json\n```\n\n### Removing Components\n\nRemove internal or sensitive components before sharing:\n\n```bash\n# Remove internal components before sharing with customer\nsbomasm rm 
\\\n  --subject component-name \\\n  --search \"internal-telemetry\" \\\n  --output public.json \\\n  internal.json\n```\n\n### Enriching SBOMs\n\nEnhance SBOMs with missing license information using ClearlyDefined data:\n\n#### Basic License Enrichment\n\n```bash\n# Enrich SBOM with missing license information\nsbomasm enrich \\\n  --fields license \\\n  --output enriched.json \\\n  original.json\n```\n\n#### Advanced Enrichment Options\n\n```bash\n# Force update existing licenses with more complete data\nsbomasm enrich \\\n  --fields license \\\n  --force \\\n  --license-exp-join \"AND\" \\\n  --max-retries 3 \\\n  --max-wait 10 \\\n  --output complete.json \\\n  incomplete.json\n```\n\nThis command is particularly useful for:\n- Filling gaps in automatically generated SBOMs that lack license information\n- Ensuring compliance with procurement and legal requirements\n- Standardizing license expressions across components\n- Meeting regulatory requirements that mandate complete license documentation\n\n### Viewing SBOMs\n\nVisualize CycloneDX SBOMs in a human-readable hierarchical format with comprehensive component information:\n\n#### Basic SBOM Visualization\n\n```bash\n# View SBOM with default settings\nsbomasm view sbom.cdx.json\n\n# Detailed view with all information\nsbomasm view sbom.cdx.json --verbose\n\n# Save output to file\nsbomasm view sbom.cdx.json -o sbom-report.txt\n\n# License-only view (minimal component details)\nsbomasm view sbom.cdx.json --only-licenses\n\n# View containers and operating systems\nsbomasm view sbom.cdx.json --filter-type \"container,operating-system\"\n\n# Focus on high-severity vulnerabilities\nsbomasm view sbom.cdx.json --min-severity high --only-unresolved\n\n# Limit tree depth for large SBOMs\nsbomasm view sbom.cdx.json --max-depth 3\n\n# Flat list format\nsbomasm view sbom.cdx.json --format flat\n\n# JSON export for processing\nsbomasm view sbom.cdx.json --format json -o analysis.json\n```\n\nThe view command is 
particularly useful for:\n- **Security Audits**: Identify and filter vulnerabilities by severity\n- **Dependency Analysis**: Understand component relationships and dependencies\n- **License Compliance**: Extract license information for compliance review\n- **SBOM Validation**: Verify SBOM completeness and structure\n- **Documentation**: Generate human-readable reports for stakeholders\n\n### Signing and Verifying\n\nSBOMs are intended to be shared. Unsigned SBOMs are like unsealed envelopes. Anyone can open them up and alter what is\ninside. Cryptographically signing your SBOM allows SBOM producers to **prove authenticity and establish trust**\nand SBOM consumers to have the confidence that the SBOM has not been tampered with and comes from a verified source.\n\nSigning and verifying SBOMs with sbomasm uses the SecureSBOM API from ShiftLeftCyber. This service requires an\nAPI Key. To obtain an API key use the following: [ContactUs](https://shiftleftcyber.io/contactus/)\n\n**Prerequisites**\n\n1. **API Key:** Obtain an API Key from ShiftLeftCyber\n2. **Key Management:** Generate or use existing signing keys through the SecureSBOM Service\n3. 
**Environment Setup:** Set your API key as an environment variable for convenience \n\n```bash\nexport SECURE_SBOM_API_KEY=\"your-api-key-here\"\n```\n\n```bash\n# Generate a Signing Key for signing and online verification\nsbomasm securesbomkey generate\n\n# Use the generated key to Sign a CycloneDX SBOM according to CycloneDX 1.6 Specification\n# The examples below use a fake/sample key for educational purposes only\nsbomasm sign --key-id a7b3c9e1-2f4d-4a8b-9c6e-1d5f7a9b2c4e --output sbom.cdx.signed.json sbom.json\n\n# Verify the Signed SBOM using the API\nsbomasm verify --key-id a7b3c9e1-2f4d-4a8b-9c6e-1d5f7a9b2c4e sbom.cdx.signed.json\n\n# Sign and Verify SPDX SBOMs with SecureSBOM\nsbomasm sign --key-id a7b3c9e1-2f4d-4a8b-9c6e-1d5f7a9b2c4e --output sbom.spdx.signed.json sbom.spdx.json\nsbomasm verify --key-id a7b3c9e1-2f4d-4a8b-9c6e-1d5f7a9b2c4e --signature \"SIGNATURE_HASH\" sbom.spdx.signed.json\n```\n\n## Industry Use Cases\n\n### Microservices \u0026 Kubernetes\n\nModern cloud-native applications consist of dozens of microservices, each with their own dependencies. 
Organizations using Kubernetes need to track components across:\n- Application code dependencies\n- Container base images\n- Kubernetes operators and controllers\n- Service mesh components\n\n**Example**: A fintech company running 50+ microservices on Kubernetes:\n\n```bash\n# Step 1: Collect SBOMs from CI/CD pipeline\n# Each build generates an SBOM for the service\n\n# Step 2: Assemble daily platform SBOM\nsbomasm assemble \\\n  -n \"trading-platform\" \\\n  -v \"$(date +%Y.%m.%d)\" \\\n  -t \"application\" \\\n  --flat-merge \\\n  -o daily-platform-sbom.json \\\n  services/*.json\n\n# Step 3: Add compliance metadata\nsbomasm edit \\\n  --subject document \\\n  --supplier \"FinTech Corp (fintech.com)\" \\\n  --tool \"sbomasm (v0.1.0)\" \\\n  --timestamp \\\n  daily-platform-sbom.json\n\n# Step 4: Remove internal debugging tools\nsbomasm rm \\\n  --subject component-name \\\n  --search \"debug-console\" \\\n  daily-platform-sbom.json\n```\n\n### Automotive Industry\n\nAutomotive manufacturers must comply with Auto-ISAC guidelines and track software across complex supply chains involving hundreds of suppliers.\n\n**Example**: An electric vehicle manufacturer tracking infotainment system components:\n\n```bash\n# Assemble SBOMs from tier-1 suppliers\nsbomasm assemble \\\n  -n \"infotainment-system\" \\\n  -v \"model-y-2025\" \\\n  -t \"firmware\" \\\n  -o infotainment-complete.spdx.json \\\n  navigation-vendor.spdx audio-vendor.spdx connectivity-vendor.spdx\n\n# Add automotive-specific metadata\nsbomasm edit \\\n  --subject primary-component \\\n  --cpe \"cpe:2.3:a:automaker:infotainment:2025.1:*:*:*:*:*:*:*\" \\\n  --lifecycle \"manufacture\" \\\n  --output auto-compliant.spdx.json \\\n  infotainment-complete.spdx.json\n```\n\n### Healthcare \u0026 Medical Devices\n\nFDA regulations require medical device manufacturers to provide comprehensive SBOMs. 
These must include all software components and their security status.\n\n**Example**: Medical imaging device SBOM preparation:\n\n```bash\n# Create configuration for FDA submission\ncat \u003e fda-config.yml \u003c\u003c EOF\napp:\n  name: 'MRI-Scanner-Software'\n  version: 'v3.2.0'\n  description: 'MRI Scanner Control System - FDA Submission'\n  type: 'device'\n  supplier:\n    name: 'MedTech Inc'\n    email: 'regulatory@medtech.com'\n  author:\n  - name: 'MedTech Regulatory Team'\n    email: 'regulatory@medtech.com'\noutput:\n  spec: spdx\n  file_format: json\nassemble:\n  hierarchical_merge: true\n  include_components: true\n  include_dependency_graph: true\nEOF\n\n# Assemble with configuration\nsbomasm assemble -c fda-config.yml -o fda-submission.json \\\n  imaging-software.json hardware-drivers.json third-party-libs.json\n```\n\n### Financial Services\n\nFinancial institutions need SBOMs for risk assessment and regulatory compliance (PCI-DSS 4.0).\n\n**Example**: Banking application quarterly compliance report:\n\n```bash\n# Assemble quarterly SBOM from all banking services\nsbomasm assemble \\\n  -n \"digital-banking-platform\" \\\n  -v \"2024-Q4\" \\\n  -o quarterly-sbom.cdx.json \\\n  core-banking/*.json mobile-app/*.json web-portal/*.json\n\n# Enrich with security metadata\nsbomasm edit \\\n  --subject document \\\n  --tool \"dependency-track (4.11.0)\" \\\n  --author \"Security Team (security@bank.com)\" \\\n  --lifecycle \"operations\" \\\n  quarterly-sbom.cdx.json\n\n# Generate security audit report\nsbomasm view quarterly-sbom.cdx.json \\\n  --min-severity high \\\n  --only-unresolved \\\n  --vulnerabilities \\\n  -o quarterly-security-report.txt\n```\n\n## Advanced Features\n\n### Configuration-Driven Assembly\n\nFor complex assembly operations, use configuration files:\n\n```yaml\n# assembly-config.yml\napp:\n  name: 'enterprise-platform'\n  version: 'v2.0.0'\n  type: 'application'\n  supplier:\n    name: 'Enterprise Corp'\n    email: 
'sbom@enterprise.com'\n  licenses:\n  - id: 'Apache-2.0'\noutput:\n  spec: cyclonedx\n  file_format: json\n  file: 'enterprise-platform.cdx.json'\nassemble:\n  flat_merge: true\n  include_components: true\n  include_dependency_graph: false\n```\n\n```bash\nsbomasm assemble -c assembly-config.yml services/*.json\n```\n\n### Dependency Track Integration\n\nIntegrate with Dependency Track for continuous SBOM monitoring:\n\n```bash\n# Pull SBOMs from Dependency Track, assemble, and push back\nsbomasm assemble dt \\\n  -u \"https://dtrack.company.com\" \\\n  -k \"$DT_API_KEY\" \\\n  -n \"aggregated-view\" \\\n  -v \"latest\" \\\n  --flat-merge \\\n  -o \"project-uuid\" \\\n  project-uuid-1 project-uuid-2 project-uuid-3\n```\n\n### Batch Operations\n\nProcess multiple SBOMs with shell scripting:\n\n```bash\n#!/bin/bash\n# batch-process.sh - Add supplier info to all SBOMs\n\nfor sbom in sboms/*.json; do\n  echo \"Processing $sbom...\"\n  sbomasm edit \\\n    --missing \\\n    --subject document \\\n    --supplier \"ACME Corp (acme.com)\" \\\n    --timestamp \\\n    --output \"processed/$(basename $sbom)\" \\\n    \"$sbom\"\ndone\n```\n\n## Command Reference\n\nDetailed documentation for each command:\n\n- [assemble](docs/assemble.md) - Merge multiple SBOMs\n- [edit](docs/edit.md) - Modify SBOM metadata\n- [rm](docs/remove.md) - Remove components or fields\n- [enrich](docs/enrich.md) - Enrich SBOMs with missing license information\n- [view](docs/view.md) - Visualize SBOMs in human-readable format\n- [generate](docs/generate.md) - Create configuration templates\n- [sign/verify](docs/securesbom.md) - Cryptographically Sign \u0026 Verify SBOMs\n\n## SBOM Platform - Free Community Tier\n\nOur SBOM Automation Platform has a free community tier that provides a comprehensive solution to manage SBOMs (Software Bill of Materials) effortlessly. 
It offers centralized SBOM storage, a built-in SBOM editor, continuous vulnerability mapping and assessment, and support for organizational policies, while helping you maintain compliance and strengthen software supply chain security with integrated SBOM quality scores. The community tier is ideal for small teams. Learn more [here](https://www.interlynk.io/community-tier) or [Sign up](https://app.interlynk.io/auth).\n\n## SBOM Card\n\n[![SBOMCard](https://api.interlynk.io/api/v1/badges?type=hcard\u0026project_group_id=c706ae8e-56dc-4386-9c8e-11c2401c0e94)](https://app.interlynk.io/customer/products?id=c706ae8e-56dc-4386-9c8e-11c2401c0e94\u0026signed_url_params=eyJfcmFpbHMiOnsibWVzc2FnZSI6IklqbGtaVFZqTVdKaUxUSTJPV0V0TkdNeE55MWhaVEZpTFRBek1ETmlOREF3TlRjNFpDST0iLCJleHAiOm51bGwsInB1ciI6InNoYXJlX2x5bmsvc2hhcmVfbHluayJ9fQ==--84180d9ed3c786dce7119abc7fc35eb7adb0fbc8a9093c4f6e7e5d0ad778089e)\n\n## Installation\n\n### Using Go install (Recommended)\n\n```bash\ngo install github.com/interlynk-io/sbomasm@latest\n```\n\n### Using Homebrew\n\n```bash\nbrew tap interlynk-io/interlynk\nbrew install sbomasm\n```\n\n### Using Docker\n\n```bash\ndocker run -v $(pwd):/app ghcr.io/interlynk-io/sbomasm:latest assemble \\\n  -n \"my-app\" -v \"1.0.0\" -o /app/output.json /app/input1.json /app/input2.json\n```\n\n### Using Prebuilt Binaries\n\nDownload from the [releases page](https://github.com/interlynk-io/sbomasm/releases).\n\n### Building from Source\n\n```bash\ngit clone https://github.com/interlynk-io/sbomasm.git\ncd sbomasm\n\n# Show all available make targets\nmake help\n\n# Build for current platform\nmake build\n\n# Run tests\nmake test\n\n# Build for all platforms\nmake build-all\n\n# Verify the build\n./build/sbomasm version\n```\n\nThe project includes a comprehensive Makefile with targets for development, testing, building, and releasing. 
Run `make help` to see all available commands including:\n- **Development**: `make fmt`, `make vet`, `make lint`\n- **Testing**: `make test`, `make test-coverage`, `make test-short`\n- **Building**: `make build`, `make build-all`, `make install`\n- **Release**: `make snapshot`, `make release`\n- **CI/CD**: `make ci`, `make pre-commit`\n\n## Contributions\n\nWe look forward to your contributions! Please follow these guidelines:\n\n1. Fork the repo\n2. Create your feature/bug branch (`git checkout -b feature/amazing-feature`)\n3. Commit your changes (`git commit -sam \"Add amazing feature\"`) - commits must be signed\n4. Push to the branch (`git push origin feature/amazing-feature`)\n5. Create a Pull Request\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for detailed guidelines.\n\n## Other SBOM Open Source tools\n\n- [SBOM Seamless Transfer](https://github.com/interlynk-io/sbommv) - A primary tool to transfer SBOMs between different systems\n- [SBOM Quality Score](https://github.com/interlynk-io/sbomqs) - A tool for evaluating the quality and compliance of SBOMs\n- [SBOM Search Tool](https://github.com/interlynk-io/sbomgr) - A tool for context-aware search in SBOM repositories\n- [SBOM Explorer](https://github.com/interlynk-io/sbomex) - A tool for discovering and downloading SBOMs from public repositories\n- [SBOM Benchmark](https://www.sbombenchmark.dev) - A repository of SBOMs and quality scores for popular containers and repositories\n\n## Contact\n\nWe appreciate all feedback. 
The best ways to get in touch with us:\n\n- ❓\u0026 🅰️ [Slack](https://join.slack.com/t/sbomqa/shared_invite/zt-2jzq1ttgy-4IGzOYBEtHwJdMyYj~BACA)\n- 📞 [Live Chat](https://www.interlynk.io/#hs-chat-open)\n- 📫 [Email Us](mailto:hello@interlynk.io)\n- 🐛 [Report a bug or enhancement](https://github.com/interlynk-io/sbomasm/issues)\n- 🐦 [Follow us on X](https://twitter.com/InterlynkIo)\n\n## Stargazers\n\nIf you like this project, please support us by starring it.\n\n[![Stargazers](https://starchart.cc/interlynk-io/sbomasm.svg)](https://starchart.cc/interlynk-io/sbomasm)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finterlynk-io%2Fsbomasm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finterlynk-io%2Fsbomasm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finterlynk-io%2Fsbomasm/lists"}