{"id":13727959,"url":"https://github.com/interlynk-io/sbomgr","last_synced_at":"2026-03-01T22:43:25.366Z","repository":{"id":142544938,"uuid":"606279703","full_name":"interlynk-io/sbomgr","owner":"interlynk-io","description":"SBOM Search - Context aware search in SBOM repositories","archived":false,"fork":false,"pushed_at":"2025-07-29T14:31:40.000Z","size":269,"stargazers_count":28,"open_issues_count":7,"forks_count":3,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-07-29T17:11:11.660Z","etag":null,"topics":["cyclonedx","devsecops","devsecops-pipeline","go","golang","gomodule","sbom-tool","spdx","supplychain"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/interlynk-io.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-02-25T02:43:13.000Z","updated_at":"2025-07-29T14:24:06.000Z","dependencies_parsed_at":"2023-12-19T03:55:01.190Z","dependency_job_id":"433816a2-45cb-44f9-8e8b-576e40bd3ec6","html_url":"https://github.com/interlynk-io/sbomgr","commit_stats":null,"previous_names":[],"tags_count":22,"template":false,"template_full_name":null,"purl":"pkg:github/interlynk-io/sbomgr","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/interlynk-io%2Fsbomgr","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/interlynk-io%2Fsbomgr/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/interlynk-io%2Fsbomgr/releases","manifests_url":"https://repos.ecosyste.ms
/api/v1/hosts/GitHub/repositories/interlynk-io%2Fsbomgr/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/interlynk-io","download_url":"https://codeload.github.com/interlynk-io/sbomgr/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/interlynk-io%2Fsbomgr/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29987641,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-01T22:42:38.399Z","status":"ssl_error","status_checked_at":"2026-03-01T22:41:51.863Z","response_time":124,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cyclonedx","devsecops","devsecops-pipeline","go","golang","gomodule","sbom-tool","spdx","supplychain"],"created_at":"2024-08-03T02:00:35.538Z","updated_at":"2026-03-01T22:43:25.359Z","avatar_url":"https://github.com/interlynk-io.png","language":"Go","funding_links":[],"categories":["Official projects"],"sub_categories":["Repositories"],"readme":"\u003c!--\n Copyright 2023 Interlynk.io\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n     http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT 
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n--\u003e\n\n# `sbomgr`: SBOM Grep :mag: - Search through SBOMs\n\n[![Go Reference](https://pkg.go.dev/badge/github.com/interlynk-io/sbomgr.svg)](https://pkg.go.dev/github.com/interlynk-io/sbomgr)\n[![Go Report Card](https://goreportcard.com/badge/github.com/interlynk-io/sbomgr)](https://goreportcard.com/report/github.com/interlynk-io/sbomgr)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/interlynk-io/sbomgr/badge)](https://securityscorecards.dev/viewer/?uri=github.com/interlynk-io/sbomgr)\n![GitHub all releases](https://img.shields.io/github/downloads/interlynk-io/sbomgr/total)\n\n`sbomgr` is a grep-like command-line utility for searching an SBOM repository by criteria such as package name, checksum, CPE, and PURL.\n\n```sh\ngo install github.com/interlynk-io/sbomgr@latest\n```\n\nOther installation [options](#installation)\n\n# SBOM Platform - Free Community Tier\n\nOur SBOM Automation Platform has a free community tier that provides a comprehensive solution to manage SBOMs (Software Bill of Materials) effortlessly. It offers centralized SBOM storage, a built-in SBOM editor, continuous vulnerability mapping and assessment, and support for organizational policies, all while ensuring compliance and enhancing software supply chain security using integrated SBOM quality scores. The community tier is ideal for small teams. 
Learn more [here](https://www.interlynk.io/community-tier) or [Sign up](https://app.interlynk.io/auth)\n\n# SBOM Card\n\n[![SBOMCard](https://api.interlynk.io/api/v1/badges?type=hcard\u0026project_group_id=e8e2ba0c-3d04-4a2e-9b37-dca774bd08bd)](https://app.interlynk.io/customer/products?id=e8e2ba0c-3d04-4a2e-9b37-dca774bd08bd\u0026signed_url_params=eyJfcmFpbHMiOnsibWVzc2FnZSI6IklqSmtaakkyTkRRMUxXSTBaR0V0TkdJME9TMWhPVFpqTFRBd09UZGtZMlptTWpabU9TST0iLCJleHAiOm51bGwsInB1ciI6InNoYXJlX2x5bmsvc2hhcmVfbHluayJ9fQ==--6d74d14e40d6676522b1c529d44e4a320f05bcf3d42121e61e1275a1297a3453)\n\n# Basic usage\n\nSearch for packages with exact name matching \"abbrev\".\n\n```sh\nsbomgr packages -N 'abbrev' \u003csbom file or dir\u003e\n```\n\nSearch for packages with regexp name matching \"log4\".\n\n```sh\nsbomgr packages -EN 'log4' \u003csbom file or dir\u003e\n```\n\nSearch for packages in an air-gapped environment for name matching \"log4\" (the environment variable disables the online version check).\n\n```sh\nexport INTERLYNK_DISABLE_VERSION_CHECK=true\nsbomgr packages -EN 'log4' \u003csbom file or dir\u003e\n```\n\n# Features\n\n- SBOM format agnostic and currently supports searching through SPDX and CycloneDX.\n- Blazing Fast :rocket:\n- Output search results as [jsonl](https://jsonlines.org/).\n- Supports RE2 [regular expressions](https://github.com/google/re2/wiki/Syntax)\n\n# Use cases\n\n`sbomgr` can answer some of the most common SBOM use cases by searching an SBOM file or SBOM repository.\n\n## How many SBOMs and packages exist in the repository?\n\n```sh\n➜ sbomgr packages -c ~/data/sbom-repo/docker-images\nsbom_files_matched: 86\npackages_matched: 33556\n```\n\n## Are there packages with `zlib` in the name?\n\n```sh\n➜ sbomgr packages -cEN 'zlib' ~/data/sbom-repo/docker-images\nsbom_files_matched: 71\npackages_matched: 145\n```\n\n## Are there packages with a given checksum?\n\n```sh\n➜ sbomgr packages -c -H '5c260231de4f62ee26888776190b4c3fda6cbe14' ~/data/sbom-repo/docker-images\nsbom_files_matched: 2\npackages_matched: 2\n```\n\n## 
Create a JSON report of packages with .zip files\n\n```sh\n➜ sbomgr packages -jrE -N '\\.zip$' ~/data/ | jq .\n{\n  \"path\": \"/home/riteshno/data/spdx-trivy-circleci_clojure-sha256:d8944a6b1bec524314cf4889c104b302036690070a5353b64bb9d11b330e8c76.json\",\n  \"format\": \"json\",\n  \"spec\": \"spdx\",\n  \"product_name\": \"circleci/clojure@sha256:d8944a6b1bec524314cf4889c104b302036690070a5353b64bb9d11b330e8c76\",\n  \"packages\": [\n    {\n      \"name\": \"org.clojure:data.zip\",\n      \"version\": \"0.1.3\",\n      \"purl\": \"pkg:maven/org.clojure/data.zip@0.1.3\"\n    }\n  ],\n  \"matched\": true\n}\n```\n\n## Create a JSON report of all licenses included in an SBOM\n\n```sh\n➜ sbomgr packages -jl ~/data/some-sboms/julia.spdx | jq .\n{\n  \"path\": \"/home/riteshno/data/some-sboms/julia.spdx\",\n  \"format\": \"tag-value\",\n  \"spec\": \"spdx\",\n  \"product_name\": \"julia-spdx\",\n  \"packages\": [\n    {\n      \"name\": \"Julia\",\n      \"version\": \"1.8.0-DEV\",\n      \"license\": [\n        {\n          \"name\": \"MIT License\",\n          \"short\": \"MIT\"\n        }\n      ]\n    },\n```\n\n## During CI, check if a malicious package is present\n\nWith `-q` the tool prints nothing and signals the result through its exit status (0 when a match is found, 1 otherwise), which makes it usable as a CI gate.\n\n```sh\n➜  sbomgr packages -qN 'abbrev' ~/tmp/app.spdx.json\n➜  echo $?\n0\n➜  sbomgr packages -qN 'abbrev-random' ~/tmp/app.spdx.json\n➜  echo $?\n1\n```\n\n## Extract data using a user-defined output format\n\n```sh\nsbomgr packages -O 'toolv,tooln,pkgn,pkgv' ~/tmp/app.spdx.json\n2.0.88\tMicrosoft.SBOMTool\tCoordinated Packages                 \t229170\n2.0.88\tMicrosoft.SBOMTool\tchalk                                \t2.4.2\n2.0.88\tMicrosoft.SBOMTool\tasync-settle                         \t1.0.0\n```\n\n## Using containerized sbomgr\n\n```sh\n$ docker run [volume-maps] ghcr.io/interlynk-io/sbomgr [command] [options]\n```\n\nExample\n\n```sh\n$ docker run -v ~/interlynk/sbomlc/:/app/sbomlc ghcr.io/interlynk-io/sbomgr packages -c /app/sbomlc\n```\n\n```\nUnable to find image 'ghcr.io/interlynk-io/sbomgr:latest' 
locally\nlatest: Pulling from interlynk-io/sbomgr\n479c7812d0ff: Already exists\n5b3064dc8fe2: Already exists\nDigest: sha256:d359b7e6e2b870542500dc00967ca2c5a4e78c8f1658b5c6dbdc8330effe38f8\nStatus: Downloaded newer image for ghcr.io/interlynk-io/sbomgr:latest\n\nA new version of sbomgr is available v0.0.6.\n\nMatching file count: 3153\nMatching package count: 716953\n```\n\n# Search flags\n\n## Packages\n\nThis section explains the flags relevant to the packages search feature.\nThe packages search takes only a single argument, either a file or a directory. There are many flags which can be specified to control its behaviour.\n\n## _Match Criteria_\n\n---\n\n- `-N` or `--name` used for package/component name search.\n- `-C` or `--cpe` used for package/component CPE search.\n- `-P` or `--purl` used for package/component PURL search.\n- `-H` or `--checksum` used for package/component checksum value search.\n\nAll of these match criteria are mutually exclusive; only one may be given per search.\n\n## _Pattern Matching_\n\n---\n\n- `-E` or `--extended-regexp` indicates that the match criterion is a regular expression. The supported syntax is https://github.com/google/re2/wiki/Syntax.\n\n## _Matching Control_\n\n---\n\n- `-i` or `--ignore-case` case-insensitive matching.\n\n## _Output Control_\n\n---\n\n- `-l` or `--license` includes the license of the package/component in the output.\n- `-q` or `--quiet` suppresses all output of the tool; the exit status is 0 (success) if the search criteria match, and non-zero otherwise.\n- `--no-filename` removes the filename from the output.\n- `-j` or `--jsonl` outputs the search results in [jsonl](https://jsonlines.org/).\n- `-p` or `--print-errors` includes errors encountered during searching. The default is to ignore them.\n- `-O` or `--output-format` user-defined output format. 
Options are listed below:\n  - `filen` - filepath\n  - `tooln` - tool with which the SBOM was generated, only prints the first one\n  - `toolv` - tool version\n  - `docn` - SBOM document name\n  - `docv` - SBOM document version\n  - `cpe` - package CPE, only prints the first one and indicates how many CPEs exist.\n  - `purl` - package PURL\n  - `pkgn` - package name\n  - `pkgv` - package version\n  - `pkgl` - package licenses\n  - `specn` - spec of the SBOM document, spdx or cdx.\n  - `chkn` - checksum name\n  - `chkv` - checksum value\n  - `repo` - repository URL\n  - `direct` - package is a direct dependency\n\n## _Stats Control_\n\n---\n\n- `-c` or `--count` suppresses the normal output and prints the counts of matching SBOM filenames and packages.\n\n## _Directory Control_\n\n---\n\n- `-r` or `--recurse` when set, recursively scans all subdirectories.\n\n## _Spec Control_\n\n---\n\n- `--spdx` searches only files which are SPDX.\n- `--cdx` searches only files which are CycloneDX.\n\n# Future work\n\n- Search using files.\n- Search using tool metadata.\n- Search using CVE-ID.\n- Search only direct dependencies.\n- Search up to a specified depth.\n- Provide a list of malicious packages.\n\n# SBOM Samples\n\n- A sample set of SBOMs is present in the [samples](https://github.com/interlynk-io/sbomgr/tree/main/samples) directory above.\n- [SBOM Benchmark](https://www.sbombenchmark.dev) is a repository of SBOMs and quality scores for the most popular containers and repositories\n- [SBOM Explorer](https://github.com/interlynk-io/sbomex) is a command-line utility to search and pull SBOMs\n\n# Installation\n\n## Using Prebuilt binaries\n\n```console\nhttps://github.com/interlynk-io/sbomgr/releases\n```\n\n## Using Homebrew\n\n```console\nbrew tap interlynk-io/interlynk\nbrew install sbomgr\n```\n\n## Using Go install\n\n```console\ngo install github.com/interlynk-io/sbomgr@latest\n```\n\n## Using repo\n\nThis approach involves cloning the repo and building it.\n\n1. 
Clone the repo: `git clone git@github.com:interlynk-io/sbomgr.git`\n2. `cd` into the `sbomgr` folder\n3. Run `make build`\n4. To check that the build succeeded, run `./build/sbomgr version`\n\n# Contributions\n\nWe look forward to your contributions; below are a few guidelines on how to submit them:\n\n- Fork the repo\n- Create your feature/bug branch (`git checkout -b feature/new-feature`)\n- Commit your changes (`git commit -am \"awesome new feature\"`)\n- Push your changes (`git push origin feature/new-feature`)\n- Create a new pull request\n\n# Other SBOM Open Source tools\n\n- [SBOM Assembler](https://github.com/interlynk-io/sbomasm) - A tool for conditional edits and merging of SBOMs\n- [SBOM Seamless Transfer](https://github.com/interlynk-io/sbommv) - A primary tool to transfer SBOMs between different systems.\n- [SBOM Quality Score](https://github.com/interlynk-io/sbomqs) - A tool for evaluating the quality and compliance of SBOMs\n- [SBOM Explorer](https://github.com/interlynk-io/sbomex) - A tool for discovering and downloading SBOMs from a public SBOM repository\n- [SBOM Benchmark](https://www.sbombenchmark.dev) is a repository of SBOMs and quality scores for the most popular containers and repositories\n\n# Contact\n\nWe appreciate all feedback. 
The best ways to get in touch with us:\n\n- :phone: [Live Chat](https://www.interlynk.io/#hs-chat-open)\n- 📫 [Email Us](mailto:hello@interlynk.io)\n- 🐛 [Report a bug or enhancement](https://github.com/interlynk-io/sbomex/issues)\n- :x: [Follow us on X](https://twitter.com/InterlynkIo)\n\n# Stargazers\n\nIf you like this project, please support us by starring it.\n\n[![Stargazers](https://starchart.cc/interlynk-io/sbomgr.svg)](https://starchart.cc/interlynk-io/sbomgr)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finterlynk-io%2Fsbomgr","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finterlynk-io%2Fsbomgr","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finterlynk-io%2Fsbomgr/lists"}