{"id":13606612,"url":"https://github.com/interlynk-io/sbomqs","last_synced_at":"2026-02-09T07:10:17.942Z","repository":{"id":65661934,"uuid":"595838775","full_name":"interlynk-io/sbomqs","owner":"interlynk-io","description":"sbomqs: The Comprehensive SBOM Quality \u0026 Compliance Tool","archived":false,"fork":false,"pushed_at":"2025-12-26T22:52:12.000Z","size":27391,"stargazers_count":258,"open_issues_count":18,"forks_count":29,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-12-28T13:08:38.195Z","etag":null,"topics":["cyclonedx","devsecops-pipeline","go","golang","sbom","sbom-examples","sbom-quality","sbom-samples","sbom-score","sbom-tool","security-tools","spdx","supply-chain-security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/interlynk-io.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-01-31T22:59:22.000Z","updated_at":"2025-12-26T22:50:49.000Z","dependencies_parsed_at":"2024-01-28T04:30:26.131Z","dependency_job_id":"76da00ad-0088-4733-b681-8f52660d0c87","html_url":"https://github.com/interlynk-io/sbomqs","commit_stats":null,"previous_names":[],"tags_count":60,"template":false,"template_full_name":null,"purl":"pkg:github/interlynk-io/sbomqs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/interlynk-io%2Fsbomqs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/interlynk-i
o%2Fsbomqs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/interlynk-io%2Fsbomqs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/interlynk-io%2Fsbomqs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/interlynk-io","download_url":"https://codeload.github.com/interlynk-io/sbomqs/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/interlynk-io%2Fsbomqs/sbom","scorecard":{"id":49719,"data":{"date":"2024-07-05T19:19:41Z","repo":{"name":"github.com/interlynk-io/sbomqs","commit":"634b36d817bc765d4c8961a07cc6e30a419f34ff"},"scorecard":{"version":"v5.0.0-rc2","commit":"7ce8609469289d5f3b1bf5ee3122f42b4e3054fb"},"score":7,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":0,"reason":"0 out of 10 merged PRs checked by a CI test -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge 
detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#code-review"}},{"name":"Contributors","score":10,"reason":"project has 3 contributing companies or organizations -- score normalized to 10","details":["Info: interlynk-io contributor org/company found, bsi contributor org/company found, open source contributor contributor org/company found, "],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses 
fuzzing.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#license"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#maintained"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build.yml:12"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":1,"reason":"dependency not pinned by hash detected -- score normalized to 1","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:19","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:23","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:29","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:31","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:34","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:38","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/release.yml:15","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:19","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:29","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sbom.yml:17","Warn: containerImage not pinned by hash: Dockerfile:1","Warn: downloadThenRun not pinned by hash: .github/workflows/release.yml:26","Warn: downloadThenRun not pinned by hash: .github/workflows/sbom.yml:22","Info:   3 out of   7 GitHub-owned GitHubAction dependencies pinned","Info:   1 out of   7 third-party GitHubAction dependencies pinned","Info:   0 out of   1 containerImage dependencies pinned","Info:   0 out of   2 downloadThenRun dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#sast"}},{"name":"Security-Policy","score":9,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any 
releases.","details":["Warn: release artifact v0.1.5 not signed: https://api.github.com/repos/interlynk-io/sbomqs/releases/163866391","Warn: release artifact v0.1.4 not signed: https://api.github.com/repos/interlynk-io/sbomqs/releases/157398668","Warn: release artifact v0.1.3 not signed: https://api.github.com/repos/interlynk-io/sbomqs/releases/153030169","Warn: release artifact v0.1.2 not signed: https://api.github.com/repos/interlynk-io/sbomqs/releases/152000806","Warn: release artifact v0.1.1 not signed: https://api.github.com/repos/interlynk-io/sbomqs/releases/151953137","Warn: release artifact v0.1.5 does not have provenance: https://api.github.com/repos/interlynk-io/sbomqs/releases/163866391","Warn: release artifact v0.1.4 does not have provenance: https://api.github.com/repos/interlynk-io/sbomqs/releases/157398668","Warn: release artifact v0.1.3 does not have provenance: https://api.github.com/repos/interlynk-io/sbomqs/releases/153030169","Warn: release artifact v0.1.2 does not have provenance: https://api.github.com/repos/interlynk-io/sbomqs/releases/152000806","Warn: release artifact v0.1.1 does not have provenance: https://api.github.com/repos/interlynk-io/sbomqs/releases/151953137"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":8,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/build.yml:15","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/sbom.yml:14","Warn: no topLevel permission defined: .github/workflows/build.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Warn: no topLevel permission defined: .github/workflows/sbom.yml:1","Info: topLevel permissions set to 'read-all': 
.github/workflows/scorecard.yml:18"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-14T23:29:15.470Z","repository_id":65661934,"created_at":"2025-08-14T23:29:15.471Z","updated_at":"2025-08-14T23:29:15.471Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28338971,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T10:58:46.209Z","status":"ssl_error","status_checked_at":"2026-01-12T10:58:42.742Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cyclonedx","devsecops-pipeline","go","golang","sbom","sbom-examples","sbom-quality","sbom-samples","sbom-score","sbom-tool","security-tools","spdx","supply-chain-security"],"created_at":"2024-08-01T19:01:10.670Z","updated_at":"2026-01-12T11:28:30.571Z","avatar_url":"https://github.com/interlynk-io.png","language":"Go","funding_links":[],"categories":["Go","Dependency intelligence","Official projects"],"sub_categories":["SCA and SBOM","Repositories"],"readme":"# sbomqs: The Comprehensive SBOM Quality \u0026 Compliance Tool\n\n[![Go Reference](https://pkg.go.dev/badge/github.com/interlynk-io/sbomqs.svg)](https://pkg.go.dev/github.com/interlynk-io/sbomqs)\n[![Go Report Card](https://goreportcard.com/badge/github.com/interlynk-io/sbomqs)](https://goreportcard.com/report/github.com/interlynk-io/sbomqs)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/interlynk-io/sbomqs/badge)](https://securityscorecards.dev/viewer/?uri=github.com/interlynk-io/sbomqs)\n![GitHub all releases](https://img.shields.io/github/downloads/interlynk-io/sbomqs/total)\n\n**sbomqs** is the industry-leading tool for evaluating SBOM quality, ensuring compliance, and managing your software supply chain security. 
From quality scoring to compliance validation, component analysis to vulnerability tracking - sbomqs provides everything you need to work with SBOMs effectively.\n\n\u003e \"sbomqs is listed as a relevant tool in the SBOM ecosystem\" - [SBOM Generation White Paper, 2025](https://github.com/SBOM-Community/SBOM-Generation)\n\n## Quick Start\n\n```bash\n# Install via Homebrew\nbrew tap interlynk-io/interlynk\nbrew install sbomqs\n\n# Get your first quality score\nsbomqs score your-sbom.json\n```\n\n📚 **[Full Getting Started Guide](docs/getting-started.md)** - Installation for all platforms and basic usage\n\n## Why sbomqs?\n\nIn today's software landscape, understanding and managing your software supply chain is critical. Whether you're in healthcare dealing with FDA requirements, automotive following NHTSA guidelines, or any regulated industry, sbomqs helps you:\n\n- **Instantly assess SBOM quality** - Know if your SBOMs meet quality standards\n- **Ensure compliance** - Validate against BSI, NTIA, FSCT, and industry standards\n- **Find vulnerabilities** - Identify components missing security identifiers\n- **Automate workflows** - Integrate into CI/CD pipelines with ease\n- **Share results** - Generate shareable reports and quality scores\n- **Use as a library** - Integrate sbomqs into your software programmatically\n\n## Key Features\n\n✅ **Multi-Standard Support**: SPDX, CycloneDX  \n✅ **Compliance Validation**: BSI TR-03183-2 (v1.1 \u0026 v2.0), FSCT v3, OpenChain Telco, NTIA  \n✅ **Quality Scoring**: 0-10 scale with detailed breakdowns  \n✅ **Component Analysis**: List, filter, and analyze SBOM components  \n✅ **Integration Ready**: Docker, CI/CD, Dependency-Track, GitHub Actions  \n✅ **Shareable Reports**: Generate public quality score links  \n✅ **Air-Gapped Support**: Works in isolated environments  \n\n## Documentation\n\n📚 **[Getting Started](docs/getting-started.md)** - Installation and basic usage\n\n### 📖 Command Reference\n\n- 
**[score](docs/commands/score.md)** - Calculate SBOM quality score\n- **[compliance](docs/commands/compliance.md)** - Check regulatory compliance  \n- **[list](docs/commands/list.md)** - List and filter components\n- **[share](docs/commands/share.md)** - Generate shareable reports\n- **[dtrackScore](docs/commands/dtrack.md)** - Dependency-Track integration\n- **[generate](docs/commands/generate.md)** - Generate configuration files\n- **[version](docs/commands/version.md)** - Version information\n\n### 🎯 Guides\n\n- **[Customization](docs/guides/customization.md)** - Create custom scoring profiles\n- **[Integrations](docs/guides/integrations.md)** - CI/CD and tool integrations\n- **[Policy](docs/guides/policy.md)** - Policy enforcement and validation\n\n### 📋 Reference\n\n- **[Quality Checks](docs/reference/quality-checks.md)** - All scoring criteria explained\n- **[Compliance Standards](docs/reference/compliance-standards.md)** - BSI, NTIA, FSCT mappings\n\n## Basic Examples\n\n### Check SBOM Quality\n\n```bash\n# Get a quality score (0-10)\nsbomqs score -b my-app.spdx.json\n\n# See detailed breakdown\nsbomqs score my-app.spdx.json\n\n# Check specific category\nsbomqs score my-app.spdx.json --category integrity\n\n# check specific profile \nsbomqs score my-app.spdx.json --category NTIA-minimum-elements --profile ntia\n```\n\n### Verify Compliance\n\n```bash\n# BSI TR-03183-2 v2.0\nsbomqs compliance --bsi-v2 my-app.spdx.json\n\n# FSCT v3\nsbomqs compliance --fsct my-app.spdx.json\n\n# OpenChain Telco\nsbomqs compliance --oct my-app.spdx.json\n```\n\n### Find Missing Data\n\n```bash\n# Components without versions\nsbomqs list my-app.spdx.json --feature comp_with_version --missing\n\n# Components without suppliers\nsbomqs list my-app.spdx.json --feature comp_with_supplier --missing\n```\n\n### Share Results\n\n```bash\n# Generate shareable link (doesn't upload SBOM content)\nsbomqs share my-app.spdx.json\n```\n\n### Integrating sbomqs into your 
software\n\n```go\npackage main\n\nimport (\n   \"context\"\n   \"fmt\"\n   \"log\"\n\n   \"github.com/interlynk-io/sbomqs/v2/pkg/scorer/v2/config\"\n   \"github.com/interlynk-io/sbomqs/v2/pkg/scorer/v2/score\"\n)\n\nfunc main() {\n   // Default configuration: comprehensive scoring with no profile filter\n   cfg := config.Config{}\n   // make sure current dir has sbom file: `sbom.cdx.json`\n   paths := []string{\"sbom.cdx.json\"}\n\n   results, err := score.ScoreSBOM(context.Background(), cfg, paths)\n   if err != nil {\n      log.Fatalf(\"scoring failed: %v\", err)\n   }\n\n   for _, r := range results {\n      // Comprehensive result is the default evaluation\n      if r.Comprehensive != nil {\n         fmt.Printf(\"Interlynk score: %.2f  Grade: %s\\n\", r.Comprehensive.InterlynkScore, r.Comprehensive.Grade)\n      }\n   }\n}\n```\n\nFor more examples, refer here: \u003chttps://github.com/interlynk-io/sbomqs/blob/main/docs/guides/integrations.md\u003e\n\n## Industry Use Cases\n\n- **Healthcare \u0026 Medical Devices**: Meet FDA SBOM requirements for medical device submissions\n- **Automotive**: Comply with NHTSA cybersecurity guidelines for vehicle software\n- **Financial Services**: Support DORA and PCI DSS software transparency requirements\n- **Telecommunications**: Ensure critical infrastructure security with OpenChain Telco\n- **Enterprise Software**: Manage supply chain risk with comprehensive quality metrics\n\n## SBOM Platform - Free Community Tier \n\nOur SBOM Automation Platform has a free community tier that provides a comprehensive solution to manage SBOMs (Software Bill of Materials) effortlessly. It offers centralized SBOM storage, a built-in SBOM editor, and vulnerability mapping and assessment, all while ensuring compliance and enhancing software supply chain security using integrated SBOM quality scores. The community tier is ideal for small teams. 
Learn more [here](https://www.interlynk.io/community-tier) or [Sign up](https://app.interlynk.io/auth)\n\n## SBOM Card\n\n[![SBOMCard](https://api.interlynk.io/api/v1/badges.svg?type=hcard\u0026project_group_id=7f52093e-3d78-49cb-aeb1-6c977de9442e\n)](https://app.interlynk.io/customer/products?id=7f52093e-3d78-49cb-aeb1-6c977de9442e\u0026signed_url_params=eyJfcmFpbHMiOnsibWVzc2FnZSI6IklqUmhPRGRoTjJNNExXSXpZekl0TkdVeE9TMDVNRGxoTFRKbFpHRmlPR1ZoWldReVl5ST0iLCJleHAiOm51bGwsInB1ciI6InNoYXJlX2x5bmsvc2hhcmVfbHluayJ9fQ==--daf6585ecf8013a0b2713a5cebb28c140d29eed904b15c84c0566b9ddd334e71)\n\n## Contributions\n\nWe welcome contributions! Here's how to get started:\n\n1. Fork the repository\n2. Create your feature branch (`git checkout -b feature/amazing-feature`)\n3. Commit your changes (`git commit -sam 'Add amazing feature'`)\n4. Push to the branch (`git push origin feature/amazing-feature`)\n5. Open a Pull Request\n\nPlease ensure:\n\n- All commits are signed\n- Tests pass (`make test`)\n- Code follows our style guide (`make lint`)\n\n📖 [Contributing Guidelines](./CONTRIBUTING.md)\n\n## Community Recognition\n\nsbomqs has gained significant adoption across the industry for SBOM quality assessment and compliance validation:\n\n## 📚 Academic Research \u0026 Publications\n\n### Peer-Reviewed Papers Using sbomqs\n\n1. **Soeiro, L., Robert, T., \u0026 Zacchiroli, S. (2025)**  \n   *Wild SBOMs: a Large-scale Dataset of Software Bills of Materials from Public Code*  \n   22nd IEEE/ACM International Conference on Mining Software Repositories (MSR 2025)  \n   **DOI:** [arXiv:2503.15021](https://arxiv.org/abs/2503.15021)  \n   **Usage:** Uses sbomqs to compute quality scores for over 78,000 SBOMs in their large-scale dataset from 94 million GitHub repositories.\n1. **Novikov, O., Fucci, D., Adamov, O., \u0026 Mendez, D. 
(2025)**\n     POLICY-DRIVEN SOFTWARE BILL OF MATERIALS ON GITHUB: AN EMPIRICAL STUDY\n     arXiv preprint\n     **DOI:**  [arXiv:2509.01255](https://arxiv.org/abs/2509.01255)\n     **Usage:** Uses sbomqs to assess the quality of 620 policy-driven SBOMs found on GitHub, calculating a quality score based on structural and\n     semantic completeness.\n\n### White Papers \u0026 Technical Documents\n\n2. **SBOM Generation White Paper (2025)**  \n   *SBOM Community, February 2025*  \n   **Citation:** Lists sbomqs as a \"relevant tool in the SBOM ecosystem\" and highlights it as demonstrating best practices in SBOM quality assessment.\n\n3. **OpenChain Telco SBOM Guide v1.1 (2025)**  \n   *OpenChain Project*  \n   **URL:** [OpenChain Project](https://openchainproject.org/)  \n   **Usage:** References sbomqs as a recommended tool for telecommunications operators managing complex software supply chains, particularly for its ability to validate SBOMs across multiple formats.\n   \n### Major Platforms \u0026 Companies\n\n### 1. **Harness Software Supply Chain Assurance (SSCA)**\n\n- **Company:** Harness Inc.\n- **Usage:** Uses sbomqs as the engine powering their SBOM quality scoring feature\n- **Features:** Provides quality scores from 1-10 for generated SBOMs with SBOM drift detection capabilities\n- **Reference:** [Harness Developer Hub](https://developer.harness.io/docs/software-supply-chain-assurance/open-source-management/generate-sbom-for-artifacts)\n- **Blog Post:** [Level Up your Zero-day Vulnerability Remediation and SBOM Quality](https://www.harness.io/blog/level-up-your-zero-day-vulnerability-remediation-and-sbom-quality-for-a-more-secure-software-supply-chain) (May 2025)\n\n### 2. 
**sbom.sh**\n\n- **Platform:** [sbom.sh](https://sbom.sh)\n- **Usage:** Uses the sbomqs engine to evaluate and score uploaded SBOMs\n- **Features:** Automatically generates a quality score (1–10) based on metadata completeness, component coverage, and spec compliance (SPDX/CycloneDX), displaying results directly in the web interface\n\n### 3. **SBOM Benchmark Platform**\n\n- **Platform:** [sbombenchmark.dev](https://sbombenchmark.dev/)\n- **Usage:** Uses the sbomqs engine for scoring CycloneDX and SPDX SBOMs\n- **Features:** Provides shareable quality reports without requiring SBOM uploads\n\n### 4. **Interlynk Platform**\n\n- **Company:** Interlynk Inc.\n- **Milestone:** Reached 100 customers on community tier, including four Fortune 500 companies\n- **Integration:** sbomqs integrated for SBOM quality assessment across the platform\n\n### 5. **SBOMly**\n\n- **Platform:**  [SBOMly](https://sbomly.com/).\n- **Usage:** Uses the sbomqs engine for scoring CycloneDX and SPDX SBOMs to check how complete and useful SBOMs are.\n- **Features:** SBOMly makes it easy to scan your project dependencies for known vulnerabilities. 
It generates an SBOM using Syft, then scans it for vulnerabilities using both Grype and OSV-Scanner for comprehensive coverage, and gives a detailed report showing all components, vulnerabilities, severity levels, and fix commands you can run to remediate issues.\n\n### CI/CD \u0026 Package Manager Support\n\n- GitHub Actions via Docker (`ghcr.io/interlynk-io/sbomqs`)\n- Homebrew (`brew install sbomqs`)\n- Go modules (`go install`)\n- Docker Hub \u0026 GitHub Container Registry\n- Uniget tools repository\n\n### Compliance Standards\n\nTrusted for validating compliance with:\n\n- NTIA Minimum Elements\n- BSI TR-03183-2 (v1.1 \u0026 v2.0)\n- OpenChain Telco (OCT)\n- Framing Software Component Transparency (FSCT v3)\n\n## Other SBOM Open Source Tools\n\nInterlynk provides a comprehensive suite of SBOM tools:\n\n- [**SBOM Assembler**](https://github.com/interlynk-io/sbomasm) - Complete SBOM toolkit (Merging/Enriching/Signing and Editing)\n- [**SBOM Explorer**](https://github.com/interlynk-io/sbomex) - Search and download from public repositories  \n- [**SBOM Search Tool**](https://github.com/interlynk-io/sbomgr) - Context-aware repository search\n- [**SBOM Seamless Transfer**](https://github.com/interlynk-io/sbommv) - Transfer between systems\n- [**SBOM Benchmark**](https://www.sbombenchmark.dev) - Repository of SBOM quality scores\n\n## Blog Posts\n\n- [sbomqs and SBOM Policies](https://sbom-insights.dev/posts/sbomqs-and-sbom-policies-turning-transparency-into-action/)\n- [sbomqs scoring support for BSI-1.1 and BSI-2.0](https://sbom-insights.dev/posts/sbomqs-scoring-support-for-bsi-1.1-and-bsi-2.0-in-a-summarized-way/)\n- [What’s Missing in Your SBOM](https://sbom-insights.dev/posts/whats-missing-in-your-sbom-sbomqs-list-can-help-you-in-inspecting.../)\n\n## Contact\n\n- ❓ [Community Slack](https://join.slack.com/t/sbomqa/shared_invite/zt-2jzq1ttgy-4IGzOYBEtHwJdMyYj~BACA)\n- 💬 [Live Chat](https://www.interlynk.io/#hs-chat-open)\n- 📧 [Email](mailto:hello@interlynk.io)\n- 🐛 
[GitHub Issues](https://github.com/interlynk-io/sbomqs/issues)\n- 🐦 [Follow us on X](https://twitter.com/InterlynkIo)\n\n## Stargazers\n\nIf sbomqs helps you improve your SBOM quality and compliance, please ⭐ this repository!\n\n[![Stargazers](https://starchart.cc/interlynk-io/sbomqs.svg)](https://starchart.cc/interlynk-io/sbomqs)\n\n---\n\n**sbomqs** - Building trust in software supply chains, one SBOM at a time.\n\nMade with ❤️ by [Interlynk.io](https://www.interlynk.io)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finterlynk-io%2Fsbomqs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finterlynk-io%2Fsbomqs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finterlynk-io%2Fsbomqs/lists"}