{"id":13581291,"url":"https://github.com/kubernetes-sigs/bom","last_synced_at":"2025-08-07T23:55:15.775Z","repository":{"id":37378091,"uuid":"429800698","full_name":"kubernetes-sigs/bom","owner":"kubernetes-sigs","description":"A utility to generate SPDX-compliant Bill of Materials manifests","archived":false,"fork":false,"pushed_at":"2024-12-16T08:28:51.000Z","size":23620,"stargazers_count":355,"open_issues_count":8,"forks_count":50,"subscribers_count":11,"default_branch":"main","last_synced_at":"2024-12-16T18:04:55.341Z","etag":null,"topics":["bom","go","golang","kubernetes","sbom","spdx"],"latest_commit_sha":null,"homepage":"https://kubernetes-sigs.github.io/bom/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kubernetes-sigs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"code-of-conduct.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-11-19T13:06:36.000Z","updated_at":"2024-12-16T08:28:56.000Z","dependencies_parsed_at":"2023-02-16T17:01:07.390Z","dependency_job_id":"aacdba68-4cfc-4f6a-be46-74cd38fa9c58","html_url":"https://github.com/kubernetes-sigs/bom","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":"kubernetes/kubernetes-template-project","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubernetes-sigs%2Fbom","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubernetes-sigs%2Fbom/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubernetes-sigs%2Fbom/releases","manifests_url":"https://repos
.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubernetes-sigs%2Fbom/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kubernetes-sigs","download_url":"https://codeload.github.com/kubernetes-sigs/bom/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247450114,"owners_count":20940858,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bom","go","golang","kubernetes","sbom","spdx"],"created_at":"2024-08-01T15:02:00.021Z","updated_at":"2025-04-06T07:31:56.089Z","avatar_url":"https://github.com/kubernetes-sigs.png","language":"Go","funding_links":[],"categories":["Go","Software Bill of Materials","golang","Dependency intelligence"],"sub_categories":["SCA and SBOM"],"readme":"# `bom`: The SBOM Multitool\n\n[![PkgGoDev](https://pkg.go.dev/badge/sigs.k8s.io/bom)](https://pkg.go.dev/sigs.k8s.io/bom)\n[![Go Report Card](https://goreportcard.com/badge/sigs.k8s.io/bom)](https://goreportcard.com/report/sigs.k8s.io/bom)\n[![Slack](https://img.shields.io/badge/Slack-%23release--management-blueviolet)](https://kubernetes.slack.com/archives/C2C40FMNF)\n\n ![bom The SBOM Multitool](logo/logo.png)\n\n\n\n## What is `bom`?\n\n`bom` is a utility that lets you create, view and transform Software Bills of\nMaterials (SBOMs). `bom` was created as part of the project to create an SBOM\nfor the Kubernetes project. 
It enables software authors to generate an\nSBOM for their projects in a simple, yet powerful way.\n\n`bom` is a project incubating in the Linux Foundation's\n[Automating Compliance Tooling TAC](https://github.com/act-project/TAC).\n\n`bom` is a general-purpose tool that can generate SPDX packages from\ndirectories, container images, single files, and other sources. The utility\nhas a built-in license classifier that recognizes the 400+ licenses in\nthe SPDX catalog.\n\nOther features include Golang dependency analysis and full `.gitignore`\nsupport when scanning git repositories.\n\nFor more in-depth instructions on how to create an SBOM for your project, see\n[\"Generating a Bill of Materials for Your Project\"](https://kubernetes-sigs.github.io/bom/tutorials/creating_bill_of_materials/).\n\nThe guide includes information about what a Software Bill of Materials is,\nthe SPDX standard, and instructions to add files, images, directories, and\nother sources to your SBOM.\n\n- [Installation](#installation)\n- [Usage](#usage)\n  - [`bom generate`](#bom-generate)\n  - [`bom document`](#bom-document)\n- [Examples](#examples)\n  - [Generate a SBOM from the Current Directory](#generate-a-sbom-from-the-current-directory)\n  - [Process a Container Image](#process-a-container-image)\n  - [Generate a SBOM to describe files](#generate-a-sbom-to-describe-files)\n- [Code of conduct](#code-of-conduct)\n\n## Installation\n\nTo install `bom`:\n\n```console\ngo install sigs.k8s.io/bom/cmd/bom@latest\n```\n\n## Usage\n\n- completion: generate the autocompletion script for the specified shell\n- [document](#bom-document): Work with SPDX documents\n- [generate](#bom-generate): Create SPDX manifests\n- help: Help about any command\n\n### `bom generate`\n\n`bom generate` is the `bom` subcommand to generate SPDX manifests.\n\nIt currently supports creating SBOMs from files, images, and Docker\narchives (images in tarballs). 
It supports pulling images from\nremote registries for analysis.\n\n`bom` can take a deeper look into images using a growing number\nof analyzers that extract more meaning from common base images.\n\nThe SBOM data can also be exported as an in-toto provenance\nattestation. The output is a provenance statement that lists all\nthe SPDX data as in-toto subjects and is otherwise left to be\ncompleted by a later stage in your CI/CD pipeline. See the\n--provenance flag for more details.\n\n```console\nUsage:\n  bom generate [flags]\n\nFlags:\n  -a, --analyze-images          go deeper into images using the available analyzers\n      --archive strings         list of archives to add as packages (supports tar, tar.gz)\n  -c, --config string           path to yaml SBOM configuration file\n  -d, --dirs strings            list of directories to include in the manifest as packages\n  -f, --file strings            list of files to include\n      --format string           format of the document (supports tag-value, json) (default \"tag-value\")\n  -h, --help                    help for generate\n      --ignore strings          list of regexp patterns to ignore when scanning directories\n  -i, --image strings           list of images\n      --image-archive strings   list of docker archive tarballs to include in the manifest\n  -l, --license string          SPDX license identifier to declare in the SBOM\n      --name string             name for the document, in contrast to URLs, intended for humans\n  -n, --namespace string        an URI that serves as namespace for the SPDX doc\n      --no-gitignore            don't use exclusions from .gitignore files\n      --no-gomod                don't perform go.mod analysis, sbom will not include data about go packages\n      --no-transient            don't include transient go dependencies, only direct deps from go.mod\n  -o, --output string           path to the file where the document will be written (defaults to STDOUT)\n      
--provenance string       path to export the SBOM as an in-toto provenance statement\n      --scan-images             scan container images to look for OS information (currently debian only) (default true)\n\nGlobal Flags:\n      --log-level string   the logging verbosity, either 'panic', 'fatal', 'error', 'warning', 'info', 'debug', 'trace' (default \"info\")\n\n```\n\n### `bom document`\n\nThe `bom document` subcommand can visualize SBOMs as well as query them for\ninformation.\n\n```console\nbom document → Work with SPDX documents\n\nUsage:\n  bom document [command]\n\nAvailable Commands:\n  outline     bom document outline → Draw structure of a SPDX document\n  query       bom document query → Search for information in an SBOM\n```\n\n### `bom document outline`\n\nWith `bom document outline`, the contents of an SBOM can be rendered to show\nhow the information it contains is structured. Here is an example rendering the\n`debian:bookworm-slim` image for amd64:\n\n```\nbom generate --output=debian.spdx --image \\\n  debian@sha256:0aac521df91463e54189d82fe820b6d36b4a0992751c8339fbdd42e2bc1aa491\n\nbom document outline debian.spdx\n\n               _\n ___ _ __   __| |_  __\n/ __| '_ \\ / _` \\ \\/ /\n\\__ \\ |_) | (_| |\u003e  \u003c\n|___/ .__/ \\__,_/_/\\_\\\n    |_|\n\n 📂 SPDX Document SBOM-SPDX-71f1009c-dc17-4f4d-b4ec-72210c1a8d7f\n  │\n  │ 📦 DESCRIBES 1 Packages\n  │\n  ├ sha256:0aac521df91463e54189d82fe820b6d36b4a0992751c8339fbdd42e2bc1aa491\n  │  │ 🔗 1 Relationships\n  │  └ CONTAINS PACKAGE sha256:b37cbf60a964400132f658413bf66b67e5e67da35b9c080be137ff3c37cc7f65\n  │  │  │ 🔗 86 Relationships\n  │  │  ├ CONTAINS PACKAGE apt@2.5.4\n  │  │  ├ CONTAINS PACKAGE base-files@12.3\n  │  │  ├ CONTAINS PACKAGE base-passwd@3.6.1\n  │  │  ├ CONTAINS PACKAGE bash@5.2.15-2\n  │  │  ├ CONTAINS PACKAGE bsdutils@1:2.38.1-4\n  │  │  ├ CONTAINS PACKAGE coreutils@9.1-1\n  │  │  ├ CONTAINS PACKAGE dash@0.5.11+git20210903+057cd650a4ed-9\n  │  │  ├ CONTAINS PACKAGE debconf@1.5.81\n  │  │  ├ 
CONTAINS PACKAGE debian-archive-keyring@2021.1.1\n  │  │  ├ CONTAINS PACKAGE debianutils@5.7-0.4\n  │  │  ├ CONTAINS PACKAGE diffutils@1:3.8-3\n  │  │  ├ CONTAINS PACKAGE dpkg@1.21.13\n  │  │  ├ CONTAINS PACKAGE e2fsprogs@1.46.6~rc1-1+b1\n  │  │  ├ CONTAINS PACKAGE findutils@4.9.0-3\n  │  │  ├ CONTAINS PACKAGE gcc-12-base@12.2.0-13\n  │  │  ├ CONTAINS PACKAGE gpgv@2.2.40-1\n  │  │  ├ CONTAINS PACKAGE grep@3.8-3\n  │  │  ├ CONTAINS PACKAGE gzip@1.12-1\n  │  │  ├ CONTAINS PACKAGE hostname@3.23+nmu1\n  │  │  ├ CONTAINS PACKAGE init-system-helpers@1.65.2\n\n[trimmed]\n\n```\n\n## Examples\n\nThe following examples show how `bom` can process different sources to generate\nan SPDX Bill of Materials. Multiple sources can be combined into a single document\ndescribing all of them.\n\n### Generate a SBOM from the Current Directory\n\nTo process a directory as a source for your SBOM, use the `-d` flag or simply pass\nthe path (or the current directory) as the first argument to `bom generate`:\n\n```bash\nbom generate .\n```\n\n### Process a Container Image\n\nThis example pulls the `kube-apiserver` image, analyzes it, and describes it in the\nSBOM. Each of its layers is then expressed as a subpackage in the resulting\ndocument:\n\n```console\nbom generate -n http://example.com/ --image registry.k8s.io/kube-apiserver:v1.21.0\n```\n\n### Generate a SBOM to describe files\n\nYou can create an SBOM with just files in the manifest. 
For that, use `-f`:\n\n```console\nbom generate -n http://example.com/ \\\n  -f Makefile \\\n  -f file1.exe \\\n  -f document.md \\\n  -f other/file.txt\n```\n\n## Code of conduct\n\nParticipation in the Kubernetes community is governed by the [Kubernetes Code of Conduct](code-of-conduct.md).\n\n\n| | | |\n| --- | --- | -- |\n| ![ACT TAC](logo/act-tac.png) |  ![SPDX](logo/spdx.png) | ![Kubernetes](logo/kubernetes.png) |\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkubernetes-sigs%2Fbom","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkubernetes-sigs%2Fbom","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkubernetes-sigs%2Fbom/lists"}
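The `bom document outline` rendering in the README above is a walk over the SPDX document's relationships: the document DESCRIBES an image package, which CONTAINS a layer package, which CONTAINS the OS packages. As an added example that is not part of the `bom` project's code, the following Go program parses a small SPDX tag-value document (constructed inline, with only the fields the walk needs; a real document from `bom generate` carries many more mandatory fields), renders the same relationship tree, and, as the check a consumer would want before trusting an SBOM, lists every package that no relationship chain from the document reaches. The type and function names and the sample SPDXIDs are the example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed SPDX 2.3 tag-value fragment (not bom output) shaped like the outline above.
// Fields the walk does not need are omitted; the last package is deliberately unlinked.
const sampleSBOM = `SPDXID: SPDXRef-DOCUMENT
PackageName: debian-bookworm-slim
SPDXID: SPDXRef-Package-image
PackageName: layer-0
SPDXID: SPDXRef-Package-layer0
PackageName: apt
SPDXID: SPDXRef-Package-apt
PackageVersion: 2.5.4
PackageName: leftover-tool
SPDXID: SPDXRef-Package-orphan
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-image
Relationship: SPDXRef-Package-image CONTAINS SPDXRef-Package-layer0
Relationship: SPDXRef-Package-layer0 CONTAINS SPDXRef-Package-apt
`

// spdxDoc: document SPDXID, a label per element ("name" or "name@version"), relationships by source.
type spdxDoc struct {
	DocID    string
	Names    map[string]string
	Children map[string][][3]string // from SPDXID -> (from, type, to) triples
}

// parseTagValue reads the "Tag: value" format bom emits by default: PackageName/FileName starts an
// element and the next SPDXID names it; an SPDXID before any element is the document's own.
func parseTagValue(src string) (*spdxDoc, error) {
	doc := &spdxDoc{Names: map[string]string{}, Children: map[string][][3]string{}}
	var pendingName, curID string
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		tag, val, ok := strings.Cut(strings.TrimSpace(sc.Text()), ": ")
		switch {
		case !ok || strings.HasPrefix(tag, "#"): // blank lines, comments, tags without a value
		case tag == "PackageName" || tag == "FileName":
			pendingName, curID = val, ""
		case tag == "SPDXID" && pendingName == "" && doc.DocID == "":
			doc.DocID = val
		case tag == "SPDXID" && pendingName != "":
			curID, pendingName, doc.Names[val] = val, "", pendingName
		case tag == "PackageVersion" && curID != "":
			doc.Names[curID] += "@" + val
		case tag == "Relationship":
			f := strings.Fields(val)
			if len(f) != 3 {
				return nil, fmt.Errorf("malformed relationship %q", val)
			}
			doc.Children[f[0]] = append(doc.Children[f[0]], [3]string{f[0], f[1], f[2]})
		}
	}
	return doc, sc.Err()
}

// outline walks relationships forward from the document, as `bom document outline` does, returning
// one indented "TYPE target" line per edge plus the SPDXIDs never reached: a package that is in the
// SBOM but not wired into the DESCRIBES/CONTAINS graph is invisible to consumers that follow the graph.
func (d *spdxDoc) outline() (lines, unreached []string) {
	reached := map[string]bool{d.DocID: true}
	var walk func(id string, depth int)
	walk = func(id string, depth int) {
		for _, r := range d.Children[id] {
			name, ok := d.Names[r[2]]
			if !ok {
				name = r[2] // dangling target: show the raw SPDXID rather than hide it
			}
			lines = append(lines, strings.Repeat("  ", depth)+r[1]+" "+name)
			if !reached[r[2]] { // expand each element once: a shared subtree is not
				reached[r[2]] = true // repeated and a cycle cannot recurse forever
				walk(r[2], depth+1)
			}
		}
	}
	walk(d.DocID, 0)
	for id := range d.Names {
		if !reached[id] {
			unreached = append(unreached, id)
		}
	}
	sort.Strings(unreached)
	return lines, unreached
}

func main() {
	doc, err := parseTagValue(sampleSBOM)
	if err != nil {
		panic(err)
	}
	lines, orphans := doc.outline()
	fmt.Println(strings.Join(lines, "\n"), "\nunreachable elements:", orphans)
}
```

Run with `go run`: it prints the three-edge tree (`DESCRIBES debian-bookworm-slim`, `CONTAINS layer-0`, `CONTAINS apt@2.5.4`) and reports `SPDXRef-Package-orphan` as unreachable. Only forward relationships are followed, which matches the DESCRIBES and CONTAINS forms shown in the outline above; a document that expresses containment the other way round (for example `CONTAINED_BY`) would need its edges inverted before this walk sees them.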