{"id":35419737,"url":"https://github.com/scanoss/sbom-workbench","last_synced_at":"2026-03-04T13:03:39.194Z","repository":{"id":37092025,"uuid":"375663611","full_name":"scanoss/sbom-workbench","owner":"scanoss","description":"The SCANOSS SBOM Workbench graphical user interface to scan and audit your source code.","archived":false,"fork":false,"pushed_at":"2026-02-24T11:39:03.000Z","size":20651,"stargazers_count":60,"open_issues_count":2,"forks_count":12,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-02-24T16:39:28.824Z","etag":null,"topics":["license","open-source","sbom","sbom-generator","software-composition-analysis"],"latest_commit_sha":null,"homepage":"https://scanoss.com/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/scanoss.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2021-06-10T10:48:02.000Z","updated_at":"2026-02-24T11:39:06.000Z","dependencies_parsed_at":"2023-10-11T11:32:29.858Z","dependency_job_id":"128b326d-62b6-4f2e-9a6d-11f87594bdbe","html_url":"https://github.com/scanoss/sbom-workbench","commit_stats":null,"previous_names":["scanoss/audit-workbench"],"tags_count":178,"template":false,"template_full_name":null,"purl":"pkg:github/scanoss/sbom-workbench","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scanoss%2Fsbom-workbench","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scan
oss%2Fsbom-workbench/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scanoss%2Fsbom-workbench/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scanoss%2Fsbom-workbench/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/scanoss","download_url":"https://codeload.github.com/scanoss/sbom-workbench/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scanoss%2Fsbom-workbench/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30081102,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-04T12:28:08.313Z","status":"ssl_error","status_checked_at":"2026-03-04T12:27:28.210Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["license","open-source","sbom","sbom-generator","software-composition-analysis"],"created_at":"2026-01-02T16:15:56.209Z","updated_at":"2026-03-04T13:03:39.155Z","avatar_url":"https://github.com/scanoss.png","language":"TypeScript","readme":"# [SBOM Workbench](https://scanoss.com/product)\n\n\u003cdiv\u003e\n\n![GitHub release (latest by date)](https://img.shields.io/github/v/release/scanoss/sbom-workbench)\n![License](https://img.shields.io/badge/license-GPL--2.0--only-brightgreen)\n[![REUSE 
status](https://api.reuse.software/badge/github.com/scanoss/sbom-workbench)](https://api.reuse.software/info/github.com/scanoss/sbom-workbench)\n![test_workflow](https://github.com/scanoss/sbom-workbench/actions/workflows/test.yml/badge.svg?branch=main)\n\n\u003c/div\u003e\n\nThe SBOM Workbench is a graphical user interface to scan and audit source code using SCANOSS API.\n\nAuditing your source code for license compliance has never been easier. Simply scan your source code directory to find and identify open source components. Generate your SPDX-Lite software bill of materials (SBOM) with the press of a button.\n\n_Find prebuilt binaries for all platforms over at: [Software Transparency Foundation](https://www.softwaretransparency.org/download)_\n\n\n\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\".erb/img/workbench_1.c77c358.png\" align=\"center\" width=\"70%\" /\u003e\n\u003c/div\u003e\n\n## Prerequisites\n\n- Node.js \u003e=v22.12.0\n- NPM (Node Packages Manager)\n\nWe strongly recommend handling your node versions using [nvm](https://github.com/nvm-sh/nvm)\n\n## Install\n\n```bash\nnpm install --legacy-peer-deps\n```\nPlease note that you should include the `--legacy-peer-deps` parameter in the installation command. This is because `@mui/styles` is not compatible with React 18. 
You can find more information about this at [https://mui.com/system/styles/basics/](https://mui.com/system/styles/basics/).\n\n### Troubleshooting\n\nSBOM Workbench uses [node-gyp](https://www.npmjs.com/package/node-gyp) to compile the SQLite3 native module.\nThis module uses \"node-pre-gyp\" to download the prebuilt binary for your platform instead of building from source.\nIn case it does not exist for your platform, node-gyp will build it.\n\nDepending on your operating system, you will need to prepare the correct environment to run node-gyp. See [https://github.com/nodejs/node-gyp#installation](https://github.com/nodejs/node-gyp#installation)\n\n## Starting Development\n\nStart the app in the `dev` environment:\n\n```bash\nnpm start\n```\n\nFor live reloading you can use `npm run start --watch` to run the app using [Electronmon](https://github.com/catdad/electronmon#readme). Warning: this tool has a high memory consumption.\n\n## Packaging for Production\n\nTo package apps for the local platform:\n\n```bash\nnpm run package\n```\n\n## Multi-language (i18n)\n\nSBOM Workbench is multi-language enabled. To contribute a new language please see our [internationalization documentation](assets/i18n/README.md).\n\n## Workbench Configuration\nSBOM Workbench supports advanced settings. 
All configuration needs to be included in the global config file `~/.scanoss/sbom-workbench-settings.json`.\n\n### Scanner parameters\n\n`\"SCANNER_CONCURRENCY_LIMIT\": \"\u003cinteger\u003e\"`\nNumber of threads to use while scanning (optional - default 5)\n\n`\"SCANNER_POST_SIZE\": \"\u003cinteger\u003e\"`\nNumber of kilobytes to limit the post to while scanning (optional - default 16)\n\n`\"SCANNER_TIMEOUT\": \"\u003cinteger\u003e\"`\nTimeout (in seconds) for API communication (optional - default 300)\n\n### Proxy settings\nYou might need to specify proxy settings depending on how your network is configured.\n\n`\"PROXY\": \"\u003cproxy_ip_address\u003e:\u003cproxy_port\u003e\"`\n\nIf your network is using a proxy with SSL interception, you can include your certificate in the configuration.\n\n`\"CA_CERT\": \"\u003ccertificate_path\u003e\"`\n\nTo ignore SSL certificate errors, set this option to true. With certificate errors ignored the server certificate is no longer verified, so prefer `CA_CERT` when the proxy certificate is available.\n\n`\"IGNORE_CERT_ERRORS\": true`\n\n# Local Cryptography Detection in SBOM-Workbench\n\n## Overview\n\nLocal cryptography can be detected by SBOM-Workbench when an API key is configured. This feature enables the detection of cryptographic algorithms and libraries within a codebase.\n\n## Default and Custom Detection Rules\n\nDefault rules are provided for the detection of cryptographic algorithms and libraries. However, custom rules may be defined at the root of the project to be scanned.\n\n### Custom Rule Files\n\nCustom rules can be defined through the following JSON files at the project root:\n\n- **Algorithm detection rules**: `scanoss-crypto-algorithm-rules.json`. 
See: [Algorithm Rules Sample](./assets/data/scanoss-crypto-algorithm-rules.json)\n- **Library detection rules**: `scanoss-crypto-library-rules.json`\n\n## Rule File Structure\n\n### Algorithm Rules Structure\n\nThe structure of `scanoss-crypto-algorithm-rules.json` should be formatted as follows:\n```json\n[\n   {\n     \"algorithmId\": \"md5\",\n     \"algorithm\": \"MD5 Message-Digest Algorithm\",\n     \"strength\": \"128\",\n     \"keywords\": [\n       \"md5_file\",\n       \"md5\",\n       \"md5crypt\",\n       \"aprcrypt\",\n       \"md5_encrypt\",\n       \"md5_block_data_order\",\n       \"ossl_md5_sha1_\",\n       \"MD5_Init\"\n     ]\n   }\n ]\n``` \n\n### Library Rules Structure\n\nThe structure of `scanoss-crypto-library-rules.json` should be formatted as follows:\n```json\n[\n  {\n    \"id\": \"library/webcrypto\",\n    \"name\": \"Web Cryptography API\",\n    \"description\": \"A JavaScript API for performing basic cryptographic operations in web applications.\",\n    \"keywords\": [\n      \"window.crypto.subtle\",\n      \"crypto.subtle.\",\n      \"crypto.getRandomValues\",\n      \"NodeWebCrypto\",\n      \"WebCryptoAPI\"\n    ],\n    \"url\": \"https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API\",\n    \"category\": \"library\",\n    \"purl\": \"pkg:generic/webcrypto\",\n    \"tags\": [\n      \"JavaScript\"\n    ]\n  }\n ]\n``` \n\n\n# SCANOSS Settings File\nSCANOSS provides a settings file to customize the scanning process. The settings file is a JSON file that contains project information and BOM (Bill of Materials) rules. It allows you to include, remove, or replace components in the BOM before and after scanning.\n\n### Settings\nThe ``scanoss.json`` object allows you to configure various aspects of the scanning process. 
Currently, it provides control over which files should be skipped during scanning through the ``skip`` property.\n\n\n### BOM Rules\n\nThe ``bom`` section defines rules for modifying the BOM before and after scanning. It contains three main operations:\n\n### 1. Include Rules\n\nRules for adding context when scanning. These rules will be sent to the SCANOSS API meaning they have more chance of being considered part of the resulting scan.\n\n\n\n    {\n        \"bom\": {\n            \"include\": [\n                {\n                    \"path\": \"/path/to/file\",\n                    \"purl\": \"pkg:npm/vue@2.6.12\",\n                    \"comment\": \"Optional comment\"\n                }\n            ]\n        }\n    }\n\n### 2. Remove Rules\n\nRules for removing files from results after scanning. These rules will be applied to the results file after scanning. The post processing happens on the client side.\n\n\n    {\n        \"bom\": {\n            \"remove\": [\n                {\n                    \"path\": \"/path/to/file\",\n                    \"purl\": \"pkg:npm/vue@2.6.12\",\n                    \"comment\": \"Optional comment\"\n                }\n            ]\n        }\n    }\n\n### 3. Replace Rules\n\nRules for replacing components after scanning. These rules will be applied to the results file after scanning. The post processing happens on the client side.\n\n    {\n        \"bom\": {\n            \"replace\": [\n                {\n                    \"path\": \"/path/to/file\",\n                    \"purl\": \"pkg:npm/vue@2.6.12\",\n                    \"replace_with\": \"pkg:npm/vue@2.6.14\",\n                    \"license\": \"MIT\",\n                    \"comment\": \"Optional comment\"\n                }\n            ]\n        }\n    }\n\n\n# Matching Rules\n\n\n1. **Full Match**: Requires both PATH and PURL to match. It means the rule will be applied ONLY to the specific file with the matching PURL and PATH.\n2. 
**Partial Match**: Matches based on either:\n   - PURL only (PATH is optional). It means the rule will be applied to all files with the matching PURL.\n \nExample Configuration\n---------------------\n\nHere's a complete example showing all sections:\n\n\n    {\n        \"bom\": {\n            \"include\": [\n                {\n                    \"path\": \"src/lib/component.js\",\n                    \"purl\": \"pkg:npm/lodash@4.17.21\",\n                    \"comment\": \"Include lodash dependency\"\n                }\n            ],\n            \"remove\": [\n                {\n                    \"purl\": \"pkg:npm/deprecated-pkg@1.0.0\",\n                    \"comment\": \"Remove deprecated package\" \n                }\n            ],\n            \"replace\": [\n                {\n                    \"path\": \"src/utils/helper.js\",\n                    \"purl\": \"pkg:npm/old-lib@1.0.0\",\n                    \"replace_with\": \"pkg:npm/new-lib@2.0.0\",\n                    \"license\": \"MIT\",\n                    \"comment\": \"Upgrade to newer version\"\n                }\n            ]\n        }\n    }\n\nUsage\n-----\n\nYou can add your 'scanoss.json' on the root of your project\n\n\n# Command Line Interface (CLI)\n\nSBOM Workbench includes a CLI for managing configuration without launching the graphical interface. This is useful for automation, scripting, and headless environments.\n\n## Getting Help\n\n```bash\n# Show all available commands\n./sbom-workbench-1.27.0-linux-x86_64-app.AppImage --help\n```\n\n## Platform Notes\n\n### Windows\n\nOn Windows, Electron applications run as GUI processes without a console attached by default. 
This means:\n\n- **Commands that modify configuration work correctly** (`config init`, `config api add`, `config api rm`, `config api default`)\n- **Commands that display output won't show results** (`--help`, `--version`, `config api list`) - there is no visible output in cmd.exe or PowerShell\n\n**Windows examples:**\n```cmd\n:: Initialize configuration\nsbom-workbench-1.27.0-win-x64-app.exe config init\n\n:: Add an API\nsbom-workbench-1.27.0-win-x64-app.exe config api add --url=https://api.scanoss.com --key=YOUR_API_KEY --default\n\n:: Remove an API by index\nsbom-workbench-1.27.0-win-x64-app.exe config api rm --index=1\n\n:: Set default API\nsbom-workbench-1.27.0-win-x64-app.exe config api default --index=0\n```\n\n\u003e **Tip:** To view your configured APIs on Windows, open `%USERPROFILE%\\.scanoss\\sbom-workbench-settings.json` in a text editor.\n\n### Linux / macOS\n\nOn Linux and macOS, CLI output displays normally in the terminal. Both parameter syntaxes work:\n\n```bash\n# Space syntax\n./sbom-workbench-1.27.0-linux-x86_64-app.AppImage config api add --url https://api.scanoss.com --key YOUR_API_KEY\n\n# Equals syntax (also works)\n./sbom-workbench-1.27.0-linux-x86_64-app.AppImage config api add --url=https://api.scanoss.com --key=YOUR_API_KEY\n```\n\n#### Ubuntu 24.04+\n\nOn Ubuntu 24.04 and newer, the AppImage sandbox may not work due to kernel restrictions. 
If you encounter sandbox errors, disable it by setting the environment variable:\n\n```bash\nexport ELECTRON_DISABLE_SANDBOX=1\n./sbom-workbench-1.27.0-linux-x86_64-app.AppImage config init\n```\n\n## Configuration Commands\n\n### Initialize Configuration\n\nCreates the default configuration file at `~/.scanoss/sbom-workbench-settings.json`:\n\n```bash\n./sbom-workbench-1.27.0-linux-x86_64-app.AppImage config init\n```\n\n\u003e **Note:** This command will fail if a configuration file already exists.\n\n### API Management\n\nThe CLI allows you to manage multiple API configurations for connecting to different SCANOSS servers.\n\n#### List Configured APIs\n\nDisplay all configured APIs with their indices:\n\n```bash\n./sbom-workbench-1.27.0-linux-x86_64-app.AppImage config api list\n```\n\n**Example output:**\n```\nConfigured APIs:\n[0] https://api.scanoss.com [key set] (default)\n[1] https://custom.scanoss-server.com\n```\n\n#### Add an API\n\nAdd a new API configuration:\n\n```bash\n# Add API with URL only (public SCANOSS API)\n./sbom-workbench-1.27.0-linux-x86_64-app.AppImage config api add --url https://api.scanoss.com\n\n# Add API with URL and API key\n./sbom-workbench-1.27.0-linux-x86_64-app.AppImage config api add --url https://api.scanoss.com --key YOUR_API_KEY\n\n# Add API and set it as the default\n./sbom-workbench-1.27.0-linux-x86_64-app.AppImage config api add --url https://custom.server.com --key YOUR_KEY --default\n```\n\n#### Remove an API\n\nRemove an API configuration by its index:\n\n```bash\n./sbom-workbench-1.27.0-linux-x86_64-app.AppImage config api rm --index 1\n```\n\n\u003e **Note:** If you remove the default API, the default will automatically be adjusted to the last available API.\n\n#### Set Default API\n\nChange which API is used by default:\n\n```bash\n./sbom-workbench-1.27.0-linux-x86_64-app.AppImage config api default --index 0\n```\n\n## [Collaborative Workspace](COLLAB_WORKSPACE.md)\n\nThe SBOM Workbench includes support for a 
collaborative workspace, a feature designed to enhance teamwork. View more details [here](COLLAB_WORKSPACE.md).\n\n\n## Code Viewer Keyboard Shortcuts\n\nThe code viewer supports the following keyboard shortcuts for zooming:\n\n| Action | macOS | Windows/Linux |\n|--------|-------|---------------|\n| Zoom In | `Cmd + +` | `Ctrl + +` |\n| Zoom Out | `Cmd + -` | `Ctrl + -` |\n| Reset Zoom | `Cmd + 0` | `Ctrl + 0` |\n\nYou can also zoom using `Ctrl/Cmd + Mouse Wheel`. Press `F1` to open the command palette and see all available commands.\n\n## Contributing\n\nSBOM Workbench is an open source project, and we love to receive contributions from our community. There are many ways to contribute. For more information see the [Contributing Guide](CONTRIBUTING.md) and [Code of Conduct](CODE_OF_CONDUCT.md).\n\n## Docs\n\nThis project was made using Electron React Boilerplate\n\nSee [docs and guides here](https://electron-react-boilerplate.js.org/docs/installation)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscanoss%2Fsbom-workbench","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fscanoss%2Fsbom-workbench","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscanoss%2Fsbom-workbench/lists"}