{"id":44598553,"url":"https://github.com/sktelecom/sbom-tools","last_synced_at":"2026-07-03T06:01:15.029Z","repository":{"id":338390504,"uuid":"1157720466","full_name":"sktelecom/sbom-tools","owner":"sktelecom","description":"BomLens — a local-first SBOM generator \u0026 open-source risk assessor (CycloneDX). Produce an SBOM, an open-source notice, and a security/license risk report from source code, containers, binaries, firmware, or an SBOM you received. CLI or web UI, no SaaS.","archived":false,"fork":false,"pushed_at":"2026-07-01T22:53:53.000Z","size":14583,"stargazers_count":6,"open_issues_count":8,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-07-01T23:11:09.629Z","etag":null,"topics":["cdxgen","cyclonedx","devsecops","docker","firmware-analysis","license-compliance","open-source-security","sbom","sbom-generator","sca","software-bill-of-materials","supply-chain-security","syft","trivy","vulnerability-scanning"],"latest_commit_sha":null,"homepage":"https://sktelecom.github.io/sbom-tools/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sktelecom.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.en.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.en.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.en.md","support":"SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-14T07:24:44.000Z","updated_at":"2026-07-01T22:53:29.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/sktelecom/sbom-tools","commit_stats":null,"previous_names":["sktelecom/sbom-tools"],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/sktelecom/sbom-tools","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sktelecom%2Fsbom-tools","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sktelecom%2Fsbom-tools/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sktelecom%2Fsbom-tools/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sktelecom%2Fsbom-tools/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sktelecom","download_url":"https://codeload.github.com/sktelecom/sbom-tools/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sktelecom%2Fsbom-tools/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35074237,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-03T02:00:05.635Z","response_time":110,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cdxgen","cyclonedx","devsecops","docker","firmware-analysis","license-compliance","open-source-security","sbom","sbom-generator","sca","software-bill-of-materials","supply-chain-security","syft","trivy","vulnerability-scanning"],"created_at":"2026-02-14T09:09:16.229Z","updated_at":"2026-07-03T06:01:15.023Z","avatar_url":"https://github.com/sktelecom.png","language":"Shell","funding_links":[],"categories":["Open Source Security Tools","Ruby"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/images/logo.svg\" alt=\"BomLens — an SBOM generator\" width=\"300\" /\u003e\n\u003c/p\u003e\n\n\u003e **BomLens** is a local-first SBOM generator and open-source risk assessor. It produces a CycloneDX SBOM, an open-source notice, and a security/license risk report for a single project in seconds — from source code, containers, binaries, firmware, an SBOM you received, or a HuggingFace AI model. CLI or browser UI, no SaaS.\n\n[![GitHub release](https://img.shields.io/github/v/release/sktelecom/sbom-tools?style=flat-square)](https://github.com/sktelecom/sbom-tools/releases)\n[![Container image](https://img.shields.io/badge/ghcr.io-bomlens-2496ED?style=flat-square\u0026logo=docker\u0026logoColor=white)](https://github.com/sktelecom/sbom-tools/pkgs/container/bomlens)\n[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg?style=flat-square)](LICENSE)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/13059/badge)](https://www.bestpractices.dev/projects/13059)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/sktelecom/sbom-tools/badge)](https://securityscorecards.dev/viewer/?uri=github.com/sktelecom/sbom-tools)\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/images/web-ui-demo.gif\" alt=\"BomLens web UI showing a scan result: the Overview with counts and a severity/license summary, the Components table with filters, the Vulnerabilities list, the Dependencies as a graph and tree, and the Licenses section\" width=\"860\" /\u003e\n\u003c/p\u003e\n\n**Where to start:**\n\n- **Using the tool** — generate an SBOM, an open-source notice, or a security report, or assess a binary or an SBOM you received. Start with [First scan](docs/start/first-scan.md) ([한국어](docs/start/first-scan.ko.md)). On Windows and prefer no command line? [Download BomLens for Windows (.exe)](https://github.com/sktelecom/sbom-tools/releases/latest/download/BomLens-Setup.exe) and double-click — the [no-CLI quick start](docs/start/no-cli.md) ([한국어](docs/start/no-cli.ko.md)) walks through it.\n- **Contributing to the tool itself** — building the image, the pipeline internals, or adding a package manager? See [CONTRIBUTING](CONTRIBUTING.en.md) and the [architecture](docs/concepts/architecture.md).\n\nA Docker engine is required either way; the free [Rancher Desktop](https://rancherdesktop.io/) works well on Windows.\n\nOne Docker image, two jobs:\n\n- **Generate** — scan your source code (or a container image / binary) and produce a CycloneDX SBOM, an open-source notice, and a security report.\n- **Assess open-source risk** — analyze what you *receive*, including a supplier's finished SBOM or a firmware binary, and produce an open-source risk report (licenses + known vulnerabilities, with Critical-7d / High-30d remediation deadlines).\n\nEvery scan also emits the risk report by default. Run it from a browser UI (or the desktop app), or from the CLI. Originally built by SK Telecom for supply-chain security, now open source.\n\nLanguages: Java, Python, Node.js, Ruby, PHP, Rust, Go, .NET, C/C++ (Conan/vcpkg, or `--identify-vendored` for sources with no package manager). Inputs: source folder, GitHub URL, ZIP archive, Docker image, binary/RootFS, existing SBOM, firmware, and a HuggingFace AI model (CycloneDX ML-BOM).\n\n![BomLens web UI — name a project, pick a scan target, and choose what to generate (SBOM, open-source notice, security report)](docs/images/web-ui-en.png)\n\n## Quick Start\n\nEverything runs on a Docker engine (20.10+). On Windows, free [Rancher Desktop](https://rancherdesktop.io/) works well, or WSL2 + docker-ce (fully free); Docker Desktop also works, with licensing caveats for larger organizations. The desktop app and web UI manage the image for you — only the CLI asks you to pull it.\n\n### Desktop app — no command line (recommended)\n\nDownload the installer and double-click it — [BomLens-Setup.exe](https://github.com/sktelecom/sbom-tools/releases/latest/download/BomLens-Setup.exe) for Windows or [BomLens-Setup.dmg](https://github.com/sktelecom/sbom-tools/releases/latest/download/BomLens-Setup.dmg) for macOS. It checks Docker, pulls the image, and opens the UI — no console window. The app is unsigned for now: on Windows, if SmartScreen warns, click **More info**, then **Run anyway**; on macOS, if it says the app is damaged, see [If macOS says the app is damaged](docs/start/no-cli.md#if-macos-says-the-app-is-damaged) to clear the quarantine flag. Build details are in [`electron/`](electron/README.md).\n\n![BomLens desktop app — the startup screen shows Docker checks, image download progress, and container startup](docs/images/desktop-startup-en.png)\n\nA common case is a source ZIP handed to you by a dev team. The [no-CLI quick start](docs/start/no-cli.md) ([한국어](docs/start/no-cli.ko.md)) walks a non-developer through it click by click.\n\n### Web UI\n\nLaunch, scan, and download in the browser; live logs stream as it runs.\n\n```bash\ngit clone https://github.com/sktelecom/sbom-tools.git \u0026\u0026 cd sbom-tools\n./scripts/scan-sbom.sh --ui     # opens http://localhost:8080; results save to the current folder\n#   Windows: double-click scripts\\sbom-ui.bat\n```\n\nEnter a project name and version, pick a scan target (current folder, GitHub URL, ZIP, SBOM, firmware upload, or Docker image), click Run scan, then view or download the results.\n\n![BomLens web UI — reviewing a finished scan: needs-attention, component and vulnerability counts, the severity distribution and the license summary](docs/images/web-ui-scan-en.png)\n\n### CLI (advanced)\n\n```bash\ndocker pull ghcr.io/sktelecom/bomlens:latest   # aliases: sbom-generator and sbom-scanner serve the same image\n./scripts/scan-sbom.sh --project MyApp --version 1.0.0 --all --generate-only\n```\n\nOn Windows, run the same command through `scripts\\scan-sbom.bat` (Git for Windows required). Other inputs — GitHub URL, source archive, Docker image, firmware — and every option are in the [input-scenarios guide](docs/guides/by-input.md) and the [CLI reference](docs/reference/cli.md).\n\nOutputs (`{Project}_{Version}_…`): `bom.json` (SBOM), `NOTICE.{txt,html}`, `risk-report.{md,html}` (default), and `security.{json,md,html}` (Trivy).\n\n## Documentation\n\nThe full docs — getting started, task guides, reference, and concepts — are a navigable site at **[sktelecom.github.io/sbom-tools](https://sktelecom.github.io/sbom-tools/)** (search, sidebar, English/Korean). The same content lives under [docs/](docs/) in this repo. The site and the web UI are bilingual, English by default with Korean available.\n\nA few entry points:\n\n- [First scan](docs/start/first-scan.md) — install and your first SBOM (web UI + CLI)\n- [No-CLI quick start](docs/start/no-cli.md) ([한국어](docs/start/no-cli.ko.md)) — desktop app or `.bat`, for non-developers\n- [CLI reference](docs/reference/cli.md) — every option and environment variable\n- [Input scenarios](docs/guides/by-input.md) — GitHub URL, ZIP, local source, existing SBOM, firmware\n- [Architecture](docs/concepts/architecture.md) — the two-stage pipeline; maintainer design notes live under [docs/internal/](docs/internal/) (Korean)\n\n## Contributing \u0026 License\n\nIssues and PRs welcome — see [CONTRIBUTING.md](CONTRIBUTING.en.md) ([한국어](CONTRIBUTING.md)) and [GitHub Issues](https://github.com/sktelecom/sbom-tools/issues).\n\nApache License 2.0 · © 2026 SK Telecom Co., Ltd. Bundled third-party tools keep their own licenses — see [NOTICE](NOTICE) and [THIRD_PARTY_LICENSES.md](THIRD_PARTY_LICENSES.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsktelecom%2Fsbom-tools","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsktelecom%2Fsbom-tools","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsktelecom%2Fsbom-tools/lists"}