awesome-sbom
A curated list of SBOM (Software Bill Of Materials) related tools, frameworks, blogs, podcasts, and articles
https://github.com/awesomeSBOM/awesome-sbom
Last synced: about 23 hours ago
JSON representation
-
Official projects
-
Tools (and [classification](https://ntia.gov/sites/default/files/publications/ntia_sbom_tooling_taxonomy-2021mar30_0.pdf))
-
Articles and Blogs
- Wikipedia - Official Wikipedia Page
- NTIA - Official National Telecommunications and Information Administration Page
- What is an SBOM? - The Linux Foundation Article
-
Repositories
- Cosign SBOM Spec
- Snyk provider
- Interlynk SBOM Find and Pull
- CycloneDX Specification
- CycloneDX BOM Examples
- dlorenc/sbom-oci
- CycloneDX/cyclonedx-maven-plugin
- Interlynk SBOM Grep
- Snyk SBOM Checker
- tern-tools/tern
- microsoft/sbom-tool
- SwiftBOM - generate SBOMs
- API - cli)
- anchore/syft
- Interlynk SBOM Quality Score
- Aqua Trivy
- Google osv-scanner
- Interlynk SBOM Assembler
-
-
Articles and Blogs
-
Security Tools
- Nisha Kumar and Allan Friedman - RSAC DevOps connect keynote
- Rose Judge on using Tern to generate a SBoM for containers
- The world needs a software bill of materials
- Easily and Quickly Build an Accurate Open Source Inventory
- Create a Cybersecurity Bill of Materials
- What is an SBOM, and why should you Care??
- Are you ready with your SBOM ? Think again !
- Creating a Software Supply Chain Landscape
- Analysis of a spdx-sbom-generator generated SBOM
- Creating an SBOM for a golang app using spdx-sbom-generator
- Analysis of a cyclonedx-gomod generated SBOM
- Creating an SBOM for a golang app using cyclonedx-gomod
- What an SBOM Can Do for You
- How to create SBOMs in Java with Maven and Gradle - Snyk blog
- Comparing SBOM Standards: SPDX vs. CycloneDX
- Top 10 Things You Should Know About Using SBOM to Secure Industrial IoT Devices - Red Alert Labs
- Are SBOMs Any Good? Preliminary Measurement of the Quality of Open Source Project SBOMs
- Software Dark Matter is the Enemy of Software Transparency
- The Minimum Elements For a Software Bill of Materials (SBOM)
- What Makes a Good SBOM?
- The Linux Foundation’s Software Bill of Materials (SBOM) and Cybersecurity Readiness Report
- When will SBOMs finally benefit the federal government’s software supply chain?
- Are SBOMs good enough for government work?
- Not All SBOMs Are Created Equal
- Software Bill of Materials Required by 2021 Cyber Security Executive Order
- BOM 101 – All the questions you were afraid to ask Software Bill of Materials
- What is a software bill of materials?
- What is an SBOM, and why should you Care??
- Software Bill of Materials Required by 2021 Cyber Security Executive Order
-
-
CycloneDX
-
SPDX
-
Videos
-
Security Tools
- Mentorship Session: Generating Software Bill Of Materials
- Software Bill of Materials: How to generate an SBOM from container images using Syft
- SwiftBOM - generate SBOMs for PoC efforts and demos
- Kubernetes Atlanta Meetup - Nov 2021 - SBOMs Container Signing and Verification, Intro to Gatekeeper
- FOSDEM 2023 - The 7 key ingredients of a great SBOM
- Kubernetes Atlanta Meetup - Nov 2021 - SBOMs Container Signing and Verification, Intro to Gatekeeper
- SwiftBOM - generate SBOMs for PoC efforts and demos
-
-
Slides
-
Security Tools
-
-
Podcasts
-
Security Tools
-
-
Benchmarks
-
Security Tools
-
-
Community Repositories
-
Repositories
-
Security Tools
- sbom-scorecard - Generate a score for your sbom to understand if it will actually be useful.
- parlay - Enrich SBOMs with data from third party services
- bomber - bomber is an application that scans SBoMs for security vulnerabilities.
- NTIA Conformance Checker - Check SPDX SBOM for NTIA minimum elements
-
Categories
Sub Categories
Keywords
sbom
17
cyclonedx
13
spdx
13
golang
7
sbom-tool
6
go
6
bom
5
owasp
5
saasbom
5
software-bill-of-materials
5
sbom-generator
5
devsecops
4
docker
4
containers
4
vex
4
security-tools
4
mbom
4
bill-of-materials
4
package-url
4
sbom-examples
3
obom
3
supply-chain
3
gomodule
3
purl
3
security
3
supply-chain-security
3
devsecops-pipeline
2
oss-compliance
2
kubernetes
2
supplychain
2
license
2
package-manager
2
dependencies
2
compliance
2
sbom-samples
2
specification
2
sca
2
oci
2
vulnerability-scanners
2
cbom
2
tool
2
oss
2
software
1
machine-learning
1
cpe
1
standard
1
ospo
1
open-source-licensing
1
license-management
1
dora
1