https://github.com/sktelecom/sbom-tools
BomLens — a local-first SBOM generator & open-source risk assessor (CycloneDX). Produce an SBOM, an open-source notice, and a security/license risk report from source code, containers, binaries, firmware, or an SBOM you received. CLI or web UI, no SaaS.
https://github.com/sktelecom/sbom-tools
cdxgen cyclonedx devsecops docker firmware-analysis license-compliance open-source-security sbom sbom-generator sca software-bill-of-materials supply-chain-security syft trivy vulnerability-scanning
Last synced: 14 days ago
JSON representation
BomLens — a local-first SBOM generator & open-source risk assessor (CycloneDX). Produce an SBOM, an open-source notice, and a security/license risk report from source code, containers, binaries, firmware, or an SBOM you received. CLI or web UI, no SaaS.
- Host: GitHub
- URL: https://github.com/sktelecom/sbom-tools
- Owner: sktelecom
- License: apache-2.0
- Created: 2026-02-14T07:24:44.000Z (5 months ago)
- Default Branch: main
- Last Pushed: 2026-07-01T22:53:53.000Z (15 days ago)
- Last Synced: 2026-07-01T23:11:09.629Z (15 days ago)
- Topics: cdxgen, cyclonedx, devsecops, docker, firmware-analysis, license-compliance, open-source-security, sbom, sbom-generator, sca, software-bill-of-materials, supply-chain-security, syft, trivy, vulnerability-scanning
- Language: Shell
- Homepage: https://sktelecom.github.io/sbom-tools/
- Size: 13.9 MB
- Stars: 6
- Watchers: 0
- Forks: 1
- Open Issues: 8
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.en.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.en.md
- Security: SECURITY.en.md
- Support: SUPPORT.md
- Notice: NOTICE
Awesome Lists containing this project
- awesome-MLSecOps - BomLens - first SBOM generator and risk assessor that builds CycloneDX ML-BOMs for HuggingFace models with G7 minimum-elements conformance checks, plus license and known-vulnerability reports | (Open Source Security Tools)
README
> **BomLens** is a local-first SBOM generator and open-source risk assessor. It produces a CycloneDX SBOM, an open-source notice, and a security/license risk report for a single project in seconds — from source code, containers, binaries, firmware, an SBOM you received, or a HuggingFace AI model. CLI or browser UI, no SaaS.
[](https://github.com/sktelecom/sbom-tools/releases)
[](https://github.com/sktelecom/sbom-tools/pkgs/container/bomlens)
[](LICENSE)
[](https://www.bestpractices.dev/projects/13059)
[](https://securityscorecards.dev/viewer/?uri=github.com/sktelecom/sbom-tools)
**Where to start:**
- **Using the tool** — generate an SBOM, an open-source notice, or a security report, or assess a binary or an SBOM you received. Start with [First scan](docs/start/first-scan.md) ([한국어](docs/start/first-scan.ko.md)). On Windows and prefer no command line? [Download BomLens for Windows (.exe)](https://github.com/sktelecom/sbom-tools/releases/latest/download/BomLens-Setup.exe) and double-click — the [no-CLI quick start](docs/start/no-cli.md) ([한국어](docs/start/no-cli.ko.md)) walks through it.
- **Contributing to the tool itself** — building the image, the pipeline internals, or adding a package manager? See [CONTRIBUTING](CONTRIBUTING.en.md) and the [architecture](docs/concepts/architecture.md).
A Docker engine is required either way; the free [Rancher Desktop](https://rancherdesktop.io/) works well on Windows.
One Docker image, two jobs:
- **Generate** — scan your source code (or a container image / binary) and produce a CycloneDX SBOM, an open-source notice, and a security report.
- **Assess open-source risk** — analyze what you *receive*, including a supplier's finished SBOM or a firmware binary, and produce an open-source risk report (licenses + known vulnerabilities, with Critical-7d / High-30d remediation deadlines).
Every scan also emits the risk report by default. Run it from a browser UI (or the desktop app), or from the CLI. Originally built by SK Telecom for supply-chain security, now open source.
Languages: Java, Python, Node.js, Ruby, PHP, Rust, Go, .NET, C/C++ (Conan/vcpkg, or `--identify-vendored` for sources with no package manager). Inputs: source folder, GitHub URL, ZIP archive, Docker image, binary/RootFS, existing SBOM, firmware, and a HuggingFace AI model (CycloneDX ML-BOM).

## Quick Start
Everything runs on a Docker engine (20.10+). On Windows, free [Rancher Desktop](https://rancherdesktop.io/) works well, or WSL2 + docker-ce (fully free); Docker Desktop also works, with licensing caveats for larger organizations. The desktop app and web UI manage the image for you — only the CLI asks you to pull it.
### Desktop app — no command line (recommended)
Download the installer and double-click it — [BomLens-Setup.exe](https://github.com/sktelecom/sbom-tools/releases/latest/download/BomLens-Setup.exe) for Windows or [BomLens-Setup.dmg](https://github.com/sktelecom/sbom-tools/releases/latest/download/BomLens-Setup.dmg) for macOS. It checks Docker, pulls the image, and opens the UI — no console window. The app is unsigned for now: on Windows, if SmartScreen warns, click **More info**, then **Run anyway**; on macOS, if it says the app is damaged, see [If macOS says the app is damaged](docs/start/no-cli.md#if-macos-says-the-app-is-damaged) to clear the quarantine flag. Build details are in [`electron/`](electron/README.md).

A common case is a source ZIP handed to you by a dev team. The [no-CLI quick start](docs/start/no-cli.md) ([한국어](docs/start/no-cli.ko.md)) walks a non-developer through it click by click.
### Web UI
Launch, scan, and download in the browser; live logs stream as it runs.
```bash
git clone https://github.com/sktelecom/sbom-tools.git && cd sbom-tools
./scripts/scan-sbom.sh --ui # opens http://localhost:8080; results save to the current folder
# Windows: double-click scripts\sbom-ui.bat
```
Enter a project name and version, pick a scan target (current folder, GitHub URL, ZIP, SBOM, firmware upload, or Docker image), click Run scan, then view or download the results.

### CLI (advanced)
```bash
docker pull ghcr.io/sktelecom/bomlens:latest # aliases: sbom-generator and sbom-scanner serve the same image
./scripts/scan-sbom.sh --project MyApp --version 1.0.0 --all --generate-only
```
On Windows, run the same command through `scripts\scan-sbom.bat` (Git for Windows required). Other inputs — GitHub URL, source archive, Docker image, firmware — and every option are in the [input-scenarios guide](docs/guides/by-input.md) and the [CLI reference](docs/reference/cli.md).
Outputs (`{Project}_{Version}_…`): `bom.json` (SBOM), `NOTICE.{txt,html}`, `risk-report.{md,html}` (default), and `security.{json,md,html}` (Trivy).
## Documentation
The full docs — getting started, task guides, reference, and concepts — are a navigable site at **[sktelecom.github.io/sbom-tools](https://sktelecom.github.io/sbom-tools/)** (search, sidebar, English/Korean). The same content lives under [docs/](docs/) in this repo. The site and the web UI are bilingual, English by default with Korean available.
A few entry points:
- [First scan](docs/start/first-scan.md) — install and your first SBOM (web UI + CLI)
- [No-CLI quick start](docs/start/no-cli.md) ([한국어](docs/start/no-cli.ko.md)) — desktop app or `.bat`, for non-developers
- [CLI reference](docs/reference/cli.md) — every option and environment variable
- [Input scenarios](docs/guides/by-input.md) — GitHub URL, ZIP, local source, existing SBOM, firmware
- [Architecture](docs/concepts/architecture.md) — the two-stage pipeline; maintainer design notes live under [docs/internal/](docs/internal/) (Korean)
## Contributing & License
Issues and PRs welcome — see [CONTRIBUTING.md](CONTRIBUTING.en.md) ([한국어](CONTRIBUTING.md)) and [GitHub Issues](https://github.com/sktelecom/sbom-tools/issues).
Apache License 2.0 · © 2026 SK Telecom Co., Ltd. Bundled third-party tools keep their own licenses — see [NOTICE](NOTICE) and [THIRD_PARTY_LICENSES.md](THIRD_PARTY_LICENSES.md).