Web SCA service that analyzes CycloneDX or SPDX SBOMs (or lockfiles) to flag open-source vulnerabilities and license issues, sending real-time alerts without requiring code access or signup.
GitHub Action that builds a CycloneDX SBOM for Node.js, Python, Go, Ruby, Java, .NET and PHP projects, converts it to v1.2 when necessary, and uploads it to an OWASP Dependency-Track server for automatic vulnerability analysis.
Generate AI SBOM (AIBOM, AI/ML-BOM) in CycloneDX format for models on Hugging Face.
Amazon Inspector SBOM Generator (inspector-sbomgen) outputs CycloneDX 1.4 or SPDX 2.3 SBOMs for archives, container images, directories, local systems, and Go/Rust binaries, providing metadata for vulnerability scans with the Inspector ScanSBOM API.
Application Security Posture Management (ASPM) platform that proactively identifies and remediates critical risks in cloud-native applications across the software supply chain.
Build OCI images using APK directly without Dockerfile. Generates CycloneDX SBOMs for containers using native SBOM functionality in apk-tools v3.0 and higher.
Python tool that builds a Software Bill of Materials (SBOM) from APT and Python package information on Ubuntu systems, with CLI and HTTP interfaces.
SaaS platform that automates software supply-chain security; offers free, always-up-to-date SBOM generation in CycloneDX format plus risk analysis and CI/CD integrations.
Free online toolset that builds AI-powered SBOMs and SaaSBOMs for COTS, OSS, code repos and container images, then analyzes vulnerabilities, licenses and outdated components to surface software-supply-chain risk.
asdf plugin that installs and manages CycloneDX CLI versions, enabling SBOM tooling in any asdf-managed environment.
Athena is a SaaS solution for medical device makers that overlays the product development lifecycle to address risks before devices go to market.
Audits JavaScript projects to identify known vulnerabilities and outdated package versions using the OSS Index v3 REST API.
Beniva SBOM allows you to consume CycloneDX SBOM and Vulnerability Exploitability eXchange (VEX) documents within the ServiceNow platform, which increases visibility of vulnerabilities and reduces time to remediate.
Integrate this Bitbucket Pipe into your CI/CD pipeline to automatically generate a Software Bill of Materials (SBOM) for any project.
Black Duck is Synopsys’ SCA platform that generates CycloneDX/SPDX SBOMs, detects open-source vulnerabilities, and automates license and policy compliance across applications, containers and CI/CD pipelines.
Software composition analysis (SCA) and security testing solution that detects and lists open-source software and licenses in embedded systems and their cybersecurity vulnerabilities and exposures.
A command line tool to manage SBOM and VEX like source code and to distribute SBOMs to notaries.
A lightweight repository server used to publish, manage, and distribute CycloneDX SBOMs.
CLI scanner that analyses CycloneDX, SPDX or Syft SBOMs for security vulnerabilities and licence issues using OSV, Sonatype OSS Index, GitHub Advisory or Snyk providers.
CLI and Nix library that generates CycloneDX v1.5 SBOMs for Nix packages, including build-time and vendored dependencies, compliant with BSI TR-03183 and US EO 14028.
A server application for managing and distributing SBOMs and CSAF documents. Integrates with tools for vulnerability scanning.
BOMSkope is a Software Bill of Materials manager designed to streamline the tracking of vendor components. It enables the identification and monitoring of vulnerabilities in vendor software, enhancing visibility into your overall security posture.
Open-source Go library and CLI that captures build metadata and outputs CycloneDX SBOMs for Java, Node.js, .NET, Go, Python and more.
Bytesafe is a dependency firewall and SCA platform that blocks malicious packages, scans for vulnerabilities, enforces license policies, and generates CycloneDX SBOMs to secure the software supply chain.
CaPyCli is an MIT-licensed Python CLI that generates, compares, merges and converts CycloneDX SBOMs for several language ecosystems and maps them to a SW360 component database.
CAST Highlight automatically analyzes source code portfolios for open-source risks, cloud readiness, resiliency, green impact and technical debt, and can import CycloneDX SBOMs for instant SCA insights.
CAST SBOM Manager automates creation, customization and maintenance of SBOMs, adds vulnerability and license insights, and exports them in CycloneDX, Excel and Word with a free tier up to 25 SBOMs.
A Web Service to visualize and explore the use of cryptography in software with Cryptography Bills of Materials (CBOM).
CBOMkit is a toolset for generating, viewing, checking, and storing Cryptography Bills of Materials (CBOM).
A tool that detects cryptographic assets in container images and directories, generating CBOMs.
CLI utility that downloads public CycloneDX SBOMs from Maven Central for selected artifacts.
Enriches a CycloneDX Software Bills of Material (SBOM) with predefined data.
GTK-style Python GUI that compares two CycloneDX JSON SBOMs, highlighting components unique to each file and those present in both.
Universal polyglot CLI, library and server that generates CycloneDX SBOMs—including SaaSBOM, OBOM and CBOM variants—for source code, container images and cloud resources.
Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, QA reports, and more.
Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew. Can output to CycloneDX.
Dependency vulnerability auditor for Ruby.
CAS is an open source attestation service for the community. Notarize and authorize files, directories, git repos and build SBOMs of containers.
A GitHub Action which authenticates notarized Docker images and SBOMs.
A GitHub Action which notarizes and creates an SBOM for Docker images.
Protects an organization's software development pipeline from supply chain attacks. Codenotary natively supports CycloneDX SBOMs.
Software Composition Analysis (SCA) platform that leverages binary analysis to identify components and inherited risk, and communicates inventory through CycloneDX SBOMs.
Scans third-party OSS components in NPM, NuGet, Maven, Python and Debian projects, generates CycloneDX SBOMs, then uploads them to SW360 and Fossology for automated license clearing.
Automatically generates component inventory from runtime analysis (IAST or RASP) and generates CycloneDX SBOMs.
Container signing, verification and storage in an OCI registry, including CycloneDX SBOMs.
Command-line tool that creates SBOMs from .NET and NPM projects or existing CycloneDX BOMs, outputting CycloneDX or SPDX formats.
Detect and mitigate vulnerabilities in embedded systems. Generate SBOMs, cross-reference public databases, integrate with CI pipelines, and use filtering/annotations for streamlined security maintenance.
Command-line scanner that identifies vulnerable components in binaries, accepts/generates SBOMs, and reports CVEs. Supports 400+ checkers for open source libraries with CycloneDX output.
Software Composition Analysis (SCA) platform that identifies vulnerabilities, malicious code, and license risks in open-source libraries with exploitable path analysis and SBOM generation capabilities.
Enterprise solution to manage SBOMs at scale and proactively discover and reduce risk across the entire software supply chain, from development through deployment.
Analyzes binary artifacts to generate SBOMs, including context-based analysis to perform accurate vulnerability assessment.
Cyberwatch Vulnerability Manager allows you to discover assets, scan and prioritize vulnerabilities, and fix them.
GitHub Action to create a CycloneDX Software Bill-of-Materials (SBOM) for .NET projects, supporting multiple project formats and recursive analysis.
CLI tool for SBOM analysis, merging, diffs, format conversions, signing, and validation. Supports CycloneDX XML/JSON/Protobuf/CSV, SPDX JSON, and more.
Java library for creating, parsing, and validating CycloneDX SBOMs.
Generates CycloneDX Software Bill of Materials (SBOM) from .NET projects.
Creates CycloneDX Software Bill of Materials (SBOM) from JavaScript projects that manage dependencies with Bower.
Creates CycloneDX SBOMs for Objective-C and Swift projects that use CocoaPods.
Creates CycloneDX Software Bill of Materials (SBOM) for C/C++ projects using Conan 1 (note: considered deprecated).
Creates CycloneDX Software Bill of Materials (SBOM) for C/C++ projects using Conan 2.
Mix task that generates CycloneDX SBOMs for Erlang/Elixir projects, exporting XML or JSON and supporting multiple CycloneDX schema versions.
Rebar3 plug-in that generates CycloneDX SBOMs for Erlang/Elixir projects, exporting XML or JSON and supporting CycloneDX v1.4.
Command-line utility and Go library that generates CycloneDX SBOMs from Go module projects for supply-chain transparency.
Command-line utility and Go library that generates CycloneDX SBOMs from Go modules, binaries and applications.
Gradle plugin that generates CycloneDX SBOMs (XML or JSON) for all dependencies in Java-based builds.
Apache Maven plugin that automatically generates CycloneDX SBOMs (JSON or XML) for Java projects and can attach vulnerability disclosure information.
This is a so-called meta-package: it ships no functionality of its own, but is a collection of optional dependencies with one purpose in common: generating CycloneDX Software-Bill-of-Materials (SBOM) from Node-based projects.
Create CycloneDX Software Bill of Materials (SBOM) from npm projects.
Create CycloneDX Software Bill of Materials (SBOM) from PHP Composer projects.
Generates CycloneDX SBOMs from Python (virtual) environments, requirement files, and manifests (Poetry, Pipenv, etc.).
Command-line utility and Ruby library that generates CycloneDX SBOMs for Ruby projects by analysing Gem dependencies.
Cargo sub-command and CLI library that generates CycloneDX SBOMs for Rust projects, aggregating all crate dependencies and outputting JSON or XML.
SBT plugin that generates CycloneDX SBOMs (JSON or XML) for Scala/Java builds, supporting schema v1.6 and integrating smoothly with Dependency-Track.
Webpack plugin that generates CycloneDX Software Bill of Materials (SBOM) for JavaScript/TypeScript bundles during the build process.
Create CycloneDX Software Bill of Materials (SBOM) from yarn projects.
GitHub action which generates CycloneDX SBOMs from Go modules, providing integration into CI/CD workflows for Go projects.
Core functionality of CycloneDX for JavaScript (Node.js or Web Browser) written in TypeScript.
.NET libraries to consume and produce CycloneDX Software Bill of Materials (SBOM).
Go library that can parse, create and serialize CycloneDX Software Bill of Materials (SBOM) in JSON or XML.
GitHub Action to create a CycloneDX Software Bill-of-Materials (SBOM) for Node.js projects containing an aggregate of all project dependencies. (note: considered deprecated)
Perl library for generating CycloneDX SBOMs.
GitHub Action to create a CycloneDX Software Bill-of-Materials (SBOM) for PHP Composer projects (note: considered deprecated)
PHP library that supplies data-models, serializers, validators and utilities for creating, parsing and validating CycloneDX BOM documents in JSON and XML formats.
GitHub Action to create a CycloneDX Software Bill-of-Materials (SBOM) for Python projects from requirements files (note: considered deprecated)
This Python package provides data models, validators and more, to help you create/render/read CycloneDX documents.
Simple Rust library to encode and decode CycloneDX BOMs.
Web-based tool for validating, viewing, and converting CycloneDX SBOMs. Supports XML/JSON, and conversion between CycloneDX and SPDX formats.
Extensible Stylesheet Language Transformations (XSLT) to translate CycloneDX dependency graph to mermaid chart.
Python application that generates CycloneDX Software Bill of Materials (SBOM) for Buildroot-generated projects and other projects with CSV manifest files.
Command-line utility to create, merge, edit and validate CycloneDX SBOMs and VEX files for automated CI/CD workflows.
Enrich CycloneDX SBOM files by applying enrichers to improve data quality, including licenses, hashes, properties, and references.
Tool to merge CycloneDX files (JSON/XML) with support for normal, flat, and smart merge modes.
Bitbucket Pipe that packages cdxgen in a Docker image to generate CycloneDX v1.6 SBOMs for Node.js/npm projects in CI pipelines.
Vulnerability-scanning application that ingests CycloneDX or SPDX SBOM files, analyses listed dependencies for known CVEs, and presents results through a web dashboard.
Debricked lets teams automatically find, fix and prevent open-source vulnerabilities, avoid non-compliant licences and pick healthier dependencies, with CycloneDX SBOM import/export, CLI and SaaS dashboards.
Open source vulnerability management and automation platform that can import CycloneDX SBOMs and over 190 security tool reports for centralized vulnerability tracking and analysis.
An intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain by leveraging SBOMs.
Jenkins plugin that publishes CycloneDX Software Bill-of-Materials (SBOM) to the Dependency-Track platform for vulnerability analysis and policy evaluation.
Maven plugin that integrates with a Dependency-Track server to submit SBOMs and optionally fail execution when vulnerable dependencies are found.
A command line tool which creates CycloneDX and SPDX SBOMs for an installed application or distribution (Debian, RPM, Windows and FreeBSD systems supported).
Docker CLI plugin that generates Software Bills of Materials (SBOMs) for container images using Syft as the underlying scanner, with CycloneDX output support.
Command-line client for OWASP Dependency-Track that publishes SBOMs and displays vulnerability information from the command line, designed for CI/CD integration.
Python CLI tool to upload CycloneDX SBOMs to Dependency-Track, analyze vulnerabilities, enforce policy, and fail CI builds based on thresholds.
Archived tool that scanned project artifacts, downloaded sources for dependencies, validated licenses, and generated license compliance documentation.
EMBA is an open-source firmware security analyzer that extracts firmware, performs static and dynamic analysis, builds CycloneDX SBOMs with VEX data, and generates detailed vulnerability reports.
Cloud-native platform that auto-creates CycloneDX SBOMs, generates VEX, and analyzes reachability so teams can securely select, integrate and maintain open-source software at scale.
Application Security Posture Management (ASPM) platform that inventories software assets, tracks AppSec tools and processes, and outputs CycloneDX and SPDX SBOMs with optional VEX ingest.
EXPLIoT is an AGPLv3 Python framework and CLI for assessing and exploiting IoT devices; it offers 140+ plug-ins and can generate CycloneDX SBOMs from firmware filesystems.
The aDolus FACT platform is an advanced aggregation, analytics, and correlation engine that generates NTIA-compliant SBOMs (including CycloneDX) and provides continuous cybersecurity risk intelligence across the software supply chain.
Flawnter is a zero-trust static, dynamic and composition analysis platform that detects code flaws, vulnerabilities and license risks, and generates CycloneDX/SPDX SBOMs during every scan.
SaaS application-security testing platform offering SAST, DAST and SCA. Produces and consumes CycloneDX SBOMs to secure the software supply chain across many languages, frameworks and package managers.
Open-source CycloneDX parser plugin for Fortify SSC that imports SBOMs, correlates components with known vulnerabilities and licenses, and displays them in the SSC portal.
Comprehensive cyber supply chain risk management platform that ingests, analyzes and securely shares SBOMs, HBOMs and other supply chain attestations via SaaS and permissioned blockchain.
A proprietary software analysis tool that validates patches and ensures software file integrity to enhance software supply chain security in critical infrastructure environments.
Subscription SCA platform and CLI that generate, import, analyse, and distribute CycloneDX or SPDX SBOMs for licence and vulnerability risk management across CI/CD pipelines.
Dependency scanning analyzer that uses the GitLab Advisory Database to detect vulnerabilities in project dependencies and generates CycloneDX SBOMs.
GitHub Action to generate CycloneDX Software Bill-of-Materials (SBOM) for Erlang/Elixir Mix projects.
CLI extension for the gh tool that generates CycloneDX or SPDX JSON SBOMs for any GitHub repository using Dependency Graph data.
Common utility packages for working with OSS Index, Nexus IQ Server and CycloneDX SBOMs, or for getting a user-agent.
An extensible CycloneDX BOM generator and Dependency-Track API client written in Go; supports Go, npm, CocoaPods and Gradle projects and uploads SBOMs for analysis.
A vulnerability scanner for container images and filesystems. Works with Syft SBOMs and supports CycloneDX, SPDX, and OpenVEX.
Automatically extract or manually upload your Software Bill of Materials (SBOM), and Heimdall will, on a continual basis, identify known vulnerabilities affecting your software components.
Risk management platform that enables analysis, exchange and continuous monitoring of Software Bills of Materials (SBOMs) to actively manage third-party risk and compliance.
ittosai is a CycloneDX SBOM vulnerability analyzer that analyzes SBOMs every time a developer commits code to a repository.
An OSS Index integration to check your Conda environments for vulnerable Open Source packages
jbom generates runtime and static CycloneDX SBOMs for local or remote Java applications and archives.
Network discovery and IT inventory tool that can discover CycloneDX SBOMs on enterprise assets and ingest component inventory into the platform.
Manages machine identities across Cloud Native Kubernetes and OpenShift environments, providing a detailed view of enterprise security posture for TLS certificates and PKI.
Easily identify, map, analyze, and secure cyber assets and attack surface. Gain full visibility into complex cloud environments to uncover threats, close compliance gaps, and prioritize risk.
kbom is an open-source CLI tool from KSOC, written in Go, that generates detailed CycloneDX SBOMs for Kubernetes clusters, including nodes, control plane, OS, and cloud infrastructure details.
Automated firmware analysis platform that generates SBOMs and identifies vulnerabilities, misconfigurations, hardcoded credentials, weak cryptography, and potential zero-day vulnerabilities in IoT devices.
KICS scans Infrastructure-as-Code to detect security vulnerabilities, compliance issues and misconfigurations, exporting results as CycloneDX SBOM and VDR reports.
Simple, fast container image builder for Go applications that generates CycloneDX SBOMs by default, supports multi-platform builds, and integrates seamlessly with Kubernetes.
Application Security Orchestration and Correlation platform that generates and consumes CycloneDX or SPDX SBOMs, correlates vulnerability scanner findings, and automates remediation workflows across CI/CD pipelines.
Open-source platform (CLI, UI & Helm chart) that generates SBOMs, converts them between CycloneDX/SPDX formats, and scans container images, directories and running Kubernetes clusters for vulnerabilities, licences and CIS Docker benchmark findings.
Kyverno is an open-source Kubernetes policy engine that validates, mutates and generates configurations, and can evaluate CycloneDX SBOM attestations to enforce supply-chain policies.
Component that processes CycloneDX SBOMs and container image metadata for Lagoon environments, with vulnerability analysis via Trivy integration and customizable data filtering.
Python library that parses, converts and generates SBOMs in CycloneDX and SPDX formats, allowing JSON, Tag, YAML and XML serialization and programmatic manipulation of packages, files and dependencies.
license-scanner is an Apache-2.0 Go library and CLI that detects SPDX-style licenses and legal terms in source files and outputs CycloneDX v1.4 SBOMs with detailed license data.
Creates license manifests from CycloneDX SBOMs. Provides a Jenkins build step and CLI to list third-party components, their licenses, and download license texts to aid open-source compliance.
Macaron is a supply chain security analysis tool and policy engine that checks conformance to frameworks such as SLSA, integrating CycloneDX SBOM generators or consuming existing SBOMs for automated analysis of build integrity and dependencies.
Manifest is a subscription SBOM management platform that auto-generates, aggregates, enriches, analyzes, and securely shares CycloneDX or SPDX SBOMs via web app and GitHub Action integration.
A simple command line tool to transform CycloneDX SBOMs to Markdown.
Consumes SBOMs to help hospitals manage medical device assets, providing vulnerability and resource analysis for compliance and risk management.
Mend SCA provides software composition analysis that scans direct and transitive open-source dependencies, enforces security and license policies, and exports CycloneDX or SPDX SBOMs with optional VEX data.
Export an SBOM of all packages installed on a Linux, macOS or Windows system.
meta-dependencytrack is a Yocto meta-layer which produces a CycloneDX Software Bill of Materials (SBOM) from your root filesystem and then uploads it to a Dependency-Track server against the project of your choice.
Software composition analysis that inventories codebases and produces CycloneDX SBOMs while detecting security and licence risks across 12+ ecosystems.
A command line tool which produces a human-readable representation of a CycloneDX ML Bill of Materials (MLBOM). Output formats include PDF and Markdown.
A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index
Neo4Cyclone is a tool that allows you to visualise your SBOMs using Neo4J.
Firmware analysis platform that creates SBOMs by analyzing binary artifacts, configuration files, credentials and cryptographic artifacts for holistic risk identification.
Software Composition Analysis (SCA) platform that can consume, analyze, and produce CycloneDX SBOMs.
Publishes CycloneDX SBOMs to Nexus IQ for per-build analysis, result visualization, and policy evaluation.
Create and update SBOMs for the Nim programming language. Includes a translation module for the Nimble package manager as well as a Nix expression for building packages from SBOMs.
AI Application Security Platform for the entire AI lifecycle, focusing on AI asset discovery, ML-BOM, and AI supply chain risk management.
Mobile application security testing solution that automates static, dynamic and interactive testing, with SBOM capabilities through GitHub integrations.
A command line tool for detecting vulnerabilities in Python dependencies and doing safe package installs. Outputs CycloneDX SBOMs and supports policy enforcement.
Oligo Security delivers instant insights into actively executed libraries, assessing open source risks and confirming exploitability. It enables CycloneDX SBOM creation and auto-generates VEX.
Cloud-based platform that automatically extracts firmware images, enumerates components, and produces CycloneDX SBOM and vulnerability reports.
Open-source automated refactoring ecosystem for code transformation, security remediation, and dependency management through reusable recipes and build tool plugins.
A web application for importing, storing, and visualizing CycloneDX SBOMs, allowing organizations to track software components across projects.
A comprehensive suite of tools to automate software compliance checks, analyze dependencies / vulnerabilities, and generate reports.
A tool to import CycloneDX BOMs and visualize open source software statistics for dependency analysis and reporting.
Open source vulnerability database and scanner that accepts CycloneDX SBOMs as input and identifies known vulnerabilities in components across multiple ecosystems.
Parlay is an Apache-licensed CLI written in Go that takes CycloneDX 1.4 JSON/XML or SPDX 2.3 SBOMs and enriches them with licence, vulnerability, maintainer and scorecard data from services like ecosyste.ms, Snyk and OpenSSF.
Audits Python environments and dependency trees for known vulnerabilities and can emit CycloneDX SBOMs of affected components.
Unified cloud-native application protection platform that scans code, pipelines, infrastructure and runtime to generate CycloneDX SBOMs, analyze vulnerabilities, licenses and misconfigurations, and secure entitlements across multi-cloud environments.
Cloud-based tool to import, export, view, create, edit, and transform CycloneDX SBOMs and human-readable SBOMs, as well as manage VEX data.
Project Piper is an open-source Jenkins shared library and CLI that automates SAP-centric CI/CD pipelines and can generate CycloneDX SBOMs for Maven, Python, Go, container, and other builds.
PulseUno enables development teams to continually build and inspect the health and quality of code using plugins such as CycloneDX. Teams can use this information for merge, deployment, and release decisions.
Container-optimization platform that scans, profiles and hardens images, generates SBOMs, converts to CycloneDX/SPDX, and exports VEX to prioritize exploitable CVEs.
ReARM is a system to store, organize and manage SBOMs / xBOMs with Component and Product releases.
Open source catalog for storing, managing, and distributing CycloneDX Software Bills of Materials (SBOMs) in JSON format, with features for validation, merging, and analysis.
Publishes and ingests SBOMs for metadata management, compliance, and distribution. Supports CycloneDX and SPDX standards for software supply chain transparency.
Scanner that detects the use of JavaScript libraries with known vulnerabilities in web and Node.js applications and can generate CycloneDX-format SBOMs.
Continuous, runtime-aware SBOM platform that inventories every file, package and dependency across Windows and Linux hosts, containers and CI/CD pipelines, exports CycloneDX/VEX and validates vulnerability exploitability in real time.
Free SaaS repository to discover, store and permission-share CycloneDX v1.4 SBOMs with immutable provenance, VEX support and continuous assurance.
Creates CycloneDX SBOMs for frontend JavaScript apps bundled with rollup or vite.
Generates a C/C++ SBOM at build-time without a package manager, working across build environments and reporting on all library dependencies.
Salus is a tool for coordinating the execution of security scanners. Salus can generate CycloneDX SBOMs from many language ecosystems.
sbomasm is a command-line tool that assembles product SBOMs from component SBOMs, supporting CycloneDX and SPDX formats for streamlined management and distribution.
SBOM Benchmark is an Apache-licensed web application that scores CycloneDX 1.4/1.5 and SPDX SBOMs for quality and compliance, generating shareable reports via the sbomqs engine.
Creates CycloneDX SBOMs from Kubernetes Helm charts.
sbomex is a command line utility to help query and pull from Interlynk's public SBOM repository.
Command-line utility (`sbomgr`) that performs grep-style searches across SBOMs by name, checksum, CPE, and PURL.
SBOM Insights is a subscription-based SaaS platform that ingests SBOMs in CycloneDX and SPDX formats, reconciles and analyzes components for vulnerabilities, license compliance and outdated parts, and generates reports and compliance artifacts.
SBOM Observer provides a comprehensive SBOM workflow to help you manage your software supply chain. Leverage the powerful combination of the Policy Engine and Operational Model to guarantee the security and compliance of your software.
Command-line utility that evaluates the quality and compliance of CycloneDX and SPDX SBOMs across multiple categories, enabling automated policy gates in CI/CD workflows.
SBOM Scorecard evaluates SBOMs for specification compliance, generation metadata, and package details, supporting CycloneDX, SPDX, and Syft formats.
Go-based CLI and API to validate, query, trim and patch CycloneDX or SPDX BOMs, report on components, licences and vulnerabilities, and handle all CycloneDX variants up to v1.6.
Manage, assess, store and monitor all your vendors' SBOMs in one secure, centralized dashboard to improve supply chain security.
GitHub Action that fetches and diffs CycloneDX SBOMs for container images, posting comments or opening pull requests when package or vulnerability changes are detected.
SBOM-Manager is an open-source Python CLI that stores, queries, and scans CycloneDX 1.4/1.5 and SPDX 2.3 SBOMs via a local repository to support audit and vulnerability investigations.
Catalogue all container images running in a Kubernetes cluster and publish Software Bill of Materials (SBOM) documents, generated with Syft, to multiple back-ends.
A group of Rust projects for interacting with and producing software bill of materials (SBOMs).
GitHub Action that uploads CycloneDX SBOM files to GitHub’s dependency submission API, enabling Dependabot security analysis downstream.
A Bitbucket Pipe containing a collection of open source tools to perform additional analysis on a CycloneDX or SPDX SBOM.
A lightweight Go library for validating Software Bill of Materials (SBOM) against industry-standard specifications.
SBOM.sh is a free service to store, visualize and globally share CycloneDX SBOM files by simply using HTTP requests or curl.
SBOM2doc converts CycloneDX or SPDX SBOMs into human-readable reports in PDF, Markdown, HTML, Excel or console formats via a cross-platform Python CLI.
CLI that reads CycloneDX or SPDX SBOMs and emits a GraphViz-compatible DOT file so you can visualise component and dependency relationships.
Command-line tool that scans a directory and generates CycloneDX (JSON) or SPDX SBOMs for its files.
CLI utility that produces CycloneDX or SPDX SBOMs for installed Python modules or requirements files, identifying dependencies and their licenses, with optional dependency graph output.
CLI that reads Cargo.lock and authors CycloneDX v1.6 or SPDX SBOMs for Rust projects.
SBOMAudit is a command-line utility that audits CycloneDX or SPDX SBOMs against NTIA minimum requirements, license policies, allow/deny lists, and package age to flag outdated or non-compliant components.
SBOMcenter.io is a free service that gives you insight into the ingredients of your software without installing any software.
SBOMDiff is an Apache-2.0 CLI that compares two SBOM files (CycloneDX 1.4 or SPDX 2.3), highlighting package additions, removals, version or license changes, and outputs text, JSON or YAML reports.
sbomify is a comprehensive SBOM management platform that enables secure sharing and analysis of Software Bill of Materials. Seamlessly integrates with CI/CD pipelines.
Command-line utility that merges two SBOM files, supporting CycloneDX and SPDX inputs and outputs in tag, JSON or YAML formats.
A command line tool which analyses a set of SBOMs to identify license and version changes in components.
Generates CycloneDX SBOM reports (XML and JSON) for projects scanned in Flexera Code Insight.
Detects licenses, copyrights, package manifests and dependencies by scanning code to discover and inventory open source and third-party packages.
Open source software identification and inventory tool that provides insights into license compliance, security vulnerabilities, and software composition analysis.
Open-source platform that aggregates findings and CycloneDX SBOMs from many scanners, lets teams assess security and license risks, and reports results via dashboards and APIs.
secure.software (Spectra Assure) protects CI/CD workflows by scanning release artifacts for malware, vulnerabilities and policy violations, then exporting CycloneDX 1.6 SBOMs, SaaSBOMs, CBOMs and AI/ML-BOMs with optional VEX.
SecureStack analyzes your application, finds all source code, cloud stack and third-party services, and builds a CycloneDX SBOM every time you deploy.
Semgrep is an application security platform where developers can scan for vulnerabilities in code (SAST), in OSS dependencies (SCA), and secrets. Semgrep creates CycloneDX SBOMs that enrich vulnerabilities with reachability analysis.
A free open-source security tool for modern DevOps teams that performs static analysis-based security testing across multiple languages and frameworks
Command-line tool that analyzes CycloneDX SBOMs and evaluates components for known vulnerabilities by querying the public Snyk Vulnerability Database API.
A patented tool that performs comprehensive software supply chain risk assessments using a 7-step process to detect vulnerabilities and calculate trustworthiness scores for software.
A SonarQube Plugin that detects cryptographic assets in source code and generates CBOM.
SonarQube is a static code analysis platform that helps developers and development teams write clean code and remediate existing code as they work, so they can focus on delivering value.
Cloud-native, collaborative code analysis platform that analyzes pull requests to find and fix security, performance, reliability, and style issues while generating CycloneDX SBOMs.
Automate your software inventory. SOOS creates, ingests and manages your Software Bills of Materials and uses patented SCA and its open-source SBOM database to find hidden vulnerabilities, license issues and dependencies sooner.
HPC package manager for Linux and macOS; the spack-sbom plug-in exports CycloneDX SBOMs for any concretized spec.
Java utility that converts Software Bill of Materials (SBOM) documents from CycloneDX format to SPDX format, supporting multiple serialization options for both standards.
Generates a Software Bill of Materials in CycloneDX JSON Format from Veracode SCA Agent results
StackAware is a SaaS platform for managing CycloneDX 1.4/1.5 and SPDX SBOMs, enriching them with VEX data, and securely distributing both SBOMs and SaaSBOMs for supply-chain risk analysis.
SBOM management and vulnerability monitoring platform for IoT and embedded systems that demonstrates compliance with regulations and standards and manages risk across the entire product lifecycle.
Open-source SBOM visualization tool. Converts CycloneDX JSON into interactive charts and tables for components, dependencies, vulnerabilities, and licenses.
A modular framework for extracting file information and relationships for filesystems, with an SBOM as the primary output.
A software bill of materials (SBOM) generator for Swift packages
Generates SBOMs for demo and PoC purposes. Supports output in CycloneDX, SPDX, and SWID formats. Visualizes SBOMs as tree graphs.
CLI tool and library for generating a Software Bill of Materials from container images and filesystems.
Command-line tool that adds OpenSSF Scorecard security posture scores to packages listed in CycloneDX SBOMs.
GitHub App that generates CycloneDX SBOMs with cdxgen, scans them for vulnerabilities using grype, and uploads results to Dependency-Track.
Software composition analysis tool that generates a Software Bill of Materials for container images and Dockerfiles
Deepfence ThreatMapper hunts for vulnerabilities in production platforms, ranks vulnerabilities based on their risk-of-exploit using attack path enumeration, and generates CycloneDX SBOMs.
Threatrix CodeCertify produces a single, comprehensive and accurate CycloneDX bill of materials from multiple sources.
Tidelift provides a managed open-source subscription that delivers commercial support, maintenance, security and license assurances for the open-source dependencies used to build applications, backed directly by project maintainers.
Comprehensive security scanner for containers, filesystems, Git repositories, VMs and Kubernetes that detects vulnerabilities, misconfigurations, secrets and generates CycloneDX SBOMs.
SaaS platform for implementing and maintaining open source compliance that imports CycloneDX SBOMs, analyzes them for licenses and vulnerabilities, and integrates with various development workflows.
Multi-ecosystem SCA CLI tool supporting SBOM generation, decoration and analysis for licenses, vulnerabilities, known code snippets and malware.
SBoMDoc is a VDoc extension that uses CycloneDX namespaces and can emit BOM documents in various formats.
CLI and CI/CD tool for generating CycloneDX SBOMs, signing and verifying supply-chain evidence, enforcing policy, and tracking vulnerabilities across containers, source repositories, and pipelines.
SaaS catalog that ingests CycloneDX SBOMs via REST API, indexes them by team and product, and surfaces vulnerabilities, licenses and component age to secure the software supply chain.
API to output SBOM in CycloneDX (JSON) format based on Veracode's software composition analysis (SCA) scan.
Generate VEX (Vulnerability Exploitability Exchange) CycloneDX documents.
Vulnerability monitoring and remediation suite that imports, generates, converts, and analyses CycloneDX or SPDX SBOMs with curated CVE feeds and build-system integrations for Yocto, Buildroot, OpenWrt, and more.
CLI and Docker-based tool that scans Git providers, runs ORT, generates CycloneDX SBOMs centrally, and uploads them to LeanIX VSM to speed onboarding.
Generates CycloneDX Software Bill of Materials (SBOM) and visualizations for an organization's codebase through integrations with source control systems. Enables organizations to manage overall supply chain risk.
Agent-less vulnerability scanner for Linux, FreeBSD, containers, WordPress, programming language libraries and network devices which outputs CycloneDX Vulnerability Disclosure Reports (VDR).
WordPress plugin that generates CycloneDX SBOMs for installed plugins and themes, and can automatically submit them to OWASP Dependency-Track for vulnerability analysis.
JFrog Xray is a software-composition-analysis platform that finds vulnerabilities, license issues and policy violations in open-source and third-party components, and can export CycloneDX SBOMs with optional VEX data.
Supply-chain security platform and CLI that generates CycloneDX SBOMs, analyses vulnerabilities and misconfigurations, enforces policy in CI/CD, and integrates with DevOps tools to secure releases.
Yasca (Yet Another SCA tool) is an open-source Python utility and GitHub Action that scans Maven projects against GitHub Security Advisories, detects vulnerable or outdated dependencies, and exports CycloneDX SBOMs.