bomctl is format-agnostic Software Bill of Materials (SBOM) tooling intended to bridge the gap between SBOM generation and SBOM analysis tools. It focuses on supporting more complex operations across multiple SBOM files that together represent a system, and it is deliberately opinionated: it supports only the NTIA minimum fields and the other fields supported by protobom.
Note
This is an experimental project under active development. We'd love feedback on the concept, scope, and architecture!
- Work with multiple SBOMs in tree structures (through external references)
- Fetch and push SBOMs using multiple protocols
- Leverage a `.netrc` file to handle authentication
- Manage SBOMs using a persistent database cache
- FUTURE - Manipulate SBOMs with commands like `diff`, `split`, and `redact`
- FUTURE - Interface with OpenSSF projects and services like GUAC and Sigstore
- #bomctl on OpenSSF Slack
- OpenSSF Security Tooling Working Group Meeting - Every other Friday at 8am Pacific
- SBOM Tooling Working Meeting - Every Monday at 2pm Pacific