A living encyclopedia of software supply chain transparency
A Software Bill of Materials is a formal, machine-readable inventory of all components, libraries, and dependencies that make up a piece of software. Think of it as a nutritional label for code — revealing every ingredient in the recipe.
Modern software is assembled from hundreds of open-source packages. A single vulnerable dependency — buried six levels deep — can compromise entire systems. SBOMs illuminate these hidden relationships, transforming opaque binaries into auditable architectures.
SPDX. Linux Foundation standard, published as ISO/IEC 5962:2021. Strongest on licensing and compliance metadata.
CycloneDX. OWASP standard, also published as ECMA-424. Lightweight and security-focused, with native support for VEX and vulnerability data.
SWID tags. ISO/IEC 19770-2. Tag-based identification of installed software for inventory management.
Executive Order 14028 (2021) put the U.S. federal government on course to require SBOMs from its software suppliers, with NTIA defining the minimum elements an SBOM must contain. The EU Cyber Resilience Act requires manufacturers to produce an SBOM for products with digital elements sold on the European market. Compliance is no longer optional; it is the cost of doing business.
$ syft alpine:latest -o spdx-json=alpine.spdx.json
✔ Parsed image
✔ Cataloged packages [42 packages]
✔ Encoded SBOM spdx-json
$ grype sbom:./alpine.spdx.json
✔ Vulnerability DB loaded
✔ Scanned 42 packages
⚠ Found 3 vulnerabilities
SBOMs aren't static documents — they're snapshots of an ever-shifting dependency graph. Every npm install, every pip upgrade, every cargo update reshapes the topology. Continuous SBOM generation ensures your transparency window never goes dark.
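Treating SBOMs as snapshots only pays off if you can compare two of them. As an added example that is not part of the original page or of the syft/grype projects, the Python below reads two SBOM snapshots of the same image (one SPDX 2.3 JSON, one CycloneDX 1.5 JSON, both constructed inline with made-up package versions), normalizes them to a common component set and reports what was added, removed or changed between builds. Component identity is keyed on the Package URL (purl) with its version and qualifiers stripped, falling back to the bare name when no purl is present; the JSON field names are those of the two specifications, while the function names and the sample documents are assumptions of this example.

```python
import json
from typing import Dict, NamedTuple, Optional, Set


class Component(NamedTuple):
    """One inventory entry, normalized across SBOM formats."""
    name: str
    version: str
    purl: Optional[str]


def _from_spdx(doc: dict) -> Set[Component]:
    """SPDX 2.x JSON: packages[] carry versionInfo and a purl in externalRefs[]."""
    out = set()
    for pkg in doc.get("packages", []):
        purl = next(
            (ref.get("referenceLocator") for ref in pkg.get("externalRefs", [])
             if ref.get("referenceType") == "purl"),
            None,
        )
        out.add(Component(pkg["name"], pkg.get("versionInfo", "NOASSERTION"), purl))
    return out


def _from_cyclonedx(doc: dict) -> Set[Component]:
    """CycloneDX JSON: components[] carry name, version and purl directly."""
    return {
        Component(c["name"], c.get("version", ""), c.get("purl"))
        for c in doc.get("components", [])
    }


def load_components(sbom_json: str) -> Set[Component]:
    """Detect the format from the document's own markers and normalize it."""
    doc = json.loads(sbom_json)
    if "spdxVersion" in doc:
        return _from_spdx(doc)
    if doc.get("bomFormat") == "CycloneDX":
        return _from_cyclonedx(doc)
    raise ValueError("not an SPDX or CycloneDX JSON document")


def _identity(c: Component) -> str:
    # purl scheme is pkg:type/namespace/name@version?qualifiers; everything before
    # the '@' identifies the package independent of version. Keying on the name
    # alone would conflate same-named packages from different ecosystems.
    return c.purl.split("@", 1)[0] if c.purl else c.name


def diff_sboms(old: Set[Component], new: Set[Component]) -> Dict[str, object]:
    """Report added/removed packages and version changes between two snapshots."""
    old_by = {_identity(c): c for c in old}
    new_by = {_identity(c): c for c in new}
    added = sorted(new_by[k].name for k in set(new_by) - set(old_by))
    removed = sorted(old_by[k].name for k in set(old_by) - set(new_by))
    changed = {
        old_by[k].name: (old_by[k].version, new_by[k].version)
        for k in set(old_by) & set(new_by)
        if old_by[k].version != new_by[k].version
    }
    return {"added": added, "removed": removed, "changed": changed}


def _apk_purl(name: str, version: str) -> str:
    return f"pkg:apk/alpine/{name}@{version}?arch=x86_64"


# Constructed sample: SPDX snapshot of an earlier build (versions are made up).
OLD_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "alpine-build-101",
    "packages": [
        {"name": n, "versionInfo": v, "SPDXID": f"SPDXRef-Package-{n}",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": _apk_purl(n, v)}]}
        for n, v in [("busybox", "1.36.1-r5"), ("musl", "1.2.4-r2"),
                     ("zlib", "1.2.13-r1"), ("libcrypto3", "3.1.4-r1")]
    ],
})

# Constructed sample: CycloneDX snapshot of the next build of the same image.
NEW_CDX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": n, "version": v, "purl": _apk_purl(n, v)}
        for n, v in [("busybox", "1.36.1-r15"), ("musl", "1.2.4-r2"),
                     ("zlib", "1.3.1-r0"), ("ssl_client", "1.36.1-r15")]
    ],
})


def demo() -> Dict[str, object]:
    return diff_sboms(load_components(OLD_SPDX_JSON), load_components(NEW_CDX_JSON))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a pipeline, the two inputs would be the SBOM archived from the previous build and the one just generated; a non-empty `changed` or `added` set is the signal to rescan (for example with grype against the new SBOM) rather than trusting last week's result.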
Every transparent supply chain starts with a single scan. Generate your first SBOM today. Know what's inside your software. Make the opaque, transparent.