bomctl/bomctl repository overview

⁠bomctl

bomctl is format-agnostic Software Bill of Materials (SBOM) tooling, which is intended to bridge the gap between SBOM generation and SBOM analysis tools. It focuses on supporting more complex SBOM operations by being opinionated on only supporting the NTIA minimum fields⁠ or other fields supported by protobom⁠.

⁠Features

• Work with multiple SBOMs in tree structures (through external references)
• Fetch and push SBOMs using HTTPS, OCI, and GIT protocols
• Leverage a .netrc file to handle authentication
• Manipulate SBOMs with commands like diff, split, and redact
• Manage SBOMs using a persistent database cache
• Interface with OpenSSF projects and services like GUAC⁠ and Sigstore⁠

⁠Join our Community

• #bomctl on OpenSSF Slack⁠
• OpenSSF Security Tooling Working Group Meeting⁠ - Every two weeks on Friday, 8am Pacific
• SBOM Tooling Working Meeting⁠ - Every Monday, 2pm Pacific