Skip to content

bomctl/bomctl

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

104 Commits
.github
.github
 
 
.vscode
.vscode
 
 
cmd
cmd
 
 
docs
docs
 
 
internal/pkg
internal/pkg
 
 
.adr-dir
.adr-dir
 
 
.commitlint.yaml
.commitlint.yaml
 
 
.editorconfig
.editorconfig
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
.golangci.yml
.golangci.yml
 
 
.goreleaser.yml
.goreleaser.yml
 
 
.markdownlint.yml
.markdownlint.yml
 
 
.pre-commit-config.yaml
.pre-commit-config.yaml
 
 
.yamllint
.yamllint
 
 
CODEOWNERS
CODEOWNERS
 
 
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
COPYRIGHT.md
COPYRIGHT.md
 
 
DEVELOPMENT.md
DEVELOPMENT.md
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
SECURITY.md
SECURITY.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

bomctl

OpenSSF Scorecard Go Report Card Go Reference Slack

bomctl is format-agnostic Software Bill of Materials (SBOM) tooling, which is intended to bridge the gap between SBOM generation and SBOM analysis tools. It focuses on supporting more complex SBOM operations by being opinionated on only supporting the NTIA minimum fields or other fields supported by protobom.

Note

This is an experimental project under active development. We'd love feedback on the concept, scope, and architecture!

Features

  • Work with multiple SBOMs in tree structures (through external references)
  • Fetch and push SBOMs using HTTPS, OCI, and GIT protocols
  • Leverage a .netrc file to handle authentication
  • Manipulate SBOMs with commands like diff, split, and redact
  • Manage SBOMs using a persistent database cache
  • Interface with OpenSSF projects and services like GUAC and Sigstore

Join our Community

Installation

Homebrew

brew tap bomctl/bomctl && brew install bomctl

Container Images

Container images for bomctl can be found on Docker Hub.

docker run bomctl/bomctl:latest --help

Commands

Fetch (Implemented)

Ability to retrieve an SBOM via several protocols:

  • HTTP/S
  • Git

and from various locations:

  • Local Filesystem
  • OCI

This includes recursive loading of external references in an SBOM to other SBOMs and placing them into the persistent cache. If SBOMs are access controlled, a user's .netrc file to authenticate.

Diff (Planned)

TBD

Lint (Planned)

TBD

List (Planned)

TBD

Merge (Planned)

TBD

Push (Planned)

TBD

Redact (Planned)

TBD

Split (Planned)

TBD

Trim (Planned)

TBD

Verifying Integrity

Verifying Container Images

Container images for bomctl can be found here and are signed using keyless signing with cosign.

You can then verify this container image with cosign.

cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/bomctl/bomctl/\.github/. '  bomctl/bomctl:latest

Verifying Releases

bomctl releases can be found here and are signed using keyless signing with cosign.

You can then verify this artifact with cosign.

cosign verify-blob --certificate ${artifact}-keyless.pem --signature ${artifact}-keyless.sig --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/bomctl/bomctl/\.github/. '  ${artifact}

If the result is Verified OK, the verification is successful.

You can also look up the entry in the public Rekor instance using a sha256 hash.

shasum -a 256 bomctl_SNAPSHOT-3f16bdb_checksums.txt |awk '{print $1}'

The printed hash can be used to look up the entry at https://search.sigstore.dev/.

About

Format agnostic SBOM tooling

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

80 stars

Watchers

9 watching

Forks

16 forks
Report repository

Releases 17

v0.4.1 Latest
Sep 16, 2024
16 releases

Packages

No packages published

Contributors 10

Languages