Top 23 Python sbom Projects
-
scancode-toolkit
:mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet, the Google Summer of Code, Azure credits, nexB and other generous sponsors!
-
cve-bin-tool
The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 350 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
-
dep-scan
OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
Add a CI gate. Integrate Software Composition Analysis into your pipeline. Tools like OWASP dep-scan flag unknown or newly published packages before they reach production. Generate and sign Software Bills of Materials (SBOMs) for every build so each dependency is auditable. If a package does not appear in your organization's approved registry, the build should fail.
-
purl-spec
A minimal specification for purl, a.k.a. a package "mostly universal" URL; join the discussion at https://gitter.im/package-url/Lobby
Project mention: Reconciling 15 OSS Vulnerability Databases: What They Actually Cover | dev.to | 2026-04-09
vuln_id is the primary identifier that source uses: a GHSA-xxxx, CVE-xxxx, PYSEC-xxxx, RUSTSEC-xxxx, GO-xxxx, or MAL-xxxx. aliases is a semicolon-joined list of cross-database identifiers the source knows about. purl is the Package URL, a canonical string like pkg:pypi/tensorflow or pkg:maven/io.grpc/grpc-protobuf that uniquely names a package across every public ecosystem.
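The dep-scan note above (fail the build when a dependency is not in the organization's approved registry) and the purl description here need the same building block: a parser that turns a purl into its canonical, version-less form so it can be used as a lookup key. The block below is an added example written for this page, not code from purl-spec, dep-scan, or any other listed project. It follows the purl-spec parsing order (subpath, qualifiers, version, then type/namespace/name, with percent-decoding and a few of the type-specific normalization rules) and then applies a hypothetical allow-list `APPROVED` to a constructed CycloneDX fragment `SAMPLE_SBOM`; `gate()` and its message strings are also assumptions made for illustration.

```python
"""Parse Package URLs (purls) by the purl-spec grammar and use the version-less
purl as the key for a CI allow-list gate over a CycloneDX SBOM.
Added example: not code from purl-spec, dep-scan, or any project on this page."""
import json
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Tuple[Tuple[str, str], ...] = ()
    subpath: Optional[str] = None

    def coordinates(self) -> str:
        """Canonical version-less identity: scheme, type, namespace, name."""
        ns = f"{self.namespace}/" if self.namespace else ""
        return f"pkg:{self.type}/{ns}{self.name}"


def _split_last(s: str, sep: str):
    """Split once on the rightmost sep; tail is None when sep is absent."""
    head, found, tail = s.rpartition(sep)
    return (head, tail) if found else (s, None)


def parse_purl(s: str) -> Purl:
    scheme, sep, rest = s.partition(":")
    if not sep or scheme.lower() != "pkg":
        raise ValueError(f"not a purl: {s!r}")
    rest = rest.lstrip("/")
    # purl-spec parsing order: subpath, qualifiers, version, then the path.
    rest, subpath = _split_last(rest, "#")
    rest, qualifiers = _split_last(rest, "?")
    rest, version = _split_last(rest, "@")
    segments = [seg for seg in rest.split("/") if seg]
    if len(segments) < 2:
        raise ValueError(f"purl needs a type and a name: {s!r}")
    ptype = segments[0].lower()
    name = unquote(segments[-1])
    namespace = "/".join(unquote(seg) for seg in segments[1:-1]) or None

    # Type-specific normalization rules from the spec (only a few shown here).
    if ptype == "pypi":
        name = name.lower().replace("_", "-")
    elif ptype in ("github", "bitbucket"):
        name = name.lower()
        namespace = namespace.lower() if namespace else None

    quals = {}
    if qualifiers:
        for pair in qualifiers.split("&"):
            key, _, value = pair.partition("=")
            if value:  # qualifiers with empty values are dropped
                quals[key.lower()] = unquote(value)

    if subpath is not None:
        parts = [unquote(p) for p in subpath.split("/") if p not in ("", ".", "..")]
        subpath = "/".join(parts) or None

    return Purl(ptype, name, namespace,
                unquote(version) if version else None,
                tuple(sorted(quals.items())), subpath)


# Constructed CycloneDX fragment used as sample input; not a real SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "purl": "pkg:pypi/requests@2.32.3"},
        {"type": "library", "name": "grpc-protobuf", "version": "1.60.0",
         "purl": "pkg:maven/io.grpc/grpc-protobuf@1.60.0?type=jar"},
        {"type": "library", "name": "Left_Pad", "version": "0.0.1",
         "purl": "pkg:pypi/Left_Pad@0.0.1"},
        {"type": "library", "name": "internal-tool", "version": "1.0.0"},  # no purl
    ],
})

# Hypothetical allow-list of approved version-less purls; an organization
# would generate this from its curated registry rather than hard-code it.
APPROVED = {"pkg:pypi/requests", "pkg:maven/io.grpc/grpc-protobuf"}


def gate(sbom_json: str, approved) -> list:
    """Return the violations; an empty list means the build may proceed."""
    violations = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            violations.append(f"{comp.get('name')}: component has no purl")
            continue
        key = parse_purl(purl).coordinates()
        if key not in approved:
            violations.append(f"{key}: not in approved registry")
    return violations


if __name__ == "__main__":
    problems = gate(SAMPLE_SBOM, APPROVED)
    for problem in problems:
        print("DENY", problem)
    raise SystemExit(1 if problems else 0)
```

Matching on the version-less purl rather than on the bare component name is the point: `Left_Pad` normalizes to `pkg:pypi/left-pad`, so a casing or underscore variant cannot slip past the allow-list, and a component with no purl at all is treated as a failure rather than silently skipped. Pinning versions belongs in the SBOM signature and the lockfile; the registry gate only decides whether the package is one the organization has approved at all.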
-
tern
Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more. (by tern-tools)
-
puncia
Panthera(P.)uncia - Official CLI utility for Osprey Vision, Subdomain Center & Exploit Observer.
-
blint
blint is a Binary Linter that checks the security properties and capabilities of your executables. It can also generate a Software Bill-of-Materials (SBOM) for supported binaries.
-
ai-bom
Project mention: Show HN: AI-BOM – Open-source scanner that discovers shadow AI components | news.ycombinator.com | 2026-02-23
-
mcp-audit
See what your AI agents can access. Scan MCP configs for exposed secrets, shadow APIs, and AI models. Generate AI-BOMs for compliance.
Project mention: Show HN: APIsec MCP Audit – Audit what your AI agents can access | news.ycombinator.com | 2026-01-20
-
Veritensor
The Anti-Virus for AI Artifacts & RAG Firewall. A static analysis tool scanning Models and Notebooks for RCE, Datasets and RAG docs for Data Poisoning, PII, and Prompt Injections. Secure your AI Supply Chain. (by arsbr)
Project mention: Recommendation for open-source tool for the AI supply chain security | news.ycombinator.com | 2026-02-09
https://github.com/arsbr/Veritensor
The goal is to help teams secure the AI/ML supply chain as models, datasets, and tooling increasingly come from third parties.
What it currently does:
-
vulnerability-scan-github-action-for-amazon-inspector
Scan artifacts with Amazon Inspector from GitHub Actions workflows.
-
Surfactant
Modular framework for file information extraction and dependency analysis to generate accurate SBOMs
Project mention: Show HN: Analyze binary capabilities in-browser with capa and Pyodide | news.ycombinator.com | 2026-01-21
Hey all!
I’ve been working on getting Mandiant’s capa (a tool for identifying capabilities in executables) to run entirely client-side in the browser using Pyodide.
To make this happen, I’ve been working through the capa dependency tree to ensure all upstream packages publish an sdist or pure-Python wheels. We’ve finally reached the point where it’s possible to run capa to analyze binaries in a browser using the vivisect backend.
The long-term goal is to upstream these changes to the official mandiant/capa repository. I’d love for people to try it out and let me know how the performance feels or if you run into any quirks.
Again, a live version can be found here: https://surfactant.readthedocs.io/en/latest/capa/
And the source files for the page are here: https://github.com/llnl/Surfactant/tree/main/docs/capa
Suggestions and bug reports are welcome!
-
skillfortify
First formal security scanner for AI agent skills & plugins. Static analysis, supply chain verification, SBOM generation. 22 frameworks supported including MCP, LangChain, CrewAI.
This is exactly what frameworks like SkillFortify do — automated verification of AI agent skills against 22 security frameworks before they're allowed to execute. The OpenClaw crisis would have been caught at installation time, not after 341 skills were already deployed.
-
gitgalaxy
An AST-free, LLM-free heuristic knowledge graph engine for deep repository intelligence. Map, secure, and modernize enterprise codebases across 50+ languages at extreme velocity
Project mention: BlAST Engine: AST-free static analyzer to auto-generate agents.md in the CI pipe | news.ycombinator.com | 2026-04-29
-
Izumi
Project mention: Izumi: An LLM-Powered SBOM Generator Built Out of Frustration | dev.to | 2026-04-01
The result is Izumi — an SBOM tool that combines LLM-based OSS detection with static analysis for license identification directly from source code. If you're working on embedded software or C/C++ projects and struggling with SBOM compliance, I'd love to hear your thoughts. The project is open source — [https://github.com/moonkick64/Izumi].
-
software-supply-chain
This combined approach ensures repeatable, scalable, and CI-integrated detection. The fully automated solution is available in the dedicated GitHub repository.
-
threat-intel-api
Sector-aware OSINT vulnerability intelligence API. Aggregates NVD, CISA KEV and GitHub Advisories, scores each CVE per industry profile. (by Setounkpe7)
Project mention: Sector-aware threat intel API: stop triaging hundreds of CVEs manually | dev.to | 2026-05-18
threat-intel-api is an open-source (MIT) vulnerability intelligence service. It pulls in NVD, CISA KEV and GHSA, removes the duplicates between them, and scores every CVE against a YAML file you write that describes what your sector and your stack actually care about.
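As an added example of the two steps the post describes, deduplicating across feeds and then scoring against a profile (this is not the threat-intel-api code): records from three constructed feeds, in the vuln_id / aliases / purl shape introduced under purl-spec above, are merged through their alias graph with a union-find, so that an NVD row, a GHSA row that lists the CVE as an alias, and a KEV row with the same CVE collapse into one entry. Each merged entry is then scored against `PROFILE`, a Python dict standing in for the YAML file. The weights, the `CVE-2099-*` / `GHSA-0000-*` / `PYSEC-2099-*` identifiers, and the package names are all placeholders constructed for illustration.

```python
"""Reconcile advisory records from several feeds by their alias graph, then
score the merged vulnerabilities against a sector/stack profile.
Added example; not the threat-intel-api code. Every record, identifier and
weight below is constructed for illustration."""
from collections import defaultdict

# Constructed feed rows; the identifiers are placeholders, not real advisories.
RAW_RECORDS = [
    {"source": "nvd", "vuln_id": "CVE-2099-0001", "aliases": "",
     "purl": "pkg:pypi/examplelib", "cvss": 9.8, "kev": False},
    {"source": "ghsa", "vuln_id": "GHSA-0000-0000-0001",
     "aliases": "CVE-2099-0001;PYSEC-2099-0001",
     "purl": "pkg:pypi/examplelib", "cvss": 9.1, "kev": False},
    {"source": "kev", "vuln_id": "CVE-2099-0001", "aliases": "",
     "purl": "", "cvss": None, "kev": True},
    {"source": "ghsa", "vuln_id": "GHSA-0000-0000-0002", "aliases": "CVE-2099-0002",
     "purl": "pkg:npm/example-widget", "cvss": 5.3, "kev": False},
    {"source": "nvd", "vuln_id": "CVE-2099-0003", "aliases": "",
     "purl": "pkg:maven/com.example/ledger-core", "cvss": 7.5, "kev": False},
]

# Stand-in for the YAML profile: which ecosystems this organization actually
# runs and how much each signal is worth. Hypothetical weights.
PROFILE = {
    "sector": "fintech",
    "stack": ["pkg:pypi/", "pkg:maven/"],
    "weights": {"kev": 40, "in_stack": 30, "cvss": 3},
}


class AliasGraph:
    """Union-find over identifiers: two records describe the same vulnerability
    when their vuln_id/aliases connect them, directly or transitively."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def ids_of(rec):
    """vuln_id plus the semicolon-joined aliases, as a list."""
    return [rec["vuln_id"]] + [a for a in rec["aliases"].split(";") if a]


def reconcile(records):
    """Merge records that share identifiers; prefer the CVE as canonical id."""
    graph = AliasGraph()
    for rec in records:
        ids = ids_of(rec)
        for other in ids[1:]:
            graph.union(ids[0], other)
    groups = defaultdict(list)
    for rec in records:
        groups[graph.find(rec["vuln_id"])].append(rec)

    merged = []
    for recs in groups.values():
        all_ids = sorted({i for r in recs for i in ids_of(r)})
        cves = [i for i in all_ids if i.startswith("CVE-")]
        canonical = cves[0] if cves else all_ids[0]
        cvss = [r["cvss"] for r in recs if r["cvss"] is not None]
        merged.append({
            "id": canonical,
            "aliases": [i for i in all_ids if i != canonical],
            "sources": sorted({r["source"] for r in recs}),
            "purls": sorted({r["purl"] for r in recs if r["purl"]}),
            "cvss": max(cvss) if cvss else 0.0,   # keep the highest score seen
            "kev": any(r["kev"] for r in recs),   # KEV from any feed counts
        })
    return merged


def score(entry, profile):
    """Weighted sum: known-exploited, present in our stack, base severity."""
    w = profile["weights"]
    in_stack = any(p.startswith(prefix)
                   for p in entry["purls"] for prefix in profile["stack"])
    return w["kev"] * entry["kev"] + w["in_stack"] * in_stack + w["cvss"] * entry["cvss"]


def triage(records, profile):
    """Canonical ids ranked by profile score, highest first."""
    ranked = sorted(reconcile(records), key=lambda e: score(e, profile), reverse=True)
    return [(e["id"], round(score(e, profile), 1)) for e in ranked]


if __name__ == "__main__":
    for vuln_id, s in triage(RAW_RECORDS, PROFILE):
        print(f"{s:6.1f}  {vuln_id}")
```

The union-find matters because alias lists are not symmetric: here only the GHSA row knows about the CVE and the PYSEC id, and the KEV row carries the CVE alone, yet all three still land in one entry. Scoring the merged entry rather than any single feed's row is what lets the KEV flag from one feed and the higher CVSS from another both count.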
Index
What are some of the best open-source sbom projects in Python? This list will help you:
| # | Project | Stars |
|---|---|---|
| 1 | scancode-toolkit | 2,564 |
| 2 | cve-bin-tool | 1,703 |
| 3 | dep-scan | 1,255 |
| 4 | purl-spec | 1,056 |
| 5 | tern | 1,017 |
| 6 | puncia | 663 |
| 7 | meta-package-manager | 598 |
| 8 | reuse-tool | 578 |
| 9 | blint | 451 |
| 10 | spdx-spec | 373 |
| 11 | sbomnix | 285 |
| 12 | ai-bom | 262 |
| 13 | mcp-audit | 150 |
| 14 | Veritensor | 80 |
| 15 | vulnerability-scan-github-action-for-amazon-inspector | 57 |
| 16 | opentemplate | 42 |
| 17 | Surfactant | 41 |
| 18 | skillfortify | 26 |
| 19 | bogrod | 22 |
| 20 | gitgalaxy | 15 |
| 21 | Izumi | 2 |
| 22 | software-supply-chain | 0 |
| 23 | threat-intel-api | 0 |