- Automatically parses Python environment files to discover dependencies.
- Currently supports:
  - Conda (environment.yml, environment.yaml)
  - PIP (requirements.txt)
  - Poetry (pyproject.toml)
  - Modern Python projects (pyproject.toml with PEP 621 format)
- Looks up license information directly from Conda caches and PyPI.
- Can process individual files or search directories for multiple dependency files.
- Outputs detailed Bill of Materials with package versions, licenses, and validation status.
```
usage: superbom [-h] [-o OUTPUT] [-f FORMAT] [-p PLATFORM] [-v] [-V] path

Generate a Bill of Materials (BOM)

positional arguments:
  path                  Path to environment file or directory to search.
                        (if directory, will search for .yml, .yaml, .txt, .toml files)

options:
  -h, --help            show this help message and exit
  -o, --output OUTPUT   Path to output file
  -f, --format FORMAT   Output format (table, csv, excel, json) Default: table
  -p, --platform PLATFORM
                        Additional platform to check for conda packages
  -v, --verbose         Enable verbose logging
  -V, --version         Show version and exit
```
```bash
# Process a single requirements.txt file
superbom requirements.txt

# Process a conda environment file with table output
superbom environment.yml -f table

# Process a pyproject.toml file and save as Excel
superbom pyproject.toml -f excel -o dependencies.xlsx

# Search a directory for all dependency files and output as JSON
superbom ./my-project -f json -o bom.json

# Process with verbose logging
superbom pyproject.toml -v

# Add an additional conda platform for cross-platform analysis
superbom environment.yml -p win-64
```

Requirements:
- Python 3.11+
- uv (Python package manager)
- git
```bash
# Navigate to project directory
cd superbom

# Install uv (if not already installed)
pip install uv

# Install project dependencies
uv sync

# Or install in editable mode
uv pip install -e .
```

```bash
# Install project with development dependencies
uv pip install -e ".[dev]"

# Or use uv sync to install all dependencies including dev
uv sync

# Run commands in the uv environment
uv run superbom --help

# Or activate the virtual environment
source .venv/bin/activate   # On Unix/macOS
# .venv\Scripts\activate    # On Windows
```

```bash
# Build the project
uv build

# This creates two files in dist/:
#   - superbom-x.x.x-py3-none-any.whl (wheel)
#   - superbom-x.x.x.tar.gz (source distribution)

# Alternative: use standard Python build tools
pip install build
python -m build
```

SuperBOM follows security best practices:
- Signed Releases: All releases are cryptographically signed using Sigstore
- Continuous Fuzzing: Automated security fuzzing for input validation
- SLSA Provenance: Supply chain integrity verification
- Regular Updates: Automated dependency updates and security patches
To report a security issue, see SECURITY.md. Before installing a downloaded release, verify its signature and provenance as described in RELEASE.md.