BomLens is a local-first SBOM generator and open-source risk assessor. It produces a CycloneDX SBOM, an open-source notice, and a security/license risk report for a single project in seconds — from source code, containers, binaries, firmware, an SBOM you received, or a HuggingFace AI model. CLI or browser UI, no SaaS.
Where to start — the full docs are a navigable site at sktelecom.github.io/sbom-tools (search, sidebar, English/Korean); the same content lives under docs/:
- First scan (한국어) — install and your first SBOM (desktop app, web UI, CLI)
- No-CLI quick start (한국어) — no command line at all, click by click, for non-developers
- CLI reference — every option and environment variable
- Input scenarios — GitHub URL, ZIP, local source, existing SBOM, firmware
- Contributing to the tool itself — CONTRIBUTING and the architecture; maintainer design notes live under docs/internal/ (Korean)
One Docker image, two jobs: generate — scan your source code (or a container image / binary) and produce a CycloneDX SBOM, an open-source notice, and a security report — and assess open-source risk in what you receive, such as a supplier's finished SBOM (--analyze) or a firmware binary (licenses + known vulnerabilities, with Critical-7d / High-30d remediation deadlines). Every scan emits the risk report by default. Originally built by SK Telecom for supply-chain security, now open source.
Languages: Java, Python, Node.js, Ruby, PHP, Rust, Go, .NET, Swift, C/C++ (Conan/vcpkg, or --identify-vendored for sources with no package manager). Inputs: source folder, GitHub URL, ZIP archive, Docker image, binary/RootFS, existing SBOM, firmware, and a HuggingFace AI model (CycloneDX ML-BOM).
Everything runs on a Docker engine (20.10+). On Windows, free Rancher Desktop works well, or WSL2 + docker-ce (fully free); Docker Desktop also works, with licensing caveats for larger organizations. The desktop app and web UI manage the image for you — only the CLI asks you to pull it.
Download the installer and double-click it — BomLens-Setup.exe for Windows or BomLens-Setup.dmg for macOS. It checks Docker, pulls the image, and opens the UI — no console window. The app is unsigned for now; if Windows SmartScreen or macOS blocks it, the no-CLI quick start (한국어) shows how to proceed — it also walks a non-developer through the common case of a source ZIP handed over by a dev team. Build details are in electron/.
Launch, scan, and download in the browser; live logs stream as it runs.
git clone https://github.com/sktelecom/sbom-tools.git && cd sbom-tools
./scripts/scan-sbom.sh --ui # opens http://localhost:8080; results save to the current folder
# Windows: double-click scripts\sbom-ui.batEnter a project name and version, pick a scan target (current folder, GitHub URL, ZIP, SBOM, firmware upload, or Docker image), click Run scan, then view or download the results.
docker pull ghcr.io/sktelecom/bomlens:latest # aliases: sbom-generator and sbom-scanner serve the same image
./scripts/scan-sbom.sh --project MyApp --version 1.0.0 --target examples/nodejs --all --generate-onlyOn Windows, run the same command through scripts\scan-sbom.bat (Git for Windows required). Other inputs — GitHub URL, source archive, Docker image, firmware — and every option are in the input-scenarios guide and the CLI reference.
Outputs (in a {Project}_{Version}/ subfolder, files prefixed {Project}_{Version}_…): bom.json (SBOM), NOTICE.{txt,html}, risk-report.{md,html} (default), and security.{json,md,html} (Trivy).
Issues and PRs welcome — see CONTRIBUTING.md (한국어) and GitHub Issues.
Apache License 2.0 · © 2026 SK Telecom Co., Ltd. Bundled third-party tools keep their own licenses — see NOTICE and THIRD_PARTY_LICENSES.md.



