Skip to content

sktelecom/sbom-tools

BomLens — an SBOM generator

BomLens is a local-first SBOM generator and open-source risk assessor. It produces a CycloneDX SBOM, an open-source notice, and a security/license risk report for a single project in seconds — from source code, containers, binaries, firmware, an SBOM you received, or a HuggingFace AI model. CLI or browser UI, no SaaS.

GitHub release Container image License OpenSSF Best Practices OpenSSF Scorecard

BomLens web UI showing a scan result: the Overview with counts and a severity/license summary, the Components table with filters, the Vulnerabilities list, the Dependencies as a graph and tree, and the Licenses section

Where to start — the full docs are a navigable site at sktelecom.github.io/sbom-tools (search, sidebar, English/Korean); the same content lives under docs/:

One Docker image, two jobs: generate — scan your source code (or a container image / binary) and produce a CycloneDX SBOM, an open-source notice, and a security report — and assess open-source risk in what you receive, such as a supplier's finished SBOM (--analyze) or a firmware binary (licenses + known vulnerabilities, with Critical-7d / High-30d remediation deadlines). Every scan emits the risk report by default. Originally built by SK Telecom for supply-chain security, now open source.

Languages: Java, Python, Node.js, Ruby, PHP, Rust, Go, .NET, Swift, C/C++ (Conan/vcpkg, or --identify-vendored for sources with no package manager). Inputs: source folder, GitHub URL, ZIP archive, Docker image, binary/RootFS, existing SBOM, firmware, and a HuggingFace AI model (CycloneDX ML-BOM).

BomLens web UI — name a project, pick a scan target, and choose what to generate (SBOM, open-source notice, security report)

Quick Start

Everything runs on a Docker engine (20.10+). On Windows, free Rancher Desktop works well, or WSL2 + docker-ce (fully free); Docker Desktop also works, with licensing caveats for larger organizations. The desktop app and web UI manage the image for you — only the CLI asks you to pull it.

Desktop app — no command line (recommended)

Download the installer and double-click it — BomLens-Setup.exe for Windows or BomLens-Setup.dmg for macOS. It checks Docker, pulls the image, and opens the UI — no console window. The app is unsigned for now; if Windows SmartScreen or macOS blocks it, the no-CLI quick start (한국어) shows how to proceed — it also walks a non-developer through the common case of a source ZIP handed over by a dev team. Build details are in electron/.

BomLens desktop app — the startup screen shows Docker checks, image download progress, and container startup

Web UI

Launch, scan, and download in the browser; live logs stream as it runs.

git clone https://github.com/sktelecom/sbom-tools.git && cd sbom-tools
./scripts/scan-sbom.sh --ui     # opens http://localhost:8080; results save to the current folder
#   Windows: double-click scripts\sbom-ui.bat

Enter a project name and version, pick a scan target (current folder, GitHub URL, ZIP, SBOM, firmware upload, or Docker image), click Run scan, then view or download the results.

BomLens web UI — reviewing a finished scan: needs-attention, component and vulnerability counts, the severity distribution and the license summary

CLI (advanced)

docker pull ghcr.io/sktelecom/bomlens:latest   # aliases: sbom-generator and sbom-scanner serve the same image
./scripts/scan-sbom.sh --project MyApp --version 1.0.0 --target examples/nodejs --all --generate-only

On Windows, run the same command through scripts\scan-sbom.bat (Git for Windows required). Other inputs — GitHub URL, source archive, Docker image, firmware — and every option are in the input-scenarios guide and the CLI reference.

Outputs (in a {Project}_{Version}/ subfolder, files prefixed {Project}_{Version}_…): bom.json (SBOM), NOTICE.{txt,html}, risk-report.{md,html} (default), and security.{json,md,html} (Trivy).

Contributing & License

Issues and PRs welcome — see CONTRIBUTING.md (한국어) and GitHub Issues.

Apache License 2.0 · © 2026 SK Telecom Co., Ltd. Bundled third-party tools keep their own licenses — see NOTICE and THIRD_PARTY_LICENSES.md.

About

BomLens — a local-first SBOM generator & open-source risk assessor (CycloneDX). Produce an SBOM, an open-source notice, and a security/license risk report from source code, containers, binaries, firmware, or an SBOM you received. CLI or web UI, no SaaS.

Topics

Resources

License

Code of conduct

Contributing

Security policy

Stars

10 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors