A CLI tool that parses SBOM files and scans all of their dependencies with Semgrep
Parse SBOM files and scan all dependencies with Semgrep
```text
Usage: scanbom [OPTIONS] <file_path>

Arguments:
  <file_path>  Path to the SBOM file

Options:
  -c, --clean-json                 Output simplified JSON format
  -j, --json-input                 Use JSON input format
  -t, --timer                      Measure elapsed time
  -q, --quiet                      Only print output, with no loading bar
  -o, --output-type <output_type>  Specify the output format [default: text]
                                   [possible values: json, semgrep, emacs, gitlab-sast,
                                   gitlab-secrets, junit-xml, sarif, text, vim]
  -h, --help                       Print help
  -V, --version                    Print version
```
Simply pass in an SBOM in SPDX format and ScanBOM will clone down all the dependencies and scan them with Semgrep. For any open source project, you can get an SBOM in this format from GitHub by going to the Insights tab of your repository, then to the Dependency Graph, and clicking the Export SBOM button in the top right.
- Scan an SPDX SBOM file, such as the `sbom.json` stored in the examples directory of the repo. The example `sbom.json` file there is an SBOM generated for the lodash repository: https://github.com/lodash/lodash
  ```shell
  scanbom "./examples/sbom.json"
  ```
- Scan a custom list in the following JSON format:
  ```json
  {
    "packages": [
      {
        "name": "lodash",
        "version": "4.0.0"
      },
      {
        "name": "mongoose",
        "version": "8.2.3"
      }
    ]
  }
  ```
  There is an example `input.json` file in the examples directory that can be scanned with:
  ```shell
  scanbom -j "./examples/input.json"
  ```
- Output raw JSON from the Semgrep scan and pipe it to other CLI tools or programs:
  ```shell
  scanbom -qo json "./examples/sbom.json"
  ```
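The custom list format above is handy when you want to scan only part of an SBOM (for example, only the npm packages that carry a pinned version) rather than everything GitHub exported. The script below is an added example, not part of the scanbom project: it reads an SPDX 2.x JSON document, keeps the versioned packages of one ecosystem, drops duplicates, and writes the `{"packages": [...]}` list that `scanbom -j` accepts. It assumes GitHub's export wraps the document in a top-level `sbom` key and prefixes package names with the ecosystem (`npm:lodash`); the sample document embedded in it is constructed for the example.

```python
import json
import re
import sys

# Constructed sample in the shape of an SPDX 2.3 JSON export. The top-level
# "sbom" wrapper and "ecosystem:name" package names mirror GitHub's Export
# SBOM output (assumption); bare SPDX documents are handled as well.
SAMPLE_SPDX = json.dumps({"sbom": {"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "com.github.example/app", "versionInfo": ""},  # the repo itself
    {"name": "npm:lodash", "versionInfo": "4.17.21", "externalRefs": [
        {"referenceType": "purl", "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
    {"name": "npm:mongoose", "versionInfo": "8.2.3", "externalRefs": [
        {"referenceType": "purl", "referenceLocator": "pkg:npm/mongoose@8.2.3"}]},
    {"name": "npm:lodash", "versionInfo": "4.17.21"},  # duplicate, no purl
    {"name": "pip:requests", "versionInfo": "2.31.0", "externalRefs": [
        {"referenceType": "purl", "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
]}})

NAME_PREFIX = re.compile(r"^[a-z]+:")  # "npm:lodash" -> "lodash"


def purl_type(pkg):
    """Ecosystem from the purl external ref ('npm', 'pypi', ...), else from the
    name prefix (note GitHub's prefix can differ from the purl type: pip vs pypi)."""
    for ref in pkg.get("externalRefs", []):
        m = re.match(r"pkg:([^/]+)/", ref.get("referenceLocator", ""))
        if ref.get("referenceType") == "purl" and m:
            return m.group(1)
    m = NAME_PREFIX.match(pkg.get("name", ""))
    return m.group(0)[:-1] if m else None


def spdx_to_scanbom(spdx_json, ecosystem="npm"):
    """Return the {"packages": [{"name", "version"}]} document scanbom -j reads,
    keeping only versioned packages of one ecosystem and dropping duplicates."""
    doc = json.loads(spdx_json)
    doc = doc.get("sbom", doc)  # unwrap GitHub's wrapper if present
    seen, packages = set(), []
    for pkg in doc.get("packages", []):
        version = pkg.get("versionInfo", "")
        if version in ("", "NOASSERTION") or purl_type(pkg) != ecosystem:
            continue  # nothing to check out, or not the ecosystem requested
        name = NAME_PREFIX.sub("", pkg["name"])
        if (name, version) not in seen:
            seen.add((name, version))
            packages.append({"name": name, "version": version})
    return {"packages": packages}


if __name__ == "__main__":
    # Usage: python spdx_to_scanbom.py sbom.json [ecosystem] > input.json
    with open(sys.argv[1]) as f:
        print(json.dumps(spdx_to_scanbom(f.read(), *sys.argv[2:3]), indent=2))
```

Feed the result straight into the tool with `scanbom -j input.json`; packages whose version is empty or `NOASSERTION` are skipped because there is no fixed revision to check out.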
You can download a pre-built binary directly from the latest release: https://github.com/osm6495/scanbom/releases
- Select the latest version at the top of the page and open the Assets section
- Download the file that applies to your system
- (Optional) Move the binary to your `/usr/bin` directory on Linux and Mac, or `C:\Program Files` on Windows. This will allow you to use the `scanbom` command without directly calling the binary or having the source code.
Alternatively, build the binary from source:
- Install Rust: http://rust-lang.org/
- Clone the repo
  ```shell
  git clone https://github.com/osm6495/scanbom
  cd scanbom
  ```
- Build the binary
  ```shell
  cargo build --release
  ```
- Run the program (the release binary is named `scanbom`, matching the move step below)
  ```shell
  ./target/release/scanbom -h
  ```
- (Optional) Move the binary to your `/usr/bin` directory on Linux and Mac, or `C:\Program Files` on Windows. This will allow you to use the `scanbom` command without directly calling the binary or having the source code.
  ```shell
  sudo mv ./target/release/scanbom /usr/bin/scanbom
  ```
- Add ability to include custom Semgrep rules
See the open issues for a full list of proposed features (and known issues).
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (`git checkout -b feature/AmazingFeature`)
- Commit your Changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the Branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
Distributed under the MIT License. See LICENSE.txt for more information.
Owen McCarthy - contact@owen.biz