Microsoft open sources its software bill of materials (SBOM) generation tool
Published Jul 28 2022 09:00 AM
Microsoft

Microsoft is excited and proud to open source its software bill of materials (SBOM) generation tool. SBOMs, a key requirement of the Executive Order on Improving the Nation’s Cybersecurity, are lists of the ingredients that make up software components; they provide software transparency so that organizations have insight into their supply chain dependencies.


Our SBOM tool is a general-purpose, enterprise-proven, build-time SBOM generator. It works across platforms, including Windows, Linux, and Mac, and emits the standard Software Package Data Exchange (SPDX) format. It integrates easily into existing builds and, using Component Detection, auto-detects NPM, NuGet, PyPI, CocoaPods, Maven, Golang, Rust Crates, RubyGems, Linux packages within containers, Gradle, Ivy, GitHub public repositories, and more.
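To show what a consumer of the tool's output can do with it, here is an added Python example (not part of this post or of sbom-tool itself) that parses an SPDX 2.2 JSON document, lists the dependencies a package declares through DEPENDS_ON relationships, and checks the recorded SHA256 file hashes against the bytes that actually shipped. The document, package names and hash values are constructed for the example; only the field names follow the SPDX 2.2 JSON schema.

```python
import hashlib
import json

# Constructed SPDX 2.2 JSON document shaped like the manifest.spdx.json that
# sbom-tool writes under _manifest/spdx_2.2/; all names and hashes are made up.
APP_BYTES = b"demo app binary"
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "demo-service 1.0.0",
    "files": [{"fileName": "./bin/app.dll", "SPDXID": "SPDXRef-File-0", "checksums": [
        {"algorithm": "SHA256", "checksumValue": hashlib.sha256(APP_BYTES).hexdigest()}]}],
    "packages": [
        {"SPDXID": "SPDXRef-RootPackage", "name": "demo-service", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-Package-A", "name": "left-pad", "versionInfo": "1.3.0"},
        {"SPDXID": "SPDXRef-Package-B", "name": "lodash", "versionInfo": "4.17.20"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-RootPackage"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-A"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-B"},
    ],
})

def load_sbom(text):
    """Parse an SPDX 2.x JSON document, rejecting anything else up front."""
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x document")
    return doc

def dependency_names(doc, package_id):
    """name@version of every package that package_id DEPENDS_ON (sorted)."""
    by_id = {p["SPDXID"]: p for p in doc.get("packages", [])}
    deps = [by_id[r["relatedSpdxElement"]] for r in doc.get("relationships", [])
            if r["relationshipType"] == "DEPENDS_ON" and r["spdxElementId"] == package_id]
    return sorted(f'{p["name"]}@{p["versionInfo"]}' for p in deps)

def verify_file_hashes(doc, shipped):
    """Return file names whose recorded SHA256 does not match `shipped` (fileName -> bytes)."""
    bad = []
    for f in doc.get("files", []):
        recorded = {c["algorithm"]: c["checksumValue"] for c in f.get("checksums", [])}
        data = shipped.get(f["fileName"])
        if data is None or hashlib.sha256(data).hexdigest() != recorded.get("SHA256"):
            bad.append(f["fileName"])
    return bad
```

A missing file is reported alongside a tampered one, since an SBOM that lists an artifact the release no longer contains is just as much a mismatch as a changed hash.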


We'd love for you to try our SBOM tool. Please read the guidelines to learn more about contributing and follow these instructions to generate an SBOM. If you want to share any feedback and/or report any bugs, please feel free to do so via discussions and issues. Your feedback will help shape the future of our SBOM tool and ensure supply chain security for all. If you find the tool useful, we’d love a star on the microsoft/sbom-tool GitHub repo. 
