sbomqs is the industry-leading tool for evaluating SBOM quality, ensuring compliance, and managing your software supply chain security. From quality scoring to compliance validation, component analysis to vulnerability tracking - sbomqs provides everything you need to work with SBOMs effectively.
> "sbomqs is listed as a relevant tool in the SBOM ecosystem" - SBOM Generation White Paper, 2025

```bash
# Install via Homebrew
brew tap interlynk-io/interlynk
brew install sbomqs

# Get your first quality score
sbomqs score your-sbom.json
```
- Why sbomqs?
- Key Features
- sbomqs Blog
- Getting Started
- Industry Use Cases
- Advanced Features
- Command Reference
- SBOM Card
- SBOM Platform - Free Community Tier
- Installation
- Contributions
- Other SBOM Open Source tools
- Contact
- Stargazers
## Why sbomqs?

In today's software landscape, understanding and managing your software supply chain is critical. Whether you're in healthcare dealing with FDA requirements, automotive following NHTSA guidelines, or any regulated industry, sbomqs helps you:
- Instantly assess SBOM quality - Know if your SBOMs meet quality standards
- Ensure compliance - Validate against BSI, NTIA, FSCT, and industry standards
- Find vulnerabilities - Identify components missing security identifiers
- Automate workflows - Integrate into CI/CD pipelines with ease
- Share results - Generate shareable reports and quality scores
## Key Features

- Multi-Standard Support: SPDX, CycloneDX, SWID (coming soon)
- Compliance Validation: BSI TR-03183-2 (v1.1 & v2.0), FSCT v3, OpenChain Telco, NTIA
- Quality Scoring: 0-10 scale with detailed breakdowns
- Component Analysis: List, filter, and analyze SBOM components
- Integration Ready: Docker, CI/CD, Dependency-Track, GitHub Actions
- Shareable Reports: Generate public quality score links
- Air-Gapped Support: Works in isolated environments
## sbomqs Blog

- What's Missing in Your SBOM? sbomqs list can help you in inspecting...
- sbomqs scoring support for BSI-1.1 and BSI-2.0 in a summarized way
## Getting Started

sbomqs makes it easy to get started with SBOM quality assessment. Here are the most common use cases:

```bash
# Get a quick quality score (0-10 scale)
sbomqs score my-application.spdx.json
# Output:
# 7.8 my-application.spdx.json

# Get detailed scoring breakdown
sbomqs score my-application.spdx.json --detailed

# See which categories are affecting your score
sbomqs score my-application.spdx.json --category ntia

# Check if your SBOM meets regulatory requirements
sbomqs compliance --bsi-v2 my-application.spdx.json
sbomqs compliance --fsct my-application.spdx.json
```
Here are the commands you'll use most often:

```bash
# Quality scoring
sbomqs score <sbom-file>                      # Basic score
sbomqs score <sbom-file> --detailed           # Detailed breakdown
sbomqs score <sbom-file> --json               # JSON output for automation

# Compliance checking
sbomqs compliance --bsi-v2 <sbom-file>        # BSI TR-03183-2 v2.0
sbomqs compliance --fsct <sbom-file>          # FSCT v3 compliance

# Component listing
sbomqs list <sbom-file> --feature comp_with_licenses   # Components with licenses
sbomqs list <sbom-file> --feature comp_with_version    # Components with versions

# Sharing
sbomqs share <sbom-file>                      # Get a shareable link
```
## Industry Use Cases

sbomqs addresses critical needs across various industries:

The FDA requires SBOMs for medical device submissions. Use sbomqs to:

```bash
# Validate FDA compliance requirements
sbomqs score medical-device.spdx.json --category ntia

# Check for components without versions (critical for vulnerability tracking)
sbomqs list medical-device.spdx.json --feature comp_with_version --missing

# Generate compliance report for FDA submission
sbomqs compliance --fsct medical-device.spdx.json > fda-compliance-report.json
```
Real-world example: A medical device manufacturer uses sbomqs in their CI/CD pipeline to ensure all software releases meet FDA's SBOM requirements before submission.
Following NHTSA's cybersecurity guidelines, automotive manufacturers need comprehensive SBOMs:

```bash
# Check automotive ECU software SBOM
sbomqs score ecu-software.cdx.json --detailed

# List all components with security identifiers (CPE/PURL)
sbomqs list ecu-software.cdx.json --feature comp_with_cpes --show

# Validate against industry standards
sbomqs compliance --bsi-v2 ecu-software.cdx.json
```
Meeting DORA and PCI DSS requirements for software transparency:

```bash
# Assess payment system SBOM quality
sbomqs score payment-system.spdx.json

# Check for components with valid licenses
sbomqs list payment-system.spdx.json --feature comp_valid_licenses --show

# Generate compliance evidence
sbomqs compliance --fsct payment-system.spdx.json --output-format json
```
Ensuring critical infrastructure security:

```bash
# Validate NTIA minimum elements
sbomqs score --category ntia telecom-app.cdx.json

# Check OpenChain Telco compliance
sbomqs compliance --telco telecom-app.cdx.json
```
## Advanced Features

sbomqs supports multiple compliance standards with detailed reporting:

```bash
# Full compliance check with detailed report
sbomqs compliance --bsi-v2 application.spdx.json
# Output includes:
# - Total score and breakdown
# - Required vs optional elements
# - Specific missing fields
# - Recommendations for improvement

# FSCT compliance with color-coded output
sbomqs compliance --fsct application.spdx.json --color

# Generate machine-readable report
sbomqs compliance --fsct application.spdx.json --json > fsct-report.json
```

Detailed Compliance Documentation
Powerful filtering and analysis capabilities:

```bash
# Find components without suppliers (supply chain risk)
sbomqs list app.spdx.json --feature comp_with_supplier --missing

# Show all license values for validation
sbomqs list app.spdx.json --feature comp_valid_licenses --show

# Export component list for further analysis
sbomqs list app.spdx.json --feature comp_with_purls --show --json > components.json
```

Available features for analysis:

- `comp_with_supplier` - Supply chain transparency
- `comp_with_licenses` - License compliance
- `comp_valid_licenses` - License validation
- `comp_with_version` - Vulnerability management
- `comp_with_purls` - Package identification
- `comp_with_cpes` - CVE matching
- `comp_with_checksums` - Integrity verification

Detailed List Command Documentation
```yaml
# GitHub Actions example
- name: Check SBOM Quality
  run: |
    sbomqs score ${{ github.workspace }}/sbom.json --json > sbom-score.json
    score=$(jq '.avg_score' sbom-score.json)
    if (( $(echo "$score < 7" | bc -l) )); then
      echo "SBOM quality score too low: $score"
      exit 1
    fi
```
```bash
# Score all projects in Dependency-Track
sbomqs dtrackScore -u "https://dtrack.company.com" \
  -k "$DT_API_KEY" \
  "project-uuid"

# Automated labeling based on quality scores
sbomqs dtrackScore --label-prefix "sbom-quality" \
  --min-score 7.0 \
  "project-uuid"
```

```bash
# Scan container SBOM
docker sbom nginx:latest | sbomqs score -

# Batch process multiple containers
for image in $(docker images --format "{{.Repository}}:{{.Tag}}"); do
  echo "Scoring $image"
  docker sbom "$image" | sbomqs score - --basic
done
```

Detailed Integration Documentation
```bash
# Generate configuration file
sbomqs generate features > my-profile.yaml

# Edit profile to enable/disable specific checks
# Then use custom profile
sbomqs score app.spdx.json --configpath my-profile.yaml

# Focus on specific categories
sbomqs score app.spdx.json --category ntia       # NTIA compliance only
sbomqs score app.spdx.json --category quality    # Quality metrics only
sbomqs score app.spdx.json --category bsi-v2.0   # BSI v2.0 scoring

# JSON for automation
sbomqs score app.spdx.json --json

# Detailed table format
sbomqs score app.spdx.json --detailed

# Basic score only
sbomqs score app.spdx.json --basic
```

Detailed Customization Documentation
## Command Reference

| Command | Description | Documentation |
|---|---|---|
| `score` | Calculate SBOM quality score | Details |
| `compliance` | Check regulatory compliance | Details |
| `list` | List and filter components | Details |
| `share` | Generate shareable report link | Details |
| `dtrackScore` | Dependency-Track integration | Details |
| `generate` | Generate configuration files | Details |
| `version` | Display version information | Details |
```bash
# Score multiple SBOMs at once
sbomqs score *.json --basic

# Check compliance for all SBOMs in a directory
for sbom in ./sboms/*.json; do
  sbomqs compliance --bsi-v2 "$sbom" > "reports/$(basename "$sbom" .json)-compliance.json"
done

# Air-gapped environment usage
INTERLYNK_DISABLE_VERSION_CHECK=true sbomqs score app.spdx.json
```
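The batch loop above writes reports but does not fail the pipeline when a score is too low. The following script is an added example (not code from the sbomqs project) that turns `sbomqs score --basic` output into a pass/fail gate for a whole directory of SBOMs. It assumes, based on the sample output shown earlier in this README (`7.8 my-application.spdx.json`), that `--basic` prints one `<score> <file>` line per SBOM; the `score_directory` and `gate_scores` function names and the sample score lines are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not part of the sbomqs project.
# Gate a batch of SBOMs on their sbomqs quality score.
# Assumption: `sbomqs score --basic` prints one line per SBOM in the form
# "<score> <file>", matching the README's sample output.
set -eu

# gate_scores THRESHOLD
#   Reads "<score> <file>" lines on stdin, prints PASS/FAIL per SBOM and a
#   summary, and exits 1 if any score is below THRESHOLD (2 if no score
#   lines were found, e.g. because sbomqs produced an error instead).
gate_scores() {
  local threshold="$1"
  awk -v min="$threshold" '
    # Only lines whose first field is a number are score lines; anything
    # else (warnings, version-check notices) is ignored rather than parsed.
    NF >= 2 && $1 ~ /^[0-9]+(\.[0-9]+)?$/ {
      total++
      if ($1 + 0 < min + 0) {
        failed++
        printf "FAIL %s (score %s < %s)\n", $2, $1, min
      } else {
        printf "PASS %s (score %s)\n", $2, $1
      }
    }
    END {
      if (total == 0) {
        print "ERROR: no score lines found in sbomqs output" > "/dev/stderr"
        exit 2
      }
      printf "%d of %d SBOMs below threshold %s\n", failed + 0, total, min
      exit (failed > 0 ? 1 : 0)
    }'
}

# score_directory DIR [THRESHOLD]
#   Scores every JSON SBOM in DIR with sbomqs and gates the batch.
#   This is the function to call from CI; the default threshold of 7
#   mirrors the GitHub Actions example above.
score_directory() {
  local dir="$1" threshold="${2:-7}"
  sbomqs score "$dir"/*.json --basic | gate_scores "$threshold"
}

# Constructed sample output (not real sbomqs output) so the gate can be
# exercised without sbomqs installed.
sample_scores() {
  printf '%s\n' \
    '7.8 my-application.spdx.json' \
    '5.2 legacy-service.cdx.json' \
    '9.1 payment-system.spdx.json'
}

# Usage in CI:
#   score_directory ./sboms 7     # exits non-zero when any SBOM scores below 7
# Dry run against the constructed sample:
#   sample_scores | gate_scores 7
```

Because the gate reads the text format rather than `--json`, it works unchanged in the container pipeline shown earlier (`docker sbom "$image" | sbomqs score - --basic`), and the non-zero exit code is what makes a CI job fail.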
## SBOM Platform - Free Community Tier

Our SBOM Automation Platform has a free community tier that provides a comprehensive solution to manage SBOMs (Software Bill of Materials) effortlessly. It offers centralized SBOM storage, a built-in SBOM editor, continuous vulnerability mapping and assessment, and support for organizational policies, all while ensuring compliance and enhancing software supply chain security using integrated SBOM quality scores. The community tier is ideal for small teams. Learn more here or Sign up
## Installation

```bash
# Homebrew
brew tap interlynk-io/interlynk
brew install sbomqs

# Go
go install github.com/interlynk-io/sbomqs@latest

# Docker
docker run -v "$(pwd)":/app ghcr.io/interlynk-io/sbomqs score /app/your-sbom.json
```

Download from GitHub Releases

```bash
# Build from source
git clone https://github.com/interlynk-io/sbomqs.git
cd sbomqs
make build
./build/sbomqs version
```

Detailed Installation Guide
## Contributions

We welcome contributions! Here's how to get started:

- Fork the repository
- Create your feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -sam 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request

Please ensure:

- All commits are signed
- Tests pass (`make test`)
- Code follows our style guide (`make lint`)
sbomqs has gained significant adoption across the industry for SBOM quality assessment and compliance validation:
- Harness Software Supply Chain Assurance (SSCA) - Harness, the leader in AI-powered Modern CI/CD, uses sbomqs to power their SBOM quality scoring, providing quality scores from 1-10 for generated SBOMs with SBOM drift detection capabilities.
- SBOM Benchmark Platform - Uses the sbomqs engine for scoring CycloneDX and SPDX SBOMs, providing shareable quality reports without requiring SBOM uploads.
sbomqs integrates seamlessly with major CI/CD platforms:
- GitHub Actions - Native Docker support via `ghcr.io/interlynk-io/sbomqs`
- Jenkins - Feature request for Dependency-Track plugin integration
- Docker/Kubernetes - Official container image for containerized workflows
- GitLab CI, Azure DevOps, CircleCI - Compatible via Docker or command-line execution
Available through multiple package managers for easy installation:
- Homebrew (`brew install sbomqs`)
- Go modules (`go install`)
- Docker Hub & GitHub Container Registry
- Uniget tools repository
Trusted for validating compliance with major standards:
- NTIA Minimum Elements
- BSI TR-03183-2 (v1.1 & v2.0)
- OpenChain Telco (OCT)
- Framing Software Component Transparency (FSCT v3)
## Other SBOM Open Source tools

Interlynk provides a comprehensive suite of SBOM tools:
- SBOM Assembler - Merge and edit SBOMs conditionally
- SBOM Explorer - Search and download SBOMs from public repositories
- SBOM Search Tool - Context-aware SBOM repository search
- SBOM Seamless Transfer - Transfer SBOMs between systems
- SBOM Benchmark - Repository of SBOM quality scores for popular containers
## Contact

We're here to help! Reach out through:

- Community Slack - Get answers from the community
- Live Chat - Talk to our team
- Email - Direct support
- GitHub Issues - Report bugs or request features
- Follow us on X - Latest updates

## Stargazers

If sbomqs helps you improve your SBOM quality and compliance, please star this repository!

sbomqs - Building trust in software supply chains, one SBOM at a time.

Made with ❤️ by Interlynk.io