ChatSBOM - Talk to your Supply Chain. Chat with SBOMs.
Project description
ChatSBOM is a CLI tool for deep insights into Software Bill of Materials (SBOM) data.
Motivation
GitHub's Dependency Graph shows which repositories depend on your project, but there's no way to sort dependents by stars (isaacs/github#1537). This makes it difficult for maintainers of popular packages to identify their most important downstream users. ChatSBOM solves this by collecting and indexing SBOM data, enabling queries like "which popular projects use my library?"
Key Features
- Collect: Find high-quality repos on GitHub (stars/language)
- Download: Fetch dependency files (go.mod, package.json, etc.)
- Convert: Transform files to standard SBOM format using Syft
- Index: Load SBOM data into ClickHouse database
- Status: View database statistics and insights
- Query: Search for library dependencies via CLI
- Chat: AI-powered natural language queries
Quick Start
Prerequisites
- uv - Python package manager for fast installation and execution of the CLI tool
- syft - SBOM generation tool for extracting dependency data from project files
- docker - Container runtime for running infrastructure services
- docker-compose - Container orchestration tool for managing multi-container deployments
- clickhouse - Columnar database for storing and querying SBOM metadata efficiently
Usage
Install uv:

```bash
curl -LsSf https://astral.sh/uv/install.sh | sh
```

Run commands directly with uvx:

```bash
# 1. Collect repository links from GitHub (e.g., top Go repos)
uvx chatsbom collect --language go --min-stars 10000
# 2. Download dependency files
uvx chatsbom download --language go
# 3. Convert to standard SBOM format
uvx chatsbom convert --language go
# 4. Index SBOM data into database
uvx chatsbom index --language go
# 5. Show database statistics
uvx chatsbom status
# 6. Query dependencies
uvx chatsbom query gin --language go
# 7. Launch AI chat interface
uvx chatsbom chat
```
Architecture
ChatSBOM follows a clean, modular architecture with high cohesion and low coupling:
Command Flow
```text
collect → download → convert → index → status/query/chat
   ↓          ↓          ↓         ↓
 .jsonl     files/    sbom.json  database
```

Each stage writes the artifact consumed by the next: collect produces .jsonl repository lists, download fetches the dependency files, convert emits sbom.json per repository, and index loads the SBOMs into the database that status, query and chat read.
Core Modules
- chatsbom.core.config: Centralized configuration management
  - Path conventions (data directories, file naming)
  - Database connection settings
  - GitHub API configuration
- chatsbom.core.repository: Data access layer (Repository Pattern)
  - Abstracts all database operations
  - Uses generators for memory-efficient data streaming
  - Supports batch operations for large datasets
- chatsbom.core.validation: Data validation utilities
  - Validates data flow between commands
  - Ensures data integrity
- chatsbom.commands.*: CLI commands (7 commands)
  - Each command has a single responsibility
  - Decoupled through configuration and repository layers
Use Cases
Asking the AI agent to retrieve the top 10 projects that use the gin framework.
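The query that the Motivation and Use Cases sections describe ("which popular projects use my library?"), worked through as an added example that is not code from the ChatSBOM project: a few constructed Syft-style SBOM documents are inverted into a package-to-repositories index in memory (standing in for the ClickHouse tables), then ranked by stars. It assumes Syft's JSON layout of packages under an "artifacts" list with "name", "version" and "type" keys; the repository metadata, the SBOM contents and all function names are constructed for the example.

```python
"""Added example, not code from the ChatSBOM project: answer "which popular
projects use my library?" over constructed Syft-style SBOMs held in memory.

Assumptions: Syft JSON lists packages under "artifacts", each with "name",
"version" and "type"; stars and language per repository are what the collect
step gathers, constructed inline here. Function names are the example's own."""
import json
from collections import defaultdict

# Constructed repository metadata (what `collect` would have recorded).
REPOS = {
    "org/api-gateway": {"stars": 42000, "language": "go"},
    "org/cli-tool": {"stars": 12000, "language": "go"},
    "org/legacy-web": {"stars": 9000, "language": "go"},
    "org/tiny-demo": {"stars": 300, "language": "go"},
    "org/rust-proxy": {"stars": 20000, "language": "rust"},
}


def sbom(*artifacts):
    """Build a minimal Syft-style SBOM document from (name, version, type) tuples."""
    return json.dumps({"artifacts": [
        {"name": n, "version": v, "type": t} for n, v, t in artifacts]})


# Constructed SBOMs keyed by repo (what `convert` would have written to sbom.json).
SBOMS = {
    "org/api-gateway": sbom(("github.com/gin-gonic/gin", "v1.9.1", "go-module"),
                            ("github.com/spf13/cobra", "v1.8.0", "go-module")),
    "org/cli-tool": sbom(("github.com/spf13/cobra", "v1.8.0", "go-module")),
    "org/legacy-web": sbom(("github.com/gin-gonic/gin", "v1.7.0", "go-module")),
    "org/tiny-demo": sbom(("github.com/gin-gonic/gin", "v1.9.1", "go-module")),
    # A constructed crate sharing the short name: shows why --language matters.
    "org/rust-proxy": sbom(("gin", "0.3.0", "rust-crate")),
}


def iter_artifacts(sbom_json):
    """Yield (name, version, type) from one SBOM document; a generator, so a
    large corpus can be streamed instead of loaded at once."""
    for art in json.loads(sbom_json).get("artifacts", []):
        yield art.get("name", ""), art.get("version", ""), art.get("type", "")


def build_index(sboms):
    """Invert the SBOMs into package name -> {repo: version}."""
    index = defaultdict(dict)
    for repo, doc in sboms.items():
        for name, version, _ in iter_artifacts(doc):
            index[name][repo] = version
    return index


def top_dependents(index, repos, package, language=None, limit=10):
    """Repos that depend on `package`, most-starred first. A short query such
    as "gin" matches the exact name or a module path ending in "/gin"."""
    hits = []
    for name, users in index.items():
        if name != package and not name.endswith("/" + package):
            continue
        for repo, version in users.items():
            meta = repos.get(repo, {})
            if language and meta.get("language") != language:
                continue
            hits.append((repo, meta.get("stars", 0), name, version))
    hits.sort(key=lambda h: (-h[1], h[0]))  # stars descending, then name
    return hits[:limit]


if __name__ == "__main__":
    idx = build_index(SBOMS)
    for repo, stars, name, version in top_dependents(idx, REPOS, "gin", language="go"):
        print(f"{stars:>6}  {repo:<18} {name}@{version}")
```

The language filter is not cosmetic: package short names collide across ecosystems, so a query for "gin" without `--language go` would rank the constructed Rust crate among the Go framework's users and skew the answer.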
Download files
File details
Details for the file chatsbom-0.2.8.tar.gz.
File metadata
- Download URL: chatsbom-0.2.8.tar.gz
- Upload date:
- Size: 3.3 MB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.10.0 {"installer":{"name":"uv","version":"0.10.0","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 34b3fac18e1a3f11a2351aff99c08a656ec6059c5cd05bd68a8acca63bd34b82 |
| MD5 | f50463cecf9ba30bc769f35ca82468c2 |
| BLAKE2b-256 | 8e14e45829b787725de4b67a20bfbb3287e7f6f54e16b3112f9375db7396da0a |
File details
Details for the file chatsbom-0.2.8-py3-none-any.whl.
File metadata
- Download URL: chatsbom-0.2.8-py3-none-any.whl
- Upload date:
- Size: 36.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.10.0 {"installer":{"name":"uv","version":"0.10.0","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 4f684acda26aaca72092bad97413587d1d3cd7a782325194114e1b7756909f0a |
| MD5 | f9bc7aeff23fd1a28d13f7eda13f0e6f |
| BLAKE2b-256 | bdff55a2ab5af5013d799585635357a8f7aed4300da62ca87e64cb56011b35cd |
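The digests in the two File hashes tables above are what a downloader should check a fetched release file against before installing it. The following is an added example, not part of the ChatSBOM project or of PyPI's tooling: it recomputes SHA256, MD5 and BLAKE2b-256 (blake2b with a 32-byte digest) over a local file and compares them with the published values from this page; the local file path is an assumption, and the verdict deliberately rests only on the SHA256 and BLAKE2b digests, since MD5 is not collision-resistant.

```python
"""Added example, not part of the ChatSBOM project: check a downloaded release
file against the digests published on this page before installing it.
The digests are copied from the File hashes tables; the local path is assumed."""
import hashlib
import hmac
from pathlib import Path

# Digests as published for chatsbom 0.2.8 (from the tables on this page).
PUBLISHED = {
    "chatsbom-0.2.8.tar.gz": {
        "sha256": "34b3fac18e1a3f11a2351aff99c08a656ec6059c5cd05bd68a8acca63bd34b82",
        "md5": "f50463cecf9ba30bc769f35ca82468c2",
        "blake2b_256": "8e14e45829b787725de4b67a20bfbb3287e7f6f54e16b3112f9375db7396da0a",
    },
    "chatsbom-0.2.8-py3-none-any.whl": {
        "sha256": "4f684acda26aaca72092bad97413587d1d3cd7a782325194114e1b7756909f0a",
        "md5": "f9bc7aeff23fd1a28d13f7eda13f0e6f",
        "blake2b_256": "bdff55a2ab5af5013d799585635357a8f7aed4300da62ca87e64cb56011b35cd",
    },
}

# Algorithms whose match counts as evidence; MD5 is reported but not trusted,
# because it is not collision-resistant.
STRONG = ("sha256", "blake2b_256")


def compute_digests(data: bytes) -> dict:
    """SHA256, MD5 and BLAKE2b-256 (blake2b with a 32-byte digest) hex digests."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "blake2b_256": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }


def verify_digests(data: bytes, expected: dict) -> dict:
    """Compare each published digest with the computed one; returns {alg: matched}.
    Unknown algorithm names are ignored; comparison is constant-time by habit."""
    actual = compute_digests(data)
    return {alg: hmac.compare_digest(actual[alg], digest.lower())
            for alg, digest in expected.items() if alg in actual}


def verdict(results: dict) -> bool:
    """Accept only if every strong digest was both published and matched."""
    return all(results.get(alg) is True for alg in STRONG)


def verify_file(path) -> tuple:
    """Verify a local copy of one of the published files, selected by file name."""
    name = Path(path).name
    results = verify_digests(Path(path).read_bytes(), PUBLISHED[name])
    return verdict(results), results


if __name__ == "__main__":
    import sys
    # Assumed usage: python verify.py ./chatsbom-0.2.8.tar.gz
    ok, results = verify_file(sys.argv[1])
    print("OK" if ok else "MISMATCH", results)
    sys.exit(0 if ok else 1)
```

A file whose MD5 matches but whose SHA256 does not is rejected; a metadata record that publishes only MD5 is rejected too, because `verdict` requires the strong digests to be present, not merely not contradicted.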