Skip to main content

Inspects software bills of materials for ECZ-ID configuration references.

Project description

ECZ-ID SBOM Inspection

You have a CycloneDX or SPDX bill of materials and you want a fast, honest, offline answer to one question: does this SBOM carry an ECZ-ID configuration reference, and what does its inventory actually declare? ecz-id-sbom reads the document where it sits, reports what it observes, and routes you to the right place for anything beyond reading. It inspects, explains and routes only.

It never issues or activates an ECZ-ID, never determines BOUND, never calculates carts or prices, never creates proof, and never executes discovered project, agent, MCP or robot code. It is not a safety, approval, compliance, insurance or premium decision, and it is not a vulnerability assessment. It does not claim complete dependency discovery. Missing public proof is neutral: it carries no negative meaning and does not imply risk. Local policy decides. Re-check before reliance.

One-command first run

No account, no network, no configuration required. Run it straight from PyPI:

$ uvx ecz-id-sbom inspect .
# or
$ pipx run ecz-id-sbom inspect .

Or, once installed (pip install ecz-id-sbom):

$ ecz-id-sbom inspect ./path/to/project

Example result

ECZ-ID inspection: ./path/to/project [ecz-id-sbom]
A. configuration posture : PRESENT
B. public proof posture  : NOT_CHECKED  (neutral)
means        : Local ECZ-ID configuration was found for this subject. | Public Resolver proof was not checked.
does not mean: (neutral — see "What this does not mean" below)
reason codes : ECZ-1000, ECZ-2002

Findings are neutral and bounded — the format, spec version, inventory counts, attribute presence and any declared ECZ-ID identity hint — never a dump of the document. The optional public check is strictly opt-in (--check-public), so first runs are network-silent. A completed inspection always exits 0, whatever the posture.

Supported inputs

  • CycloneDX JSONbom.json, sbom.json, *.cdx.json, sample_sbom.cdx.json.
  • CycloneDX XMLbom.xml, *.cdx.xml (stdlib parser only).
  • SPDX JSON*.spdx.json.

Point it at a directory (bounded, symlink-refusing enumeration finds the first matching document) or at a single SBOM file.

Free capabilities

  • Format and spec-version detection (bomFormat / specVersion for CycloneDX; spdxVersion / SPDXID for SPDX).
  • Inventory count and per-item attribute presence — PURL, version, supplier, licence and checksum (counts, not contents).
  • ECZ-ID identity-hint discovery (ecz-id.identity_hint in properties or annotations, or a top-level identity_hint).
  • Declared product / release / repository / package relationship signals and provenance / attestation observations (presence and counts).
  • Neutral drift between two SBOMs (compare), and JSON, Markdown, text and SARIF output.
  • Fully offline: --offline or ECZ_ID_OFFLINE=1 skips every network call.

Unsupported inputs

  • It does not fetch remote SBOMs or resolve dependency graphs against package registries.
  • It does not score, rank or assess vulnerabilities.
  • It does not import, render or run anything it finds.
  • XML DTDs and entities are rejected, never expanded. A document declaring <!DOCTYPE or <!ENTITY is reported as a neutral INVALID posture and read no further, so entity-expansion tricks cannot execute.

What this means / what this does not mean

Means: a local, read-only observation of what the SBOM declares, plus an optional read-only look at public Resolver evidence.

Does not mean: it is not a safety, approval, compliance, insurance or premium decision. It is not a vulnerability assessment and does not claim to have discovered every dependency. A PRESENT posture does not mean the configuration is activated, bound or approved. Absence of public proof is neutral — it carries no negative meaning. Local policy decides; re-check before reliance.

Compare / drift

Show the neutral difference between a baseline SBOM and a current one:

$ ecz-id-sbom compare ./old ./new --json

It reports posture changes, added and removed reason codes, and added and removed findings — nothing more.

CI use

$ ecz-id-sbom inspect . --json > ecz-id-sbom.json    # exit 0 for any completed inspection
$ ecz-id-sbom inspect . --sarif > ecz-id-sbom.sarif  # SARIF 2.1.0 for code scanning
$ ecz-id-sbom doctor --json                            # environment / parser self-check

--sarif emits a SARIF 2.1.0 document whose findings are neutral note-level results, ready to upload to a code-scanning dashboard. Exit code is 0 for every completed inspection regardless of posture; non-zero only for genuine input or tool errors.

Machine-readable integration

Machine Interface · Manifest · Resolver · Operator setup · Developer guidance

Each installation includes structured machine-readable metadata for automation, CI and supported integrations. Every JSON report embeds a compact machine_interface object carrying the canonical roots and the safe, read-only actions.

The package runs locally to inspect, explain and route. It does not issue an ECZ-ID, write canonical truth, create public proof, price a cart, or replace Resolver proof.

$ ecz-id-sbom manifest --json      # structured machine-readable manifest
$ ecz-id-sbom capabilities --json  # Central Machine Interface manifest
$ ecz-id-sbom recheck . --json     # re-inspect with an opt-in public re-check

Operator setup, acquisition, lifecycle and repair happen in TrustOps — this package only routes you there.

Privacy

Bounded, read-only, local inspection. No telemetry, no source upload, and it never follows symlinks or escapes the inspected root. The optional public check sends a lookup key only, over HTTPS, to the validated Resolver host. Likely secrets are redacted from every export.

Continue with ECZ-ID

Licence and trademarks

Apache-2.0 (see LICENSE, NOTICE). The code licence grants no trademark rights; "ECZ-ID" and "EcoCitizenz" are trademarks of their owner(s) — see TRADEMARKS.md. Changelog: CHANGELOG.md. Security policy: SECURITY.md.

CLI: ecz-id-sbom  |  Import: ecz_id_sbom  |  Plugin group: ecz_id.plugins

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ecz_id_sbom-0.1.1.tar.gz (18.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ecz_id_sbom-0.1.1-py3-none-any.whl (19.1 kB view details)

Uploaded Python 3

File details

Details for the file ecz_id_sbom-0.1.1.tar.gz.

File metadata

  • Download URL: ecz_id_sbom-0.1.1.tar.gz
  • Upload date:
  • Size: 18.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for ecz_id_sbom-0.1.1.tar.gz
Algorithm Hash digest
SHA256 e8ad01cc377d8258032b2846376cddbb8d440b93ed9a8f6afa89cf36ac71f9fe
MD5 eccb6838f36fceebd2b9f5ed3bc19eb2
BLAKE2b-256 60e4cb23ee30d1e2a4295e2a50862719f9beb075a060405f63c3f43502a27e5c

See more details on using hashes here.

Provenance

The following attestation bundles were made for ecz_id_sbom-0.1.1.tar.gz:

Publisher: publish-ecz-id-sbom.yml on Ecocitizenz/ecz-id-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ecz_id_sbom-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: ecz_id_sbom-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 19.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for ecz_id_sbom-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 c15d285d8a9b0e708a06ba69099fc92be3ee6749548dd5776fc8a454561bfbc8
MD5 45f74d2173733c89f573b8162f5d36c6
BLAKE2b-256 2951ed1904e1f6a13093b522a2f5a22c5948f2f421022434dd742b8039f62c32

See more details on using hashes here.

Provenance

The following attestation bundles were made for ecz_id_sbom-0.1.1-py3-none-any.whl:

Publisher: publish-ecz-id-sbom.yml on Ecocitizenz/ecz-id-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page