CLI tu dong sinh SBOM cho project Python, Node.js va Docker image (wrap syft)
Project description
evo-sbom
A CLI that automatically generates SBOMs (Software Bill of Materials) for Python projects, Node.js projects, and Docker images.
evo-sbom is a UX layer (click + rich) wrapped around syft. The syft binary is downloaded automatically into ~/.evo-sbom/bin on first run (the version is pinned in src/evo_sbom/config.py).
Installation
From PyPI:
pip install evo-sbom
# or
uv tool install evo-sbom
From source:
uv sync
Usage
# Auto-detect Python / Node.js and generate both CycloneDX + SPDX
uv run evo-sbom scan .
# Scan a GitHub repo directly (cloned to a temp dir, then removed)
uv run evo-sbom scan maycuatroi1/evo-cli
uv run evo-sbom scan https://github.com/owner/repo
uv run evo-sbom scan owner/repo --branch dev
# Force the project type
uv run evo-sbom python ./my-python-app
uv run evo-sbom node ./my-node-app
# Docker image (image ref, docker-archive:, or oci-archive:)
uv run evo-sbom docker alpine:latest
uv run evo-sbom docker docker-archive:./image.tar
# Check / install the syft engine
uv run evo-sbom doctor
Common flags
-b, --branchbranch to clone (GitHub repo input onscanonly).-f, --format [cyclonedx|spdx|both](defaultboth).-o, --output PREFIX(defaultsbom) producessbom.cdx.json,sbom.spdx.json.--quietprints only the written file paths (for CI).
Output
*.cdx.json- CycloneDX JSON*.spdx.json- SPDX 2.3 JSON
Notes on unpinned dependencies
If a Python project declares its dependencies without pinned versions (no ==),
leaves pyproject.toml dependencies empty, or has no lock file, a source-directory
scan yields no Python packages, because syft needs resolved versions to catalog them.
In that case scan a resolved environment instead:
- Build the project's Docker image (its Dockerfile usually runs
pip install -r requirements.txt) and runevo-sbom docker <image>. This also captures OS/apt and base-image packages. - Or create a fresh virtualenv, install the project into it, and run
evo-sbom python <venv>.
Development
uv run pytest
Releasing
Pushing to main triggers .github/workflows/release.yml, which bumps the
version, builds, and publishes to PyPI via Trusted Publishing (OIDC, no token).
The bump type is derived from the latest commit message:
BREAKING CHANGEin the message -> major- message starting with
feat-> minor - anything else -> patch
A matching vX.Y.Z tag and GitHub Release are created automatically.
One-time PyPI setup (Trusted Publishing): on pypi.org create a pending publisher
for project evo-sbom with owner maycuatroi1, repo evo-sbom, workflow
release.yml.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file evo_sbom-0.1.1.tar.gz.
File metadata
- Download URL: evo_sbom-0.1.1.tar.gz
- Upload date:
- Size: 17.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
857f3f2fd9556486cd6ced4ce25535dd892ed95cee81be664fec97a512f4a299
|
|
| MD5 |
ecefde7b0aacc13bafa30395d977acfa
|
|
| BLAKE2b-256 |
62bc788f5af5ad16865e47c27924c9e01065a5bd3d6eecbbcc90d4b5dc9fb578
|
Provenance
The following attestation bundles were made for evo_sbom-0.1.1.tar.gz:
Publisher:
release.yml on maycuatroi1/evo-sbom
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
evo_sbom-0.1.1.tar.gz -
Subject digest:
857f3f2fd9556486cd6ced4ce25535dd892ed95cee81be664fec97a512f4a299 - Sigstore transparency entry: 1684242404
- Sigstore integration time:
-
Permalink:
maycuatroi1/evo-sbom@afd57289a140a196d05ad3d48a54ae6171f24a3f -
Branch / Tag:
refs/heads/main - Owner: https://github.com/maycuatroi1
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@afd57289a140a196d05ad3d48a54ae6171f24a3f -
Trigger Event:
push
-
Statement type:
File details
Details for the file evo_sbom-0.1.1-py3-none-any.whl.
File metadata
- Download URL: evo_sbom-0.1.1-py3-none-any.whl
- Upload date:
- Size: 9.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
779b62e742145fbf75dbb2fc0a785619065f91e6fc05cc16a1773fed3cd601a8
|
|
| MD5 |
695d77a74f6940d5e1d5c9d82b1d0a0e
|
|
| BLAKE2b-256 |
cf100aea2e1bb7f974e92438c01a7f8bd5d6128a8d899d8f4a21762b0e07f58f
|
Provenance
The following attestation bundles were made for evo_sbom-0.1.1-py3-none-any.whl:
Publisher:
release.yml on maycuatroi1/evo-sbom
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
evo_sbom-0.1.1-py3-none-any.whl -
Subject digest:
779b62e742145fbf75dbb2fc0a785619065f91e6fc05cc16a1773fed3cd601a8 - Sigstore transparency entry: 1684242544
- Sigstore integration time:
-
Permalink:
maycuatroi1/evo-sbom@afd57289a140a196d05ad3d48a54ae6171f24a3f -
Branch / Tag:
refs/heads/main - Owner: https://github.com/maycuatroi1
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@afd57289a140a196d05ad3d48a54ae6171f24a3f -
Trigger Event:
push
-
Statement type: