Skip to main content

CLI tu dong sinh SBOM cho project Python, Node.js va Docker image (wrap syft)

Project description

evo-sbom

A CLI that automatically generates SBOMs (Software Bill of Materials) for Python projects, Node.js projects, and Docker images.

evo-sbom is a UX layer (click + rich) wrapped around syft. The syft binary is downloaded automatically into ~/.evo-sbom/bin on first run (the version is pinned in src/evo_sbom/config.py).

Installation

From PyPI:

pip install evo-sbom
# or
uv tool install evo-sbom

From source:

uv sync

Usage

# Auto-detect Python / Node.js and generate both CycloneDX + SPDX
uv run evo-sbom scan .

# Scan a GitHub repo directly (cloned to a temp dir, then removed)
uv run evo-sbom scan maycuatroi1/evo-cli
uv run evo-sbom scan https://github.com/owner/repo
uv run evo-sbom scan owner/repo --branch dev

# Force the project type
uv run evo-sbom python ./my-python-app
uv run evo-sbom node ./my-node-app

# Docker image (image ref, docker-archive:, or oci-archive:)
uv run evo-sbom docker alpine:latest
uv run evo-sbom docker docker-archive:./image.tar

# Check / install the syft engine
uv run evo-sbom doctor

Common flags

  • -b, --branch branch to clone (GitHub repo input on scan only).
  • -f, --format [cyclonedx|spdx|both] (default both).
  • -o, --output PREFIX (default sbom) produces sbom.cdx.json, sbom.spdx.json.
  • --quiet prints only the written file paths (for CI).

Output

  • *.cdx.json - CycloneDX JSON
  • *.spdx.json - SPDX 2.3 JSON

Notes on unpinned dependencies

If a Python project declares its dependencies without pinned versions (no ==), leaves pyproject.toml dependencies empty, or has no lock file, a source-directory scan yields no Python packages, because syft needs resolved versions to catalog them. In that case scan a resolved environment instead:

  • Build the project's Docker image (its Dockerfile usually runs pip install -r requirements.txt) and run evo-sbom docker <image>. This also captures OS/apt and base-image packages.
  • Or create a fresh virtualenv, install the project into it, and run evo-sbom python <venv>.

Development

uv run pytest

Releasing

Pushing to main triggers .github/workflows/release.yml, which bumps the version, builds, and publishes to PyPI via Trusted Publishing (OIDC, no token). The bump type is derived from the latest commit message:

  • BREAKING CHANGE in the message -> major
  • message starting with feat -> minor
  • anything else -> patch

A matching vX.Y.Z tag and GitHub Release are created automatically.

One-time PyPI setup (Trusted Publishing): on pypi.org create a pending publisher for project evo-sbom with owner maycuatroi1, repo evo-sbom, workflow release.yml.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

evo_sbom-0.1.1.tar.gz (17.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

evo_sbom-0.1.1-py3-none-any.whl (9.7 kB view details)

Uploaded Python 3

File details

Details for the file evo_sbom-0.1.1.tar.gz.

File metadata

  • Download URL: evo_sbom-0.1.1.tar.gz
  • Upload date:
  • Size: 17.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for evo_sbom-0.1.1.tar.gz
Algorithm Hash digest
SHA256 857f3f2fd9556486cd6ced4ce25535dd892ed95cee81be664fec97a512f4a299
MD5 ecefde7b0aacc13bafa30395d977acfa
BLAKE2b-256 62bc788f5af5ad16865e47c27924c9e01065a5bd3d6eecbbcc90d4b5dc9fb578

See more details on using hashes here.

Provenance

The following attestation bundles were made for evo_sbom-0.1.1.tar.gz:

Publisher: release.yml on maycuatroi1/evo-sbom

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file evo_sbom-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: evo_sbom-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 9.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for evo_sbom-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 779b62e742145fbf75dbb2fc0a785619065f91e6fc05cc16a1773fed3cd601a8
MD5 695d77a74f6940d5e1d5c9d82b1d0a0e
BLAKE2b-256 cf100aea2e1bb7f974e92438c01a7f8bd5d6128a8d899d8f4a21762b0e07f58f

See more details on using hashes here.

Provenance

The following attestation bundles were made for evo_sbom-0.1.1-py3-none-any.whl:

Publisher: release.yml on maycuatroi1/evo-sbom

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page