Comprehensive SBOM generation and auditing tool for Firefly Open Banking Platform
# Firefly SBOM Tool 🔒
A comprehensive Software Bill of Materials (SBOM) generation and security auditing tool for modern multi-technology stacks
## 🎯 Overview
The Firefly SBOM Tool is an enterprise-grade solution for generating Software Bill of Materials (SBOM) documents and performing comprehensive security audits across multiple programming languages and frameworks.
**🆕 NEW:** GitHub Organization Scanning with parallel processing and advanced filtering!
## ⭐ Key Features
- 🐙 GitHub Organization Scanning - Scan entire organizations with filtering by language, topics, type
- 🚀 Parallel Processing - High-performance scanning with configurable workers
- 📦 Multi-Language Support - Python, Java, Node.js, Go, Ruby, Rust, Flutter/Dart, and more
- 🛡️ Security Auditing - Vulnerability scanning using NVD, OSV, and GitHub Security Advisories
- 📊 Rich Reports - Interactive HTML, CycloneDX, SPDX, Markdown formats
- ⚡ High Performance - Efficient caching and batch processing
- 🐳 Container Ready - Full Docker support
- ⚙️ CI/CD Integration - GitHub Actions, GitLab CI, Jenkins ready
## 📦 Quick Installation

```bash
# Quick install (recommended)
curl -sSL https://raw.githubusercontent.com/firefly-oss/sbom-tool/main/install.sh | bash

# From PyPI
pip install firefly-sbom-tool

# From source
git clone https://github.com/firefly-oss/sbom-tool.git && cd sbom-tool && pip install -e .

# Docker
docker pull ghcr.io/firefly-oss/sbom-tool:latest
```
## 🚀 Quick Start

### CI: GitHub Actions (Quick Example)

Add this workflow to `.github/workflows/sbom.yml` in your repository to run the scan on every push/PR:
```yaml
name: SBOM Scan
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.10'
      - name: Install Firefly SBOM Tool
        run: pip install firefly-sbom-tool
      - name: Run SBOM scan (current repo)
        run: firefly-sbom scan --path . --audit --format cyclonedx-json --format html --output sbom-report
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: sbom-reports
          path: sbom-report*
```
For advanced CI usage, see the dedicated guide: docs/ci/github-actions.md.
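The workflow above only uploads the reports; in practice a CI job should also fail when the audit finds something serious. The following gate step is an added example, not part of the firefly-sbom tool: it reads the CycloneDX JSON written by `--audit --format cyclonedx-json` and exits non-zero at or above a severity threshold. It assumes the output follows the standard CycloneDX JSON layout (a top-level `vulnerabilities` array with `ratings[].severity` and `affects[].ref`), and the embedded sample BOM and advisory ids are constructed placeholders.

```python
import json
import sys

# CycloneDX rating severities, lowest to highest.
SEVERITY_ORDER = ["unknown", "none", "info", "low", "medium", "high", "critical"]

# Constructed sample: only the `vulnerabilities` array matters to the gate,
# and the advisory ids are placeholders, not real CVEs.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "EXAMPLE-0001",
         "ratings": [{"severity": "medium"}, {"severity": "high"}],
         "affects": [{"ref": "pkg:pypi/requests@2.25.1"}]},
        {"id": "EXAMPLE-0002",
         "ratings": [{"severity": "low"}],
         "affects": [{"ref": "pkg:pypi/click@8.1.7"}]},
    ],
}


def vuln_severity(vuln):
    """Highest severity among a finding's ratings; 'unknown' if none or unrecognised."""
    sevs = [str(r.get("severity", "")).lower() for r in vuln.get("ratings", [])]
    sevs = [s if s in SEVERITY_ORDER else "unknown" for s in sevs] or ["unknown"]
    return max(sevs, key=SEVERITY_ORDER.index)


def failing_vulnerabilities(bom, threshold="high"):
    """[(advisory id, [affected bom-refs])] for findings at or above the threshold."""
    limit = SEVERITY_ORDER.index(threshold)
    return [
        (v.get("id", "?"), [a.get("ref", "?") for a in v.get("affects", [])])
        for v in bom.get("vulnerabilities", [])
        if SEVERITY_ORDER.index(vuln_severity(v)) >= limit
    ]


def gate(bom, threshold="high"):
    """Exit status for the CI step: 1 if any finding meets the threshold, else 0."""
    failing = failing_vulnerabilities(bom, threshold)
    for vid, refs in failing:
        print(f"BLOCKED {vid}: {', '.join(refs)}", file=sys.stderr)
    return 1 if failing else 0


if __name__ == "__main__":
    # Usage: python sbom_gate.py <cyclonedx.json> [threshold]; no args runs the sample.
    bom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_BOM
    sys.exit(gate(bom, sys.argv[2] if len(sys.argv) > 2 else "high"))
```

Wire it in as a step after the scan, pointing at the CycloneDX file the scan wrote, so the job fails (and the artifacts are still uploaded for triage if the upload step uses `if: always()`).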
### Single Repository Scan

```bash
# Basic scan
firefly-sbom scan --path ./my-project

# With security audit
firefly-sbom scan --path ./my-project --audit --format html
```
### 🆕 GitHub Organization Scan

```bash
# Set GitHub token
export GITHUB_TOKEN="your_token_here"

# Scan entire organization
firefly-sbom scan-org --org firefly-oss --parallel 8 --audit

# Advanced filtering
firefly-sbom scan-org --org firefly-oss \
  --languages Python JavaScript \
  --topics microservice api \
  --include-private --no-forks --no-archived \
  --format html --format cyclonedx-json
```
### Technology Detection

```bash
# Detect tech stack
firefly-sbom detect --path ./my-project
```

## 🛠️ Supported Technologies
| Language | Package Managers | Lock Files | Status |
|---|---|---|---|
| Python | pip, Poetry, Pipenv | requirements.txt, poetry.lock | ✅ Full support |
| Java | Maven | pom.xml | ✅ Multi-module support, improved license extraction |
| Node.js | npm, yarn, pnpm | package-lock.json, yarn.lock | ✅ Framework detection |
| Go | go modules | go.mod, go.sum | ✅ Replace directives |
| Ruby | Bundler | Gemfile.lock | ✅ Group dependencies |
| Rust | Cargo | Cargo.lock | ✅ Workspace support |
| Flutter/Dart | pub | pubspec.lock | ✅ SDK version tracking |
## 📚 Documentation
Comprehensive documentation is available in the docs/ directory:
- Installation Guide - Detailed installation methods
- GitHub Integration - Organization scanning guide
- Configuration - Complete configuration reference
- API Reference - Python API documentation
- Examples - Usage examples and templates
### Quick Links
- Getting Started - Jump right in
- GitHub API Setup - Token configuration
- CI/CD Examples - Pipeline templates
- Changelog - Version history
## 🐳 Docker Usage

```bash
# Scan current directory
docker run --rm -v $(pwd):/workspace ghcr.io/firefly-oss/sbom-tool:latest scan --path /workspace

# Organization scan with GitHub token
docker run --rm -e GITHUB_TOKEN=$GITHUB_TOKEN -v $(pwd)/reports:/reports \
  ghcr.io/firefly-oss/sbom-tool:latest scan-org --org firefly-oss --output-dir /reports
```
## 🤝 Contributing
We welcome contributions! See our Contributing Guide for details.
```bash
# Development setup
git clone https://github.com/firefly-oss/sbom-tool.git
cd sbom-tool
python -m venv venv && source venv/bin/activate
pip install -e ".[dev]"
pytest
```
## 📄 License
Licensed under the Apache License, Version 2.0. See LICENSE for details.
Made with ❤️ by the Firefly OSS Team
## Download files
### File details

Details for the file firefly_sbom_tool-1.0.0.tar.gz.

File metadata

- Download URL: firefly_sbom_tool-1.0.0.tar.gz
- Upload date:
- Size: 79.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.3

File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | a736ad0860b0ef6c18ba7b8cb41270691e1590562593c1266cbfccc01a58ebda |
| MD5 | 66d352a8ec8c054ac9086310ddb4fbd2 |
| BLAKE2b-256 | fb40c79a7da8053f470737bd27477b8ef06ed9d4535e11a6a9fffd23710ad577 |
### File details

Details for the file firefly_sbom_tool-1.0.0-py3-none-any.whl.

File metadata

- Download URL: firefly_sbom_tool-1.0.0-py3-none-any.whl
- Upload date:
- Size: 87.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.3

File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | abac94beeaa8498238936b141bf0c7df10317ab3dc8942291d33bd74bc86a68e |
| MD5 | c3aa299cfcba618a85f7146e5cd25923 |
| BLAKE2b-256 | eac7a9ad5a695db548aa069b6fd9c57eb912865b245282ace17772a37420f858 |
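Neither release file was uploaded with Trusted Publishing, so the digests in the two tables above are the only integrity reference this page offers for a downloaded sdist or wheel. The script below is an added example, not part of the firefly-sbom tool: it recomputes all three digests over a downloaded file and compares them in constant time. The expected values are the sdist digests copied from the page (swap in the wheel's table to check the `.whl`); the only assumption is that PyPI's "BLAKE2b-256" means BLAKE2b with a 32-byte digest, which is how `hashlib.blake2b(digest_size=32)` computes it.

```python
import hashlib
import hmac
import sys

# Digests for firefly_sbom_tool-1.0.0.tar.gz as listed on this page.
# Swap in the wheel's digests to check firefly_sbom_tool-1.0.0-py3-none-any.whl.
EXPECTED_SDIST = {
    "sha256": "a736ad0860b0ef6c18ba7b8cb41270691e1590562593c1266cbfccc01a58ebda",
    "md5": "66d352a8ec8c054ac9086310ddb4fbd2",
    "blake2b-256": "fb40c79a7da8053f470737bd27477b8ef06ed9d4535e11a6a9fffd23710ad577",
}


def _hasher(name):
    """PyPI's BLAKE2b-256 is BLAKE2b truncated to a 32-byte digest."""
    if name == "blake2b-256":
        return hashlib.blake2b(digest_size=32)
    # MD5 is listed by PyPI for legacy reasons only; mark it as non-security use.
    return hashlib.new(name, usedforsecurity=(name != "md5"))


def digests(data, names):
    """Hex digests of `data` for each named algorithm."""
    out = {}
    for name in names:
        h = _hasher(name)
        h.update(data)
        out[name] = h.hexdigest()
    return out


def verify(data, expected):
    """(all_match, [algorithms that differ]); comparison is constant-time."""
    actual = digests(data, expected)
    bad = [n for n in expected
           if not hmac.compare_digest(actual[n], expected[n].lower())]
    return (not bad, bad)


if __name__ == "__main__":
    # Usage: python verify_release.py firefly_sbom_tool-1.0.0.tar.gz
    with open(sys.argv[1], "rb") as f:
        ok, bad = verify(f.read(), EXPECTED_SDIST)
    print("OK: all digests match" if ok else "MISMATCH: " + ", ".join(bad))
    sys.exit(0 if ok else 1)
```

A SHA256 match is the one that counts; MD5 and BLAKE2b-256 are checked only because PyPI publishes them alongside it.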