
Hatchling build hook plugin for generating Software Bill of Materials (SBOM)

Project description

hatch-sbom


A Hatchling build hook plugin to automatically generate a Software Bill of Materials (SBOM) during wheel creation using cyclonedx-py.

Usage

To use this plugin, you must configure your pyproject.toml to require both hatchling (>=1.28.0) and hatch-sbom in your build-system:

[build-system]
requires = ["hatchling>=1.28.0", "hatch-sbom"]
build-backend = "hatchling.build"

Next, configure the build hook specifically for the wheel target:

[tool.hatch.build.targets.wheel.hooks.sbom]
source = "requirements"
path = "requirements.txt"
format = "json"        # Optional, defaults to "json"
spec-version = "1.6"   # Optional, defaults to "1.6"

Supported Sources

The source field determines how the SBOM is built, mapping to the respective cyclonedx-py commands:

  • requirements: Build an SBOM from Pip requirements. The path option is optional; if omitted, the plugin will automatically look for requirements.txt.
  • poetry: Build an SBOM from a Poetry project. The path option is optional and defaults to the current directory.
  • pipenv: Build an SBOM from a Pipenv manifest. The path option is optional and defaults to the current directory.
  • environment: Build an SBOM from a Python environment. The path option is optional and defaults to the current directory.
  • uv: Build an SBOM using uv export. Requires a uv.lock file. The path option is optional and defaults to the current directory. Only supports json format and 1.5 spec-version.
  • pdm: Build an SBOM using pdm export and cyclonedx-py. Requires a pdm.lock file. The path option is optional and defaults to the current directory.

Source-Specific Arguments

You can pass extra arguments to the underlying tool (e.g., uv export, pdm export, or cyclonedx-py <source>) by creating a nested table named after the source.

This is useful for passing flags like --without, --no-dev, etc.

For example, to omit the dev and test groups when using Poetry:

[tool.hatch.build.targets.wheel.hooks.sbom.poetry]
without = ["dev", "test"]  # Appends `--without dev --without test`

To include all extras when using uv:

[tool.hatch.build.targets.wheel.hooks.sbom.uv]
all-extras = true  # Appends `--all-extras`

You can use the extra-args key to pass an arbitrary list of raw arguments:

[tool.hatch.build.targets.wheel.hooks.sbom.pipenv]
extra-args = ["--mc-type", "firmware"]
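The README describes the configuration only by example. The following added script (written for this page, not hatch-sbom's own code) models that description: it reads the hook table from a parsed pyproject, applies the documented defaults (format json, spec-version 1.6), enforces the documented uv restriction (json and 1.5 only), and turns the nested source table into the argument list the README says is appended. Two details go beyond the README and are assumptions: a `false` boolean omits the flag, and a plain scalar becomes `--key value`.

```python
"""Resolve [tool.hatch.build.targets.wheel.hooks.sbom] as the README describes it.
Added example, not hatch-sbom's own code."""
from __future__ import annotations

from typing import Any

try:  # tomllib is standard from Python 3.11; tomli is the backport
    import tomllib
except ModuleNotFoundError:
    try:
        import tomli as tomllib  # type: ignore[no-redef]
    except ModuleNotFoundError:
        tomllib = None  # type: ignore[assignment]

# Source names and defaults taken from the README.
SOURCES = {"requirements", "poetry", "pipenv", "environment", "uv", "pdm"}
DEFAULT_FORMAT = "json"
DEFAULT_SPEC = "1.6"


def table_to_args(table: dict[str, Any]) -> list[str]:
    """Turn a nested source table into CLI arguments.

    Rules as the README shows them: a list repeats the flag
    (`without = ["dev", "test"]` -> `--without dev --without test`), a true
    boolean emits a bare flag (`all-extras = true` -> `--all-extras`), and
    `extra-args` is appended verbatim. Treating `false` as "omit the flag"
    and a scalar as `--key value` is this example's assumption.
    """
    args: list[str] = []
    for key, value in table.items():
        if key == "extra-args":
            continue  # appended last, unchanged
        flag = f"--{key}"
        if isinstance(value, bool):
            if value:
                args.append(flag)
        elif isinstance(value, list):
            for item in value:
                args.extend([flag, str(item)])
        else:
            args.extend([flag, str(value)])
    args.extend(str(a) for a in table.get("extra-args", []))
    return args


def resolve_sbom_hook(pyproject: dict[str, Any]) -> dict[str, Any]:
    """Read the hook config from a parsed pyproject; apply defaults and checks."""
    hook = pyproject["tool"]["hatch"]["build"]["targets"]["wheel"]["hooks"]["sbom"]
    source = hook["source"]
    if source not in SOURCES:
        raise ValueError(f"unsupported sbom source: {source!r}")
    fmt = hook.get("format", DEFAULT_FORMAT)
    spec = hook.get("spec-version", DEFAULT_SPEC)
    # README: the uv source only supports json output and spec-version 1.5.
    if source == "uv" and (fmt != "json" or spec != "1.5"):
        raise ValueError("uv source requires format='json' and spec-version='1.5'")
    return {
        "source": source,
        "path": hook.get("path"),
        "format": fmt,
        "spec-version": spec,
        "tool-args": table_to_args(hook.get(source, {})),  # nested [..sbom.<source>] table
    }


def resolve_from_text(pyproject_text: str) -> dict[str, Any]:
    """Parse TOML text and resolve it; needs tomllib (3.11+) or tomli."""
    if tomllib is None:
        raise RuntimeError("need Python >= 3.11 (tomllib) or tomli to parse TOML text")
    return resolve_sbom_hook(tomllib.loads(pyproject_text))


# Constructed sample pyproject, mirroring the README's poetry example.
SAMPLE_PYPROJECT = """
[build-system]
requires = ["hatchling>=1.28.0", "hatch-sbom"]
build-backend = "hatchling.build"

[tool.hatch.build.targets.wheel.hooks.sbom]
source = "poetry"

[tool.hatch.build.targets.wheel.hooks.sbom.poetry]
without = ["dev", "test"]
extra-args = ["--mc-type", "firmware"]
"""

if __name__ == "__main__":
    print(resolve_from_text(SAMPLE_PYPROJECT))
```

Running it on the sample prints a poetry source with no explicit path, the json/1.6 defaults, and the argument list `--without dev --without test --mc-type firmware`; switching the source to `uv` without setting `spec-version = "1.5"` raises, which is the kind of mismatch worth catching before a build rather than after.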

The generated SBOM file (e.g., sbom.cdx.json) will be automatically placed in the .dist-info/sboms/ directory of the resulting wheel.
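A wheel consumer will want to confirm that the SBOM actually shipped and that it is well formed before relying on it. The added script below (not part of hatch-sbom) builds a tiny wheel with a constructed CycloneDX JSON document under `.dist-info/sboms/`, then locates every member in that directory, checks the `bomFormat` and `specVersion` fields, flags components without a `purl`, and flattens the components into `name==version` pins that can be diffed against a lockfile. The package `demo`, the file name `sbom.cdx.json` and the component list are all constructed for the example.

```python
"""Check that a built wheel carries its SBOM in .dist-info/sboms/ and read it.
Added example, not hatch-sbom's own code; the wheel and SBOM are constructed."""
from __future__ import annotations

import json
import os
import tempfile
import zipfile
from typing import Any

# Constructed minimal CycloneDX 1.6 JSON document shaped like cyclonedx-py
# output; it is not real output of the plugin.
SAMPLE_SBOM: dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "purl": "pkg:pypi/requests@2.32.3"},
        {"type": "library", "name": "urllib3", "version": "2.2.2",
         "purl": "pkg:pypi/urllib3@2.2.2"},
    ],
}


def make_sample_wheel(directory: str) -> str:
    """Write a tiny wheel with an SBOM where hatch-sbom places it."""
    path = os.path.join(directory, "demo-1.0-py3-none-any.whl")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("demo/__init__.py", "")
        zf.writestr("demo-1.0.dist-info/METADATA",
                    "Metadata-Version: 2.4\nName: demo\nVersion: 1.0\n")
        zf.writestr("demo-1.0.dist-info/sboms/sbom.cdx.json",
                    json.dumps(SAMPLE_SBOM))
    return path


def find_wheel_sboms(wheel_path: str) -> dict[str, dict[str, Any]]:
    """Return {member name: parsed JSON} for every file under */.dist-info/sboms/."""
    found: dict[str, dict[str, Any]] = {}
    with zipfile.ZipFile(wheel_path) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if len(parts) == 3 and parts[0].endswith(".dist-info") and parts[1] == "sboms":
                found[name] = json.loads(zf.read(name))
    return found


def check_cyclonedx(doc: dict[str, Any], expected_spec: str = "1.6") -> list[str]:
    """Return the problems found; an empty list means the document looks sane."""
    problems: list[str] = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if doc.get("specVersion") != expected_spec:
        problems.append(f"specVersion {doc.get('specVersion')!r} != {expected_spec!r}")
    for c in doc.get("components", []):
        if not c.get("purl"):  # a component without a purl cannot be matched to an advisory feed
            problems.append(f"component {c.get('name')!r} has no purl")
    return problems


def component_pins(doc: dict[str, Any]) -> list[str]:
    """Flatten components into sorted name==version strings for a quick diff."""
    return sorted(f"{c['name']}=={c['version']}" for c in doc.get("components", []))


def inspect_wheel(wheel_path: str) -> dict[str, Any]:
    """Per SBOM member: validation problems and the pinned component list."""
    return {
        name: {"problems": check_cyclonedx(doc), "pins": component_pins(doc)}
        for name, doc in find_wheel_sboms(wheel_path).items()
    }


def demo_report() -> dict[str, Any]:
    """Build the sample wheel in a temp dir and inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        return inspect_wheel(make_sample_wheel(tmp))


if __name__ == "__main__":
    print(json.dumps(demo_report(), indent=2))
```

Point `inspect_wheel` at a real wheel built with this plugin to see the same report; an empty result means no member matched `*.dist-info/sboms/*`, which is the first thing to check when the hook appears not to have run.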

Download files

Source distribution: hatch_sbom-0.1.3.tar.gz (77.8 kB)

Built distribution: hatch_sbom-0.1.3-py3-none-any.whl (9.1 kB, Python 3)

File details

Details for the file hatch_sbom-0.1.3.tar.gz.

File metadata

  • Download URL: hatch_sbom-0.1.3.tar.gz
  • Size: 77.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for hatch_sbom-0.1.3.tar.gz
Algorithm Hash digest
SHA256 882615d77bd468d63c6db9f1b9f4159b8a7e6b47801b509593e483adc88d1eba
MD5 5f0eefcd7b043a5a306e014cc8e9489e
BLAKE2b-256 3e0a48dbc113fe134279050f111c00f85f6db55d07e3dbbc0d2a8cf9d5f7ed22


Provenance

The following attestation bundles were made for hatch_sbom-0.1.3.tar.gz:

Publisher: cd-publish.yml on Ichunjo/hatch-sbom

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file hatch_sbom-0.1.3-py3-none-any.whl.

File metadata

  • Download URL: hatch_sbom-0.1.3-py3-none-any.whl
  • Size: 9.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for hatch_sbom-0.1.3-py3-none-any.whl
Algorithm Hash digest
SHA256 44d557d82cb72258f4492bd6ed5ec42e0b322536b746b52c59974417c472fd9c
MD5 68fe271bdc242e6ac32c8a1d80ed0999
BLAKE2b-256 9e2e492d7fab0d8747c65080c5722101e1e80ac87e288a831ff0e1116153b31b


Provenance

The following attestation bundles were made for hatch_sbom-0.1.3-py3-none-any.whl:

Publisher: cd-publish.yml on Ichunjo/hatch-sbom

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
