Hatchling build hook plugin for generating Software Bill of Materials (SBOM)

Project description

hatch-sbom

A Hatchling build hook plugin to automatically generate a Software Bill of Materials (SBOM) during wheel creation using cyclonedx-py.

Usage

To use this plugin, you must configure your pyproject.toml to require both hatchling (>=1.28.0) and hatch-sbom in your build-system:

[build-system]
requires = ["hatchling>=1.28.0", "hatch-sbom"]
build-backend = "hatchling.build"

Next, configure the build hook specifically for the wheel target:

[tool.hatch.build.targets.wheel.hooks.sbom]
source = "requirements"
path = "requirements.txt"
format = "json"        # Optional, defaults to "json"
spec-version = "1.6"   # Optional, defaults to "1.6"

Supported Sources

The source field determines how the SBOM is built, mapping to the respective cyclonedx-py commands:

  • requirements: Build an SBOM from Pip requirements. The path option is optional; if omitted, the plugin will automatically look for requirements.txt.
  • poetry: Build an SBOM from a Poetry project. The path option is optional and defaults to the current directory.
  • pipenv: Build an SBOM from a Pipenv manifest. The path option is optional and defaults to the current directory.
  • environment: Build an SBOM from a Python environment. The path option is optional and defaults to the current directory.
  • uv: Build an SBOM using uv export. Requires a uv.lock file. The path option is optional and defaults to the current directory. Only the json format and spec-version 1.5 are supported for this source.
  • pdm: Build an SBOM using pdm export and cyclonedx-py. Requires a pdm.lock file. The path option is optional and defaults to the current directory.

Source-Specific Arguments

You can pass extra arguments to the underlying tool (e.g., uv export, pdm export, or cyclonedx-py <source>) by creating a nested table named after the source. This is useful for passing flags such as --without or --no-dev.

For example, to omit the dev and test groups when using Poetry:

[tool.hatch.build.targets.wheel.hooks.sbom.poetry]
without = ["dev", "test"]  # Appends `--without dev --without test`

To include all extras when using uv:

[tool.hatch.build.targets.wheel.hooks.sbom.uv]
all-extras = true  # Appends `--all-extras`

You can use the extra-args key to pass an arbitrary list of raw arguments:

[tool.hatch.build.targets.wheel.hooks.sbom.pipenv]
extra-args = ["--mc-type", "firmware"]

The generated SBOM file (e.g., sbom.cdx.json) will be automatically placed in the .dist-info/sboms/ directory of the resulting wheel.
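A consumer of the wheel (a release pipeline, an artifact scanner, or a reviewer) will want to locate that file and confirm it is a usable CycloneDX document before trusting it. The script below is an added example, not code from hatch-sbom or cyclonedx-py: it builds a small constructed wheel in memory that carries an SBOM under `<name>.dist-info/sboms/`, then finds every SBOM in the archive and applies a few structural checks (bomFormat, specVersion, non-empty components, a purl per component). The SBOM content, the distribution name and the helper names are all constructed for the example; a real cyclonedx-py document contains much more (metadata, hashes, a dependency graph).

```python
"""Locate and sanity-check the SBOM that hatch-sbom places inside a wheel.

Added example, not part of hatch-sbom. The wheel and SBOM below are
constructed in memory so the script runs offline; point `find_sboms` at
the bytes of a real wheel to inspect an actual build artifact.
"""
import io
import json
import zipfile

# Constructed minimal CycloneDX 1.6 JSON document (not real cyclonedx-py output).
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "purl": "pkg:pypi/requests@2.32.3"},
        {"type": "library", "name": "urllib3", "version": "2.2.2",
         "purl": "pkg:pypi/urllib3@2.2.2"},
    ],
}


def make_wheel(dist_info: str, sbom: dict) -> bytes:
    """Build a tiny constructed wheel whose dist-info carries an SBOM."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("example/__init__.py", "")
        zf.writestr(f"{dist_info}/METADATA",
                    "Metadata-Version: 2.1\nName: example\nVersion: 0.1.0\n")
        # This is the location the README documents for the generated SBOM.
        zf.writestr(f"{dist_info}/sboms/sbom.cdx.json", json.dumps(sbom))
    return buf.getvalue()


def find_sboms(wheel_bytes: bytes) -> dict[str, dict]:
    """Return {archive path: parsed JSON} for every *.dist-info/sboms/*.json."""
    found: dict[str, dict] = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if (len(parts) >= 3 and parts[0].endswith(".dist-info")
                    and parts[1] == "sboms" and name.endswith(".json")):
                found[name] = json.loads(zf.read(name))
    return found


def check_cyclonedx(doc: dict, expected_spec: str = "1.6") -> list[str]:
    """Cheap structural checks to run before a full schema validation or scan."""
    problems: list[str] = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if doc.get("specVersion") != expected_spec:
        problems.append(f"specVersion {doc.get('specVersion')!r} != {expected_spec}")
    components = doc.get("components", [])
    if not components:
        problems.append("no components listed")
    for comp in components:
        if not comp.get("purl"):
            problems.append(f"component {comp.get('name')!r} has no purl")
    return problems


def component_purls(doc: dict) -> list[str]:
    """Sorted package URLs, the identifiers a vulnerability scanner matches on."""
    return sorted(c["purl"] for c in doc.get("components", []) if c.get("purl"))


if __name__ == "__main__":
    wheel = make_wheel("example-0.1.0.dist-info", SBOM)
    for path, doc in find_sboms(wheel).items():
        print(path, component_purls(doc), check_cyclonedx(doc) or "ok")
```

The structural checks are deliberately shallow: they catch an SBOM that was written to the wrong place, emitted in the wrong format or spec version (recall that the uv source only supports 1.5), or left without component identifiers, which is the point at which a downstream scanner silently matches nothing. Full schema validation belongs to a dedicated CycloneDX validator.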

Download files

Source Distribution

hatch_sbom-0.2.0.tar.gz (78.3 kB)

Uploaded Source

Built Distribution

hatch_sbom-0.2.0-py3-none-any.whl (9.4 kB)

Uploaded Python 3

File details

Details for the file hatch_sbom-0.2.0.tar.gz.

File metadata

  • Download URL: hatch_sbom-0.2.0.tar.gz
  • Upload date:
  • Size: 78.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for hatch_sbom-0.2.0.tar.gz
Algorithm Hash digest
SHA256 a88ce2586838da6d1f0105123ef8fd4bb883c85b84b21e08df07619c5c42b6e1
MD5 c3351800d5ea95eefc97b0bed7519b20
BLAKE2b-256 8b5eef4636e51e9934302ae0112d49320710a9e84504855a1a66aa06a8973786

Provenance

The following attestation bundles were made for hatch_sbom-0.2.0.tar.gz:

Publisher: cd-publish.yml on Ichunjo/hatch-sbom

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file hatch_sbom-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: hatch_sbom-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 9.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for hatch_sbom-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b291611987ba0867d15f9be392514df752de69d36a1ff2b9fb605ebdcc33f1a1
MD5 3f64f733010592467d8cc32162e89972
BLAKE2b-256 4211cadbcc4b7b8f43aeba8824c34ea40ee7743dc88f696fdcf11cd4e6761375

Provenance

The following attestation bundles were made for hatch_sbom-0.2.0-py3-none-any.whl:

Publisher: cd-publish.yml on Ichunjo/hatch-sbom

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
