
Hatchling build hook plugin for generating Software Bill of Materials (SBOM)

Project description

hatch-sbom


A Hatchling build hook plugin to automatically generate a Software Bill of Materials (SBOM) during wheel creation.

Usage

To use this plugin, configure the build-system table of your pyproject.toml to require both hatchling (>=1.28.0) and hatch-sbom.

For a requirements.txt SBOM:

[build-system]
requires = ["hatchling>=1.28.0", "hatch-sbom[cdx]"]
build-backend = "hatchling.build"

The base install is minimal. Install extras only for the backend used by your selected source:

  • requirements, poetry, pipenv, and environment use cyclonedx-py and need hatch-sbom[cdx].
  • uv uses uv export directly and needs hatch-sbom[uv].
  • pdm uses both pdm export and cyclonedx-py, so it needs hatch-sbom[pdm,cdx].

Next, configure the build hook specifically for the wheel target:

[tool.hatch.build.targets.wheel.hooks.sbom]
source = "requirements"
path = "requirements.txt"
format = "json"        # Optional, defaults to "json"
spec-version = "1.6"   # Optional, defaults to "1.6"

Supported Sources

The source field determines how the SBOM is built.

  • requirements: requires hatch-sbom[cdx]; backend cyclonedx-py requirements; path is optional and defaults to requirements.txt when present.
  • poetry: requires hatch-sbom[cdx]; backend cyclonedx-py poetry; path is optional and defaults to the current directory.
  • pipenv: requires hatch-sbom[cdx]; backend cyclonedx-py pipenv; path is optional and defaults to the current directory.
  • environment: requires hatch-sbom[cdx]; backend cyclonedx-py environment; path is optional and defaults to the current directory.
  • uv: requires hatch-sbom[uv]; backend uv export; path is optional and defaults to the current directory. Requires uv.lock.
  • pdm: requires hatch-sbom[pdm,cdx]; backend pdm export, then cyclonedx-py requirements; path is optional and defaults to the current directory. Requires pdm.lock.

The uv source only supports json format and CycloneDX 1.5.

Source-Specific Arguments

You can pass extra arguments to the underlying tool (e.g., uv export, pdm export, or cyclonedx-py <source>) by creating a nested table named after the source. Each key becomes a flag passed to that tool, which is useful for options like --without or --no-dev.

For example, to omit the dev and test groups when using Poetry:

[tool.hatch.build.targets.wheel.hooks.sbom.poetry]
without = ["dev", "test"]  # Appends `--without dev --without test`

To include all extras when using uv:

[tool.hatch.build.targets.wheel.hooks.sbom.uv]
all-extras = true  # Appends `--all-extras`

You can use the extra-args key to pass an arbitrary list of raw arguments:

[tool.hatch.build.targets.wheel.hooks.sbom.pipenv]
extra-args = ["--mc-type", "firmware"]

The generated SBOM file (e.g., sbom.cdx.json) will be automatically placed in the .dist-info/sboms/ directory of the resulting wheel.
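A consumer-side check for the layout just described, added here as an example and not part of hatch-sbom itself: open a built wheel, locate every JSON SBOM under <name>.dist-info/sboms/, and confirm it is a CycloneDX document of the expected spec version (1.6 by default, 1.5 for the uv source) with at least one component. The sample wheel is constructed in memory so the script runs without a real build; the package name, SBOM contents and file names are made up for the illustration.

```python
import io
import json
import zipfile
from pathlib import PurePosixPath


def find_sboms(wheel_bytes: bytes) -> dict[str, dict]:
    """Return {archive path: parsed JSON} for each SBOM under *.dist-info/sboms/ in a wheel."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as wheel:
        for name in wheel.namelist():
            parts = PurePosixPath(name).parts
            # Layout described in the README: <pkg>.dist-info/sboms/<file>; only JSON is parsed here
            in_sboms = len(parts) == 3 and parts[0].endswith(".dist-info") and parts[1] == "sboms"
            if in_sboms and name.endswith(".json"):
                found[name] = json.loads(wheel.read(name))
    return found


def check_sbom(doc: dict, expected_spec: str = "1.6") -> list[str]:
    """Return the problems found; an empty list means the SBOM passes these checks."""
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if doc.get("specVersion") != expected_spec:
        problems.append(f"specVersion {doc.get('specVersion')!r} != expected {expected_spec!r}")
    if not doc.get("components"):
        problems.append("no components listed")
    return problems


def build_sample_wheel() -> bytes:
    """Constructed sample wheel (not a real build): one SBOM, one metadata file, one module."""
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.6",
            "components": [{"type": "library", "name": "requests", "version": "2.32.3"}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as wheel:
        wheel.writestr("example/__init__.py", "")
        wheel.writestr("example-0.1.0.dist-info/METADATA", "Name: example\n")
        wheel.writestr("example-0.1.0.dist-info/sboms/sbom.cdx.json", json.dumps(sbom))
    return buf.getvalue()


if __name__ == "__main__":
    for path, doc in find_sboms(build_sample_wheel()).items():
        print(path, check_sbom(doc) or "ok")
```

To inspect a real artifact, pass the bytes of the wheel file to find_sboms instead of the constructed sample.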

Download files

Source Distribution: hatch_sbom-0.3.0.tar.gz (78.6 kB, uploaded as Source)

Built Distribution: hatch_sbom-0.3.0-py3-none-any.whl (7.2 kB, uploaded as Python 3)

File details

Details for the file hatch_sbom-0.3.0.tar.gz.

File metadata

  • Download URL: hatch_sbom-0.3.0.tar.gz
  • Upload date:
  • Size: 78.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for hatch_sbom-0.3.0.tar.gz:

  • SHA256: 931320149777195bbdb604fb8fbf987131e1d6a42128c758b4e757dc3602449f
  • MD5: 8fd72d4dfb263c4ba658ec1ab68802c7
  • BLAKE2b-256: 407bfb4fdfbd56ec495e853740a8ed07613ba387185c5abb2993e91b5bdedc45

Provenance

The following attestation bundles were made for hatch_sbom-0.3.0.tar.gz:

Publisher: cd-publish.yml on Ichunjo/hatch-sbom

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file hatch_sbom-0.3.0-py3-none-any.whl.

File metadata

  • Download URL: hatch_sbom-0.3.0-py3-none-any.whl
  • Upload date:
  • Size: 7.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for hatch_sbom-0.3.0-py3-none-any.whl:

  • SHA256: bbc01dd927a7235086ebb96618bdf91e2ac777348bcd89d64e7f2cab3a26f271
  • MD5: 4b5d6e175c3988c7012318c0acdbbe02
  • BLAKE2b-256: 4dd43e64bbfa13ba04105719fbea41aee8a577c963151cdab916caf42e92b22e

Provenance

The following attestation bundles were made for hatch_sbom-0.3.0-py3-none-any.whl:

Publisher: cd-publish.yml on Ichunjo/hatch-sbom

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
