Hatchling build hook plugin for generating Software Bill of Materials (SBOM)
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
Hatch SBOM
| CI/CD |
|
|---|---|
| Package |
|
| Meta |
|
A Hatchling build hook plugin to automatically generate a Software Bill of Materials (SBOM) during wheel creation.
Usage
To use this plugin, configure your pyproject.toml to require both hatchling (>=1.28.0) and hatch-sbom in your build-system.
For a requirements.txt SBOM:
[build-system]
requires = ["hatchling>=1.28.0", "hatch-sbom[cdx]"]
build-backend = "hatchling.build"
The base install is minimal. Install extras only for the backend used by your selected source:
requirements,poetry,pipenv, andenvironmentusecyclonedx-pyand needhatch-sbom[cdx].uvusesuv exportdirectly and needshatch-sbom[uv].pdmuses bothpdm exportandcyclonedx-py, so it needshatch-sbom[pdm,cdx].
Next, configure the build hook specifically for the wheel target:
[tool.hatch.build.targets.wheel.hooks.sbom]
source = "requirements"
path = "requirements.txt"
format = "json" # Optional, defaults to "json"
spec-version = "1.6" # Optional, defaults to "1.6"
Supported Sources
The source field determines how the SBOM is built.
| Source | Requires | Backend | Path behavior |
|---|---|---|---|
requirements |
hatch-sbom[cdx] |
cyclonedx-py requirements |
Optional; defaults to requirements.txt when present. |
poetry |
hatch-sbom[cdx] |
cyclonedx-py poetry |
Optional; defaults to the current directory. |
pipenv |
hatch-sbom[cdx] |
cyclonedx-py pipenv |
Optional; defaults to the current directory. |
environment |
hatch-sbom[cdx] |
cyclonedx-py environment |
Optional; defaults to the current directory. |
uv |
hatch-sbom[uv] |
uv export |
Optional; defaults to the current directory. Requires uv.lock. |
pdm |
hatch-sbom[pdm,cdx] |
pdm export, then cyclonedx-py requirements |
Optional; defaults to the current directory. Requires pdm.lock. |
The uv source only supports json format and CycloneDX 1.5.
Source-Specific Arguments
You can pass extra arguments to the underlying tool (e.g., uv export, pdm export, or cyclonedx-py <source>) by creating a nested table named after the source.
This is useful for passing flags like --without, --no-dev, etc.
For example, to omit the dev and test groups when using Poetry:
[tool.hatch.build.targets.wheel.hooks.sbom.poetry]
without = ["dev", "test"] # Appends `--without dev --without test`
To include all extras when using uv:
[tool.hatch.build.targets.wheel.hooks.sbom.uv]
all-extras = true # Appends `--all-extras`
You can use the extra-args key to pass an arbitrary list of raw arguments:
[tool.hatch.build.targets.wheel.hooks.sbom.pipenv]
extra-args = ["--mc-type", "firmware"]
The generated SBOM file (e.g., sbom.cdx.json) will be automatically placed in the .dist-info/sboms/ directory of the resulting wheel.
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file hatch_sbom-0.4.0.tar.gz.
File metadata
- Download URL: hatch_sbom-0.4.0.tar.gz
- Upload date:
- Size: 92.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a431b6f141e726c0c6e4a102791eb906e90010bc5d2e17a333b8816862e09236
|
|
| MD5 |
09d5667233afc7d8832b96c3130e2285
|
|
| BLAKE2b-256 |
96e3688a6a99fb05226ee34c0e25255eb0b4dbc051da6c5b34c1aa72ddd91c7c
|
Provenance
The following attestation bundles were made for hatch_sbom-0.4.0.tar.gz:
Publisher:
cd-publish.yml on Ichunjo/hatch-sbom
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
hatch_sbom-0.4.0.tar.gz -
Subject digest:
a431b6f141e726c0c6e4a102791eb906e90010bc5d2e17a333b8816862e09236 - Sigstore transparency entry: 1401803362
- Sigstore integration time:
-
Permalink:
Ichunjo/hatch-sbom@eb0d05957d506575943b23cf269236a8cde76f40 -
Branch / Tag:
refs/tags/v0.4.0 - Owner: https://github.com/Ichunjo
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
cd-publish.yml@eb0d05957d506575943b23cf269236a8cde76f40 -
Trigger Event:
push
-
Statement type:
File details
Details for the file hatch_sbom-0.4.0-py3-none-any.whl.
File metadata
- Download URL: hatch_sbom-0.4.0-py3-none-any.whl
- Upload date:
- Size: 7.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4e3bede4b7c30542793e5b929404813ce1a74abc929cd2d150063f29aadad24a
|
|
| MD5 |
df52a87de64eb66a572e20222df9676f
|
|
| BLAKE2b-256 |
e803bd32e9b8d02129f447b4b33bcb68e2b257bf96a072f94f768f7cfaefdaf5
|
Provenance
The following attestation bundles were made for hatch_sbom-0.4.0-py3-none-any.whl:
Publisher:
cd-publish.yml on Ichunjo/hatch-sbom
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
hatch_sbom-0.4.0-py3-none-any.whl -
Subject digest:
4e3bede4b7c30542793e5b929404813ce1a74abc929cd2d150063f29aadad24a - Sigstore transparency entry: 1401803438
- Sigstore integration time:
-
Permalink:
Ichunjo/hatch-sbom@eb0d05957d506575943b23cf269236a8cde76f40 -
Branch / Tag:
refs/tags/v0.4.0 - Owner: https://github.com/Ichunjo
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
cd-publish.yml@eb0d05957d506575943b23cf269236a8cde76f40 -
Trigger Event:
push
-
Statement type:
