Open-source FDA/IEC-62304 compliance layer for medical device SBOMs
Project description
๐ฅ MedSBOM
Open-source FDA/IEC-62304 compliance layer for medical device SBOMs
Turn raw SBOM scans into FDA-submission-ready documentation in seconds, not weeks.
Quick Start โข Examples โข API Docs โข Contributing โข Sponsor
The Problem
Medical device manufacturers must (FDA 2023 guidance, PATCH Act, 2026 QMSR):
- Maintain Software Bills of Materials for every device
- Continuously monitor SOUP components for vulnerabilities
- Document a Secure Product Development Framework
- Produce audit-ready evidence of regular vulnerability review (IEC 62304 ยง7.1.3)
Today: Teams spend 40โ80 hours per device manually translating Syft/Grype/Trivy output into regulatory documents. Paid platforms charge $50Kโ$200K/year.
With MedSBOM: One command. Audit-ready docs in seconds. Free forever.
What MedSBOM Does
โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ SBOM Input โ โโโถ โ MedSBOM โ โโโถ โ FDA Premarket Summary โ
โ (SPDX/CDX) โ โ Engine โ โ SOUP Risk Assessment โ
โโโโโโโโโโโโโโโ โ โ โ Vulnerability Review Log โ
โ โข CVE match โ โ Audit Trail โ
โโโโโโโโโโโโโโโ โ โข KEV check โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ NVD + KEV โ โโโถ โ โข EOL check โ
โ feeds โ โ โข Risk scoreโ
โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโ
Quick Start
Install
pip install medsbom
Generate your SBOM (if you don't have one)
# Using Syft
syft dir:./my-firmware -o cyclonedx-json > my-device.sbom.json
# Using Trivy
trivy fs --format cyclonedx --output my-device.sbom.json ./my-project/
Run MedSBOM
# Check for vulnerabilities and EOL status
medsbom check my-device.sbom.json --device "Insulin Pump" --device-version "2.3.1"
# Generate FDA compliance documents
medsbom report my-device.sbom.json --format all --output ./compliance-docs/
That's it. You now have:
fda_premarket_summary.mdโ Maps to FDA 2023 Cybersecurity Guidance structuresoup_risk_assessment.mdโ IEC 62304 ยง7.1.3 SOUP register with risk levelsvulnerability_review_log.mdโ Timestamped audit evidence
Features
| Feature | Description |
|---|---|
| SBOM Ingestion | CycloneDX and SPDX JSON (from Syft, Trivy, or any scanner) |
| CVE Matching | Cross-reference against NVD with local caching |
| CISA KEV | Flag actively exploited vulnerabilities |
| EOL Detection | Check end-of-life status via endoflife.date |
| Risk Scoring | Composite score: CVSS + KEV + EOL proximity |
| FDA Docs | Premarket Cybersecurity Summary template |
| IEC 62304 | SOUP Risk Assessment table |
| Audit Trail | Immutable, append-only log for regulatory evidence |
| REST API | FastAPI server for integration and dashboards |
| Docker | Single container, no external dependencies |
CLI Commands
medsbom ingest <sbom-file> # Parse and validate an SBOM
medsbom check <sbom-file> # Vulnerability + EOL check
medsbom report <sbom-file> # Generate compliance documents
medsbom audit # View audit trail
medsbom version # Show version
API
Start the API server:
uvicorn medsbom.api.main:app --host 0.0.0.0 --port 8000
Endpoints:
GET /healthโ Health checkPOST /api/v1/scansโ Upload SBOM and run analysisGET /api/v1/scans/{id}โ Get scan resultsGET /api/v1/scans/{id}/report/{format}โ Generate report (fda/soup/vuln)GET /api/v1/auditโ Audit trail
Interactive docs at: http://localhost:8000/docs
Docker
# CLI mode
docker run --rm -v $(pwd):/data medsbom check /data/my-sbom.json
# API mode
docker compose -f docker/docker-compose.yml up
Configuration
| Environment Variable | Description | Default |
|---|---|---|
NVD_API_KEY |
NVD API key (recommended โ 10x faster) | None |
MEDSBOM_CACHE_DIR |
Local cache directory | ~/.medsbom/cache |
MEDSBOM_AUDIT_DB |
Audit database path | ~/.medsbom/audit.db |
Get a free NVD API key: https://nvd.nist.gov/developers/request-an-api-key
Important Disclaimer
โ ๏ธ REGULATORY NOTICE: MedSBOM generates DRAFT compliance documentation to assist with FDA/IEC-62304 workflows. This tool does NOT constitute legal or regulatory advice. All generated output must be reviewed and approved by a qualified regulatory professional before submission to any regulatory body. MedSBOM contributors accept no liability for regulatory decisions made based on this output.
Project Structure
medsbom/
โโโ cli/ # Typer CLI
โโโ core/
โ โโโ ingest.py # SBOM parsing (CycloneDX + SPDX)
โ โโโ cve_match.py # NVD + KEV vulnerability matching
โ โโโ eol_check.py # End-of-life checking
โ โโโ risk_score.py # Composite risk scoring
โ โโโ doc_generator.py # Jinja2 โ Markdown/PDF
โ โโโ audit.py # Append-only audit trail
โ โโโ models.py # Pydantic data models
โโโ api/ # FastAPI REST API
โโโ templates/ # Jinja2 regulatory doc templates
โโโ tests/ # Comprehensive test suite
โโโ examples/ # Sample SBOMs and usage guides
โโโ docker/ # Container deployment
Contributing
We welcome contributions! See CONTRIBUTING.md for guidelines.
Especially welcome:
- Regulatory template improvements (FDA, IEC 62304, ISO 14971, EU MDR)
- Additional SBOM format support
- Integration with more scanners
- Translations of templates
Sponsor
MedSBOM is free and open source. If it saves your team time and money, consider supporting development:
- GitHub Sponsors โ Monthly or one-time support
- Open Collective โ Transparent community funding
- Buy Me a Coffee โ Quick one-time tips
For enterprise support contracts or custom template development, open an issue or email the maintainers.
License
Apache License 2.0 โ see LICENSE.
Chosen specifically for medical device companies: permissive, includes patent grant, no copyleft concerns for proprietary firmware integration.
Built for the medical device community. Free forever.
If MedSBOM helps your team, star the repo and tell your colleagues.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file medsbom-0.1.0.tar.gz.
File metadata
- Download URL: medsbom-0.1.0.tar.gz
- Upload date:
- Size: 57.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c2141c45ebae968a948f66d14b24464d9e57824c6ea5e39ddf97e50e23d912fe
|
|
| MD5 |
e2151b1d04bd74f9ebf88d5324a4f8d6
|
|
| BLAKE2b-256 |
0b5290f8ef4cb6daf1fd82092039fc539d04d20857f81ea469eaaccaee117e96
|
File details
Details for the file medsbom-0.1.0-py3-none-any.whl.
File metadata
- Download URL: medsbom-0.1.0-py3-none-any.whl
- Upload date:
- Size: 36.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1052271aacd17bf6c5f8915eaf21a3b34a5d64f21b6a486e07eaf5a310861e41
|
|
| MD5 |
daa4ed930fc4dc536a987feac7066109
|
|
| BLAKE2b-256 |
92cf20cfda70a3d8d83afbcdeb0178ece0fc485a5b834f702a5a1916295366e3
|