End-to-end SBOM generation and vulnerability intelligence pipeline
sbom-sentinel
Wraps Syft and Grype behind a six-command CLI. Enriches results with the CISA Known Exploited Vulnerabilities (KEV) catalog, supports OpenVEX / CSAF suppression, and produces Markdown, HTML, or audit-ready PDF reports.
Installation
Requires Syft and Grype on PATH.
pip install sbom-sentinel
For PDF output, install the optional extra (needs a GTK runtime on Windows):
pip install 'sbom-sentinel[pdf]'
Quick start
Run the full pipeline against a directory, container image, or Git URL:
sbom-sentinel run --target ./myapp --name myapp --fail-on critical
sbom-sentinel run --target docker:nginx:1.27 --name nginx --fail-on critical
sbom-sentinel run --target https://github.com/org/repo --name repo --fail-on critical
Each stage is also available standalone:
sbom-sentinel sbom --target ./myapp --name myapp
sbom-sentinel scan --sbom sbom_output/myapp_*.spdx.json --name myapp
sbom-sentinel report --scan artifacts/json/myapp_*.json --name myapp
Commands
| Command | Purpose |
|---|---|
| sbom | Generate an SPDX-JSON SBOM via Syft |
| scan | Scan an SBOM via Grype, output JSON or SARIF |
| report | Render Markdown or HTML report with KEV enrichment |
| diff | Compare two scans, surface new / resolved CVEs |
| pdf | Convert an edited markdown report into a PDF audit deliverable |
| run | Orchestrate the full pipeline end-to-end |
Pass --help to any command for the complete option reference.
Workflows
VEX suppression with KEV conflict detection
sbom-sentinel run --sbom sbom.spdx.json --name myapp --vex statements.vex.json
Findings marked not_affected in the VEX document are suppressed. If a suppressed CVE is also in the CISA KEV catalog, the report flags it as a conflict requiring manual review.
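The suppression-plus-conflict logic above, as an added example that is not sbom-sentinel's own code. It assumes only the documented shapes of its three inputs (Grype JSON `matches[]`, OpenVEX `statements[]`, and the `vulnerabilities[].cveID` field of the CISA KEV feed); the sample documents are constructed and trimmed to the fields read, and the `CVE-0000-*` identifiers are placeholders, not real CVEs. A statement only suppresses a match for the exact product it names, so a VEX assertion written for one package version does not silently carry over to another.

```python
"""Added example (not sbom-sentinel code): apply OpenVEX not_affected statements
to Grype matches, scoped to the stated product, and flag suppressed KEV entries."""
import json

# Constructed Grype output, trimmed to the fields this example reads.
GRYPE_JSON = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2021-44228", "severity": "Critical"},
         "artifact": {"name": "log4j-core", "version": "2.14.1",
                      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}},
        {"vulnerability": {"id": "CVE-0000-1001", "severity": "High"},   # placeholder ID
         "artifact": {"name": "libfoo", "version": "1.0.0",
                      "purl": "pkg:deb/debian/libfoo@1.0.0"}},
        {"vulnerability": {"id": "CVE-0000-1002", "severity": "Medium"}, # placeholder ID
         "artifact": {"name": "libbar", "version": "2.1.0",
                      "purl": "pkg:deb/debian/libbar@2.1.0"}},
    ]
})

# Constructed OpenVEX document. The last two statements show the two ways a
# statement fails to suppress: wrong status, and a product that is not in the scan.
OPENVEX_JSON = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.com/vex/myapp-1",           # assumed document ID
    "author": "myapp security team",
    "timestamp": "2026-01-15T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-2021-44228"},
         "products": [{"@id": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-1001"},
         "products": [{"@id": "pkg:deb/debian/libfoo@1.0.0"}],
         "status": "not_affected", "justification": "component_not_present"},
        {"vulnerability": {"name": "CVE-0000-1002"},
         "products": [{"@id": "pkg:deb/debian/libbar@2.1.0"}],
         "status": "under_investigation"},
        {"vulnerability": {"name": "CVE-0000-1002"},
         "products": [{"@id": "pkg:deb/debian/libbar@1.0.0"}],   # not the scanned version
         "status": "not_affected", "justification": "component_not_present"},
    ],
})

# Constructed subset of the CISA KEV feed; only cveID is consulted.
KEV_JSON = json.dumps({"vulnerabilities": [{"cveID": "CVE-2021-44228"}]})


def load_vex_suppressions(vex_doc):
    """Return the set of (cve, product_id) pairs asserted not_affected."""
    suppressed = set()
    for st in vex_doc.get("statements", []):
        if st.get("status") != "not_affected":
            continue
        vuln = st.get("vulnerability")
        cve = vuln["name"] if isinstance(vuln, dict) else vuln   # v0.2 object or v0.1 string
        for prod in st.get("products", []):
            pid = prod["@id"] if isinstance(prod, dict) else prod
            suppressed.add((cve, pid))
    return suppressed


def apply_vex(grype_doc, vex_doc, kev_doc):
    """Split Grype matches into active / suppressed, and list suppressed KEV conflicts."""
    suppressed = load_vex_suppressions(vex_doc)
    kev_ids = {v["cveID"] for v in kev_doc.get("vulnerabilities", [])}
    result = {"active": [], "suppressed": [], "conflicts": []}
    for m in grype_doc.get("matches", []):
        cve = m["vulnerability"]["id"]
        purl = m["artifact"].get("purl")
        entry = {"cve": cve, "purl": purl,
                 "severity": m["vulnerability"].get("severity"),
                 "kev": cve in kev_ids}
        if (cve, purl) in suppressed:
            result["suppressed"].append(entry)
            if entry["kev"]:                      # VEX says not_affected, CISA says exploited
                result["conflicts"].append(entry)
        else:
            result["active"].append(entry)
    return result


def demo():
    return apply_vex(json.loads(GRYPE_JSON), json.loads(OPENVEX_JSON), json.loads(KEV_JSON))


if __name__ == "__main__":
    for bucket, entries in demo().items():
        print(bucket, [e["cve"] for e in entries])
```

In this sample CVE-2021-44228 ends up suppressed but listed under `conflicts`, and CVE-0000-1002 stays active because neither statement about it both has status `not_affected` and names the scanned product. The conflict bucket is the one to route to a human: a KEV entry means exploitation has been observed in the wild, so a `not_affected` claim for it deserves a second look at the justification.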
PDF audit deliverables
sbom-sentinel run --target ./myapp --name myapp # produces markdown
$EDITOR artifacts/reports/markdown/myapp_*.md # fill Assessment + Conclusion blocks
sbom-sentinel pdf # latest markdown -> PDF
Each Conclusion blockquote should contain Not applicable, Acceptable, or Unacceptable. The PDF includes an auto-populated Assessment Matrix derived from those classifications. Unfilled entries are auto-classified by a heuristic (Negligible -> Not applicable; KEV-flagged Critical/High -> Unacceptable) or surfaced as Pending.
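The classification rules above, as an added example that is not the project's own renderer. The Markdown layout is an assumption made for the example (one `## CVE-...` section per finding with `> Assessment:` and `> Conclusion:` blockquotes); the report excerpt and the severity/KEV table are constructed, and `CVE-0000-*` are placeholder identifiers. A filled Conclusion always wins; the heuristic only applies to empty or missing ones, and a separate check surfaces manual "Acceptable" / "Not applicable" verdicts on KEV-listed findings for review.

```python
"""Added example (not sbom-sentinel code): derive an Assessment Matrix from
Conclusion blockquotes, falling back to the documented heuristic."""
import re

VALID = ("Not applicable", "Acceptable", "Unacceptable")

# Constructed report excerpt in an assumed layout.
REPORT_MD = """\
## CVE-2021-44228

> Assessment: log4j-core 2.14.1 is loaded; JNDI lookups are reachable from request handling.

> Conclusion: Unacceptable

## CVE-0000-1001

> Assessment: Package is a build-time dependency only.

> Conclusion: Not applicable.

## CVE-0000-1002

> Assessment:

> Conclusion:
"""

# Constructed finding metadata (placeholder CVE IDs). CVE-0000-1003/1004 have no
# section in the report at all, i.e. the analyst never got to them.
FINDINGS = {
    "CVE-2021-44228": {"severity": "Critical", "kev": True},
    "CVE-0000-1001": {"severity": "High", "kev": True},
    "CVE-0000-1002": {"severity": "Negligible", "kev": False},
    "CVE-0000-1003": {"severity": "High", "kev": True},
    "CVE-0000-1004": {"severity": "High", "kev": False},
}

SECTION_RE = re.compile(r"^## (CVE-\d{4}-\d{4,})[ \t]*$", re.M)
CONCLUSION_RE = re.compile(r"^> Conclusion:[ \t]*(.*)$", re.M)


def normalize(text):
    """Map free text to one of VALID, or None if it is empty or unrecognised."""
    t = text.strip().rstrip(".").lower()
    for v in VALID:                 # exact match, so 'Unacceptable' never reads as 'Acceptable'
        if t == v.lower():
            return v
    return None


def parse_conclusions(md):
    """Return {cve: normalized conclusion or None} for each section in the report."""
    parts = SECTION_RE.split(md)    # [preamble, cve1, body1, cve2, body2, ...]
    out = {}
    for cve, body in zip(parts[1::2], parts[2::2]):
        m = CONCLUSION_RE.search(body)
        out[cve] = normalize(m.group(1)) if m else None
    return out


def classify(finding, conclusion):
    """Return (classification, source) where source is 'manual' or 'heuristic'."""
    if conclusion in VALID:
        return conclusion, "manual"
    sev = (finding.get("severity") or "").lower()
    if sev == "negligible":
        return "Not applicable", "heuristic"
    if finding.get("kev") and sev in ("critical", "high"):
        return "Unacceptable", "heuristic"
    return "Pending", "heuristic"


def assessment_matrix(findings, md):
    conclusions = parse_conclusions(md)
    return {cve: classify(f, conclusions.get(cve)) for cve, f in findings.items()}


def review_flags(findings, md):
    """KEV-listed findings an analyst manually waved through; worth a second reviewer."""
    matrix = assessment_matrix(findings, md)
    return sorted(cve for cve, (cls, src) in matrix.items()
                  if src == "manual" and cls != "Unacceptable" and findings[cve].get("kev"))


if __name__ == "__main__":
    for cve, (cls, src) in assessment_matrix(FINDINGS, REPORT_MD).items():
        print(f"{cve:16} {cls:15} ({src})")
    print("review:", review_flags(FINDINGS, REPORT_MD))
```

Anything that lands in `Pending` is a finding the PDF cannot vouch for, so treat a non-empty Pending column as a reason not to ship the deliverable yet rather than as a cosmetic gap.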
Diff between scans
sbom-sentinel diff \
--old artifacts/json/myapp_20260101.json \
--new artifacts/json/myapp_20260201.json \
--name myapp
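What a scan-to-scan diff has to decide, as an added example that is not the project's `diff` implementation. It reads the documented Grype JSON `matches[]` shape and nothing else; both scan documents are constructed, and `CVE-0000-*` are placeholder identifiers. Matches are keyed by (CVE, package name) rather than by package URL so that a version bump that leaves the CVE in place shows up as a single persisting finding instead of one resolved plus one new. It goes one step beyond the page by also reporting severity re-ratings and by offering a threshold check over new findings only, which is the regression gate most CI pipelines actually want.

```python
"""Added example (not sbom-sentinel code): diff two Grype scans and gate on new
findings at or above a severity threshold."""
import json

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed "old" and "new" scans (placeholder CVE IDs except CVE-2021-44228).
OLD_SCAN = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2021-44228", "severity": "Critical"},
     "artifact": {"name": "log4j-core", "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}},
    {"vulnerability": {"id": "CVE-0000-1001", "severity": "High"},
     "artifact": {"name": "libfoo", "version": "1.0.0", "purl": "pkg:deb/debian/libfoo@1.0.0"}},
    {"vulnerability": {"id": "CVE-0000-1002", "severity": "Medium"},
     "artifact": {"name": "libbar", "version": "2.1.0", "purl": "pkg:deb/debian/libbar@2.1.0"}},
]})
NEW_SCAN = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-1001", "severity": "Critical"},   # re-rated upward
     "artifact": {"name": "libfoo", "version": "1.0.0", "purl": "pkg:deb/debian/libfoo@1.0.0"}},
    {"vulnerability": {"id": "CVE-0000-1002", "severity": "Medium"},
     "artifact": {"name": "libbar", "version": "2.1.0", "purl": "pkg:deb/debian/libbar@2.1.0"}},
    {"vulnerability": {"id": "CVE-0000-1005", "severity": "High"},       # newly introduced
     "artifact": {"name": "libbaz", "version": "3.0.0", "purl": "pkg:deb/debian/libbaz@3.0.0"}},
]})


def index_matches(doc):
    """Key each match by (cve, package name)."""
    return {(m["vulnerability"]["id"], m["artifact"]["name"]): m for m in doc.get("matches", [])}


def describe(m):
    return {"cve": m["vulnerability"]["id"], "name": m["artifact"]["name"],
            "version": m["artifact"].get("version"),
            "severity": m["vulnerability"].get("severity")}


def diff_scans(old_doc, new_doc):
    """Bucket findings into new / resolved / rerated / unchanged, sorted for stable output."""
    old, new = index_matches(old_doc), index_matches(new_doc)
    result = {"new": [], "resolved": [], "rerated": [], "unchanged": []}
    for key in sorted(new.keys() - old.keys()):
        result["new"].append(describe(new[key]))
    for key in sorted(old.keys() - new.keys()):
        result["resolved"].append(describe(old[key]))
    for key in sorted(old.keys() & new.keys()):
        before = old[key]["vulnerability"].get("severity")
        after = new[key]["vulnerability"].get("severity")
        if before != after:
            result["rerated"].append({**describe(new[key]), "previous_severity": before})
        else:
            result["unchanged"].append(describe(new[key]))
    return result


def new_findings_at_or_above(diff, threshold):
    """True if any *new* finding is at or above the threshold; re-ratings are reported, not gated."""
    floor = SEVERITY_RANK[threshold.lower()]
    return any(SEVERITY_RANK.get((e["severity"] or "").lower(), -1) >= floor for e in diff["new"])


def demo_diff():
    return diff_scans(json.loads(OLD_SCAN), json.loads(NEW_SCAN))


if __name__ == "__main__":
    d = demo_diff()
    for bucket in ("new", "resolved", "rerated", "unchanged"):
        print(bucket, [(e["cve"], e["name"], e["severity"]) for e in d[bucket]])
    print("gate(high):", new_findings_at_or_above(d, "high"))
```

One caveat when reading the `resolved` bucket: a finding disappears just as readily because Grype's database changed or because a package was dropped from the image as because it was actually patched, so "resolved" between two scans is evidence, not proof, until the package versions are compared.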
Exit codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Runtime error: tool not found, scan threshold met, timeout, or parse failure |
| 2 | Usage error: missing required option or invalid argument |
Development
git clone https://github.com/Dashtid/sbom-sentinel.git
cd sbom-sentinel
uv sync
uv run pytest
Coverage gate: 100% line + 100% branch. Lint, type, and security checks all run in CI. See CONTRIBUTING.md for the full development guide and docs/ARCHITECTURE.md for an overview of the codebase.
File details
Details for the file sbom_sentinel-1.1.1.tar.gz.
File metadata
- Download URL: sbom_sentinel-1.1.1.tar.gz
- Upload date:
- Size: 117.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.11.8 {"installer":{"name":"uv","version":"0.11.8","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | b5170a3c0b9e70db211c40f460230cd48bda6b1db2185a3a95816584b8c7c60d |
| MD5 | 80a39cde69227041ad4ccae59d0f3983 |
| BLAKE2b-256 | e98cde84ab966d3a3007291e16a04c6deb8c6f07cb224062b0809d5d0d43a4fb |
File details
Details for the file sbom_sentinel-1.1.1-py3-none-any.whl.
File metadata
- Download URL: sbom_sentinel-1.1.1-py3-none-any.whl
- Upload date:
- Size: 30.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.11.8 {"installer":{"name":"uv","version":"0.11.8","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | cfd7c7f0dc591508dba1ad558aacaedbbc7627c89500cd05656da47141fbad03 |
| MD5 | 6d18a36cf18ea706bc2cfa1f452a9e00 |
| BLAKE2b-256 | c2d8d3c609feb8feb5c9eb9f469062348b74a6c77a20b78d57858118f51a9367 |