End-to-end SBOM generation and vulnerability intelligence pipeline
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
sbom-sentinel
SBOM generation and vulnerability intelligence pipeline.
Wraps Syft and Grype behind a four-command CLI, enriches results with the CISA Known Exploited Vulnerabilities (KEV) catalog, and produces a timestamped Markdown report.
Installation
Requires Syft and Grype on PATH.
pip install sbom-sentinel
Quick Start
Run the full pipeline (SBOM + scan + report) in one command:
sbom-sentinel run --target ./myapp --name myapp --fail-on high
sbom-sentinel run --target docker:nginx:latest --name nginx --fail-on high
sbom-sentinel run --target https://github.com/org/repo --name repo --fail-on high
Or run each stage individually:
sbom-sentinel sbom --target ./myapp --name myapp
sbom-sentinel scan --sbom sbom_output/myapp_*.spdx.json --name myapp --fail-on high
sbom-sentinel report --scan artifacts/json/myapp_*.json --name myapp
Generate an HTML report instead of Markdown:
sbom-sentinel run --target ./myapp --name myapp --report-format html
Features
- SPDX-JSON SBOMs from local directories, container images, or Git URLs
- Vulnerability scanning via Grype with severity gating (
--fail-on) - CISA KEV enrichment with date-stamped local cache
- OpenVEX / CSAF suppression with KEV conflict detection
- Markdown or standalone HTML reports
- JSON or SARIF scan output for GitHub Code Scanning
- Verbose mode (
-v) for diagnostic output
Commands
| Command | Description |
|---|---|
sbom |
Generate an SPDX-JSON SBOM via Syft |
scan |
Scan an SBOM for vulnerabilities via Grype |
report |
Generate a Markdown or HTML report with KEV enrichment |
run |
Run the full pipeline (sbom + scan + report, or scan + report from an existing SBOM) |
Pass --help to any command for the full option reference.
VEX suppression
Pass an OpenVEX or CSAF document to suppress findings marked not_affected. Any suppressed CVE that also appears in CISA KEV is flagged as a conflict requiring manual review.
sbom-sentinel run --sbom sbom.spdx.json --name myapp --vex statements.vex.json
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Runtime error -- tool not found, scan threshold met, timeout, or parse failure |
| 2 | Usage error -- missing required option or invalid argument |
Development
git clone https://github.com/Dashtid/sbom-sentinel.git
cd sbom-sentinel
uv sync
uv run pytest
uv run ruff check .
uv run mypy sbom_sentinel
See CONTRIBUTING.md for full guidelines.
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file sbom_sentinel-1.0.0.tar.gz.
File metadata
- Download URL: sbom_sentinel-1.0.0.tar.gz
- Upload date:
- Size: 63.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.11.6 {"installer":{"name":"uv","version":"0.11.6","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f098f8d5affbde3517e10777aecc44b90c0edfeb7669080c6358436889e41cc3
|
|
| MD5 |
a7a497575f175f01707cef443372db01
|
|
| BLAKE2b-256 |
f4a8b7104ebfb23aa7c7154b3e4451e224a5b4a8c849a8c7d07a784b2f87cc3d
|
File details
Details for the file sbom_sentinel-1.0.0-py3-none-any.whl.
File metadata
- Download URL: sbom_sentinel-1.0.0-py3-none-any.whl
- Upload date:
- Size: 17.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.11.6 {"installer":{"name":"uv","version":"0.11.6","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
427894ec56dc78f71c9c9cf98b178c3dabc95ceba87803e0b0b06d4f22e746f0
|
|
| MD5 |
1e5f7ec73327e377f26cc443046e84a4
|
|
| BLAKE2b-256 |
5eae17fea3e11091f660eccfae106e0f89de9db2b60d7da2f0caec11f49164d9
|
