End-to-end SBOM generation and vulnerability intelligence pipeline
Project description
sbom-sentinel
SBOM generation and vulnerability intelligence pipeline.
Wraps Syft and Grype behind a six-command CLI, enriches results with the CISA Known Exploited Vulnerabilities (KEV) catalog, and produces a timestamped Markdown report.
Installation
Requires Syft and Grype on PATH.
pip install sbom-sentinel
For PDF rendering (audit deliverables), install the optional extra:
pip install 'sbom-sentinel[pdf]'
PDF rendering uses WeasyPrint, which needs a GTK runtime on Windows — see the WeasyPrint install docs. On Linux/macOS the pip install is sufficient.
Quick Start
Run the full pipeline (SBOM + scan + report) in one command:
sbom-sentinel run --target ./myapp --name myapp --fail-on high
sbom-sentinel run --target docker:nginx:latest --name nginx --fail-on high
sbom-sentinel run --target https://github.com/org/repo --name repo --fail-on high
Or run each stage individually:
sbom-sentinel sbom --target ./myapp --name myapp
sbom-sentinel scan --sbom sbom_output/myapp_*.spdx.json --name myapp --fail-on high
sbom-sentinel report --scan artifacts/json/myapp_*.json --name myapp
Generate an HTML report instead of Markdown:
sbom-sentinel run --target ./myapp --name myapp --report-format html
Compare two scans to see what changed:
sbom-sentinel diff --old artifacts/json/myapp_old.json --new artifacts/json/myapp_new.json --name myapp
Convert the latest Markdown report to PDF (after filling in the Assessment / Conclusion blocks):
sbom-sentinel pdf
Features
- SPDX-JSON SBOMs from local directories, container images, or Git URLs
- Vulnerability scanning via Grype with severity gating (--fail-on)
- CISA KEV enrichment with date-stamped local cache
- OpenVEX / CSAF suppression with KEV conflict detection
- Markdown or standalone HTML reports
- PDF audit deliverables with auto-populated Assessment Matrix
- JSON or SARIF scan output for GitHub Code Scanning
- Verbose mode (-v) for diagnostic output
Commands
| Command | Description |
|---|---|
| sbom | Generate an SPDX-JSON SBOM via Syft |
| scan | Scan an SBOM for vulnerabilities via Grype |
| report | Generate a Markdown or HTML report with KEV enrichment |
| diff | Compare two scans and report new / resolved CVEs |
| pdf | Convert a user-edited Markdown report into a PDF audit deliverable |
| run | Run the full pipeline (sbom + scan + report, or scan + report from an existing SBOM) |
Pass --help to any command for the full option reference.
VEX suppression
Pass an OpenVEX or CSAF document to suppress findings marked not_affected. Any suppressed CVE that also appears in CISA KEV is flagged as a conflict requiring manual review.
sbom-sentinel run --sbom sbom.spdx.json --name myapp --vex statements.vex.json
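As an added illustration (not sbom-sentinel's own code), a minimal Python model of the flow the README describes: Grype matches are enriched against the CISA KEV catalog, OpenVEX not_affected statements suppress findings, a suppression on a KEV-listed CVE is flagged as a conflict, and the --fail-on gate decides the exit code. Input shapes follow the public Grype JSON, KEV catalog and OpenVEX formats; treating a conflict as not-suppressed and the placeholder CVE ids are assumptions made here.

```python
from dataclasses import dataclass
# Severity ladder for --fail-on gating (assumption: Grype's severity labels, lowercased).
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Finding:
    cve: str
    severity: str
    in_kev: bool = False
    suppressed: bool = False    # VEX not_affected statement applied
    kev_conflict: bool = False  # not_affected claim on a KEV-listed CVE
def findings_from_grype(grype_json: dict) -> list[Finding]:
    # Flatten Grype's JSON "matches" array (field names follow Grype's output format).
    return [Finding(m["vulnerability"]["id"], m["vulnerability"]["severity"].lower())
            for m in grype_json["matches"]]

def not_affected_ids(openvex: dict) -> set[str]:
    # CVE ids an OpenVEX document marks not_affected; "vulnerability" is a str or {"name": ...}.
    ids = set()
    for st in openvex.get("statements", []):
        if st.get("status") == "not_affected":
            v = st["vulnerability"]
            ids.add(v if isinstance(v, str) else v["name"])
    return ids

def enrich(findings: list[Finding], kev_ids: set[str], vex_ids: set[str]) -> list[Finding]:
    for f in findings:
        f.in_kev = f.cve in kev_ids
        f.kev_conflict = f.cve in vex_ids and f.in_kev
        # Assumption: a conflicting suppression is surfaced for manual review, not applied.
        f.suppressed = f.cve in vex_ids and not f.in_kev
    return findings

def exit_code(findings: list[Finding], fail_on: str) -> int:
    # 1 when any unsuppressed finding meets the --fail-on threshold, else 0.
    threshold = SEVERITY_RANK[fail_on.lower()]
    return int(any(not f.suppressed and SEVERITY_RANK.get(f.severity, -1) >= threshold
                   for f in findings))
# Constructed sample inputs with placeholder CVE ids (not real vulnerabilities).
GRYPE = {"matches": [{"vulnerability": {"id": "CVE-0000-0001", "severity": "High"}},
                     {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium"}},
                     {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low"}}]}
KEV = {"vulnerabilities": [{"cveID": "CVE-0000-0001"}]}  # CISA KEV catalog shape
VEX = {"statements": [{"vulnerability": {"name": "CVE-0000-0001"}, "status": "not_affected"},
                      {"vulnerability": "CVE-0000-0002", "status": "not_affected"}]}

def run_pipeline(fail_on: str = "high") -> tuple[list[Finding], int]:
    kev_ids = {v["cveID"] for v in KEV["vulnerabilities"]}
    findings = enrich(findings_from_grype(GRYPE), kev_ids, not_affected_ids(VEX))
    return findings, exit_code(findings, fail_on)
```

With the constructed inputs, the KEV-listed CVE keeps the run at exit code 1 under --fail-on high even though VEX claims not_affected, while the medium finding is cleanly suppressed.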
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Runtime error -- tool not found, scan threshold met, timeout, or parse failure |
| 2 | Usage error -- missing required option or invalid argument |
Development
git clone https://github.com/Dashtid/sbom-sentinel.git
cd sbom-sentinel
uv sync
uv run pytest
uv run ruff check .
uv run mypy sbom_sentinel
See CONTRIBUTING.md for full guidelines.
File details
Details for the file sbom_sentinel-1.1.0.tar.gz.
File metadata
- Download URL: sbom_sentinel-1.1.0.tar.gz
- Upload date:
- Size: 106.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.11.7
File details
Details for the file sbom_sentinel-1.1.0-py3-none-any.whl.
File metadata
- Download URL: sbom_sentinel-1.1.0-py3-none-any.whl
- Upload date:
- Size: 29.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.11.7