.png)
3 days ago
2
Generate BOMs enriched with AI, SaaS and more using Static Code Analysis
Modern applications rely on much more than just open-source libraries. They often include:
- AI SDKs 🧠
- ML models 🤖
- 3rd party SaaS APIs ☁️
- Cryptographic algorithms 🔑
✅ Beyond Manifests - xbom builds inventory using actual evidence from your codebase
✅ Extensible Signatures - add your own signatures over community maintained repository
✅ Robust Compliance - single tool to comply with all your software supply chain compliances
✅ Multi-ecosystem support — Java, Python and more coming up !
or download a pre-built binary
This will generate a CycloneDX v1.6 SBOM with AI components detected in the code base.
Currently, xbom supports the following programming languages:
| Python | ✅ Active |
| Java | ✅ Active |
| JavaScript | 🚧 WIP |
ℹ️ To request support for a new framework, please create an issue.
We generate BOMs as JSON files following CycloneDX SPEC. For a quick overview, you can view the BOM in an interactive HTML output linked in console output.
xbom maintains community driven signatures for popular SDKs, APIs and libraries in signatures/ following file naming convention - signatures/$vendor/$product/$service.yml. To add new signatures, refer contributing signatures guide.
Refer to CONTRIBUTING.md
xbom is currently limited to AI BOM generation only. It uses static code analysis to identify AI products used in the code base. For generating a more comprehensive SBOM with library dependencies, you can use vet.
xbom collects anonymous telemetry to help us understand how it is used and improve the product. To disable telemetry, set XBOM_DISABLE_TELEMETRY environment variable to true.
