xbom icon indicating copy to clipboard operation
xbom copied to clipboard

Published 2 months ago â€ĸ verified publisher icon safedep
→

Metadata

Generate xBOMs enriched with AI, SaaS, Crypto and more using Static Code Analysis

SafeDep xBom

Generate BOMs enriched with AI, SaaS and more using Static Code Analysis

Go Report Card License Release OpenSSF Scorecard SLSA 3 CodeQL Go Reference

đŸŽ¯ Why xbom?

Modern applications rely on so much more than just open-source libraries. They often include:

  • AI SDKs 🧠
  • ML models 🤖
  • 3rd party SaaS APIs ☁ī¸
  • Cryptographic algorithms 🔑

xbom is designed to build comprehensive bill of material (BOM) for software dependencies beyond just 3rd party libraries, using semantic code analysis and simple YAML based signatures.

✅ Beyond Manifests - xbom builds inventory using actual evidence from your codebase

✅ Extensible Signatures - add your own signatures over community maintained repository

✅ Robust Compliance - single tool to comply with all your software supply chain compliances

✅ Multi-ecosystem support — Java, Python, Go and more coming up !

👀 xbom in action

xbom-cli

⚡ Quick Start

# Installation on macOS & Linux
brew install safedep/tap/xbom

or download a pre-built binary

# Generate BOM for your source code
xbom generate --dir /path/to/code --bom /path/to/bom.cdx.json

This will generate a CycloneDX v1.6 SBOM with AI components detected in the code base.

Supported Languages

Currently, xbom supports the following programming languages:

Language Status
Python ✅ Active
Java ✅ Active
Go ✅ Active
Javascript ✅ Active

Supported BOMs

AI

LangChain Anthropic
CrewAI OpenAI

Cloud

GCP Azure
ℹī¸ To request support for a new framework, please create an issue.

👀 Visual convenience

We generate BOMs as JSON files following CycloneDX SPEC. For a quick overview, you can view the BOM in an interactive HTML output linked in console output.

xbom-demo

Development

Signatures

xbom maintains community driven signatures for popular SDKs, APIs and libraries in signatures/ following file naming convention - signatures/$vendor/$product/$service.yml. To add new signatures, refer contributing signatures guide.

Contributing

Refer to CONTRIBUTING.md

Limitations

xbom is currently limited to AI BOM generation only. It uses static code analysis to identify AI products used in the code base. For generating a more comprehensive SBOM with library dependencies, you can use vet.

Telemetry

xbom collects anonymous telemetry to help us understand how it is used and improve the product. To disable telemetry, set XBOM_DISABLE_TELEMETRY environment variable to true.

export XBOM_DISABLE_TELEMETRY=true

← Metadata

21
Stars
2
Forks
21
Watchers

Owner

verified publisher icon safedep

Metadata

Generate xBOMs enriched with AI, SaaS, Crypto and more using Static Code Analysis

Back