tools.yaml

---

# `description` will be truncated at 250 characters
# `categories` values MUST be the keys from `tool-categories.yml` file

- name: CycloneDX Core for Java
  publisher: CycloneDX
  description: Library which facilitates the creation of SBOMs from Java objects,
    parsing of existing SBOMs into an object model, and validation of SBOMs
  repoUrl: https://github.com/CycloneDX/cyclonedx-core-java
  websiteUrl: https://github.com/CycloneDX/cyclonedx-core-java
  categories:
  - opensource
  - library
- name: CycloneDX for .NET
  publisher: CycloneDX
  description: Creates CycloneDX Software Bill of Materials (SBOM) from .NET Projects
  repoUrl: https://github.com/CycloneDX/cyclonedx-dotnet
  websiteUrl: https://www.nuget.org/packages/CycloneDX/
  categories:
  - opensource
  - build-integration
- name: CycloneDX Libraries for .NET
  publisher: CycloneDX
  description: ".NET libraries to consume and produce CycloneDX Software Bill of Materials (SBOM)"
  repoUrl: https://github.com/CycloneDX/cyclonedx-dotnet-library
  websiteUrl: https://www.nuget.org/profiles/CycloneDX
  categories:
  - opensource
  - library
- name: CycloneDX JavaScript Library
  publisher: CycloneDX
  description: Core functionality of CycloneDX for JavaScript (Node.js or WebBrowser) written in TypeScript.
  repoUrl: https://github.com/CycloneDX/cyclonedx-javascript-library
  websiteUrl: https://www.npmjs.com/package/%40cyclonedx/cyclonedx-library
  categories:
  - opensource
  - library
- name: CycloneDX for Node.js
  publisher: CycloneDX
  description: Creates CycloneDX SBOMs for Node.js projects.
  repoUrl: https://github.com/CycloneDX/cyclonedx-node-module
  websiteUrl: https://www.npmjs.com/package/%40cyclonedx/bom
  categories:
  - opensource
  - build-integration
- name: CycloneDX for NPM
  publisher: CycloneDX
  description: Creates CycloneDX SBOMs for Node.js NPM projects.
  repoUrl: https://github.com/CycloneDX/cyclonedx-node-npm
  websiteUrl: https://www.npmjs.com/package/%40cyclonedx/cyclonedx-npm
  categories:
  - opensource
  - build-integration
- name: CycloneDX for Yarn
  publisher: CycloneDX
  description: Create CycloneDX Software Bill of Materials (SBOM) from Node.js Yarn projects.
  repoUrl: https://github.com/CycloneDX/cyclonedx-node-yarn
  websiteUrl: https://yarnpkg.com/package?name=%40cyclonedx%2Fyarn-plugin-cyclonedx
  categories:
  - opensource
  - build-integration
- name: CycloneDX for Webpack
  publisher: CycloneDX
  description: Creates CycloneDX SBOMs for frontend Javascript applications that have
    been bundled with webpack.
  repoUrl: https://github.com/CycloneDX/cyclonedx-webpack-plugin
  websiteUrl: https://github.com/CycloneDX/cyclonedx-webpack-plugin
  categories:
  - opensource
  - build-integration
- name: CycloneDX for Maven
  publisher: CycloneDX
  description: Creates CycloneDX SBOMs for Java (Maven) projects
  repoUrl: https://github.com/CycloneDX/cyclonedx-maven-plugin
  websiteUrl: https://github.com/CycloneDX/cyclonedx-maven-plugin
  categories:
  - opensource
  - build-integration
- name: CycloneDX library for Go
  publisher: CycloneDX
  description: Go library to consume and produce CycloneDX Software Bill of Materials
    (SBOM)
  repoUrl: https://github.com/CycloneDX/cyclonedx-go
  websiteUrl: https://github.com/CycloneDX/cyclonedx-go
  categories:
  - opensource
  - library
- name: CycloneDX for Go modules
  publisher: CycloneDX
  description: Creates CycloneDX Software Bill of Materials (SBOM) from Go modules
  repoUrl: https://github.com/CycloneDX/cyclonedx-gomod
  websiteUrl: https://github.com/CycloneDX/cyclonedx-gomod
  categories:
  - opensource
  - build-integration
- name: CycloneDX for Gradle
  publisher: CycloneDX
  description: Creates CycloneDX SBOMs for Java (Gradle) projects
  repoUrl: https://github.com/CycloneDX/cyclonedx-gradle-plugin
  websiteUrl: https://plugins.gradle.org/plugin/org.cyclonedx.bom
  categories:
  - opensource
  - build-integration
- name: CycloneDX for PHP Composer
  publisher: CycloneDX
  description: Creates CycloneDX SBOMs for PHP Composer projects
  repoUrl: https://github.com/CycloneDX/cyclonedx-php-composer
  websiteUrl: https://packagist.org/packages/cyclonedx/cyclonedx-php-composer
  categories:
  - opensource
  - build-integration
- name: CycloneDX PHP Library
  publisher: CycloneDX
  description: Work with CycloneDX data format in PHP
  repoUrl: https://github.com/CycloneDX/cyclonedx-php-library
  websiteUrl: https://packagist.org/packages/cyclonedx/cyclonedx-library
  categories:
  - opensource
  - library
- name: CycloneDX for Python
  publisher: CycloneDX
  description: Creates CycloneDX SBOMs for Python projects
  repoUrl: https://github.com/CycloneDX/cyclonedx-python
  websiteUrl: https://pypi.org/project/cyclonedx-bom/
  categories:
  - opensource
  - build-integration
- name: CycloneDX Python Library
  publisher: CycloneDX
  description: Python Library for generating CycloneDX SBOMs
  repoUrl: https://github.com/CycloneDX/cyclonedx-python-lib
  websiteUrl: https://pypi.org/project/cyclonedx-python-lib/
  categories:
  - opensource
  - library
- name: CycloneDX for Ruby Gems
  publisher: CycloneDX
  description: Creates CycloneDX SBOMs for Ruby projects
  repoUrl: https://github.com/CycloneDX/cyclonedx-ruby-gem
  websiteUrl: https://rubygems.org/gems/cyclonedx-ruby
  categories:
  - opensource
  - build-integration
- name: CycloneDX for Rust Cargo
  publisher: CycloneDX
  description: Creates CycloneDX SBOMs for Rust Cargo projects
  repoUrl: https://github.com/CycloneDX/cyclonedx-rust-cargo
  websiteUrl: https://crates.io/crates/cyclonedx-bom
  categories:
  - opensource
  - build-integration
- name: CycloneDX for SBT (Scala)
  publisher: Fabrizio Di Giuseppe
  description: Creates CycloneDX SBOMs for SBT (Scala) projects
  repoUrl: https://github.com/siculo/sbt-bom
  websiteUrl: https://github.com/siculo/sbt-bom
  categories:
  - opensource
  - build-integration
- name: CycloneDX for Erlang/Elixir (Mix)
  publisher: Bram Verburg
  description: Creates CycloneDX SBOMs for Mix projects
  repoUrl: https://github.com/voltone/sbom
  websiteUrl: https://hex.pm/packages/sbom
  categories:
  - opensource
  - build-integration
- name: CycloneDX for Erlang/Elixir (Rebar3)
  publisher: Bram Verburg
  description: Creates CycloneDX SBOMs for Rebar3 projects
  repoUrl: https://github.com/voltone/rebar3_sbom
  websiteUrl: https://hex.pm/packages/rebar3_sbom
  categories:
  - opensource
  - build-integration
- name: CycloneDX for Go
  publisher: OZON
  description: Creates CycloneDX SBOMs for Go projects
  repoUrl: https://github.com/ozonru/cyclonedx-go
  websiteUrl: https://github.com/ozonru/cyclonedx-go
  categories:
  - opensource
  - build-integration
- name: CycloneDX for Bower
  publisher: Hans Thorhauge Dam
  description: Creates CycloneDX SBOMs for Javascript projects using Bower
  repoUrl: https://github.com/hanstdam/cdx-bower-bom
  websiteUrl: https://www.npmjs.com/package/cdx-bower-bom
  categories:
  - opensource
  - build-integration
- name: cdxgen
  publisher: CycloneDX
  description: Creates CycloneDX Software Bill of Materials (SBOM) for multiple languages,
    container images, and OS. Use as a CLI tool or integrate as a library
  repoUrl: https://github.com/CycloneDX/cdxgen
  websiteUrl: https://github.com/CycloneDX/cdxgen
  categories:
  - opensource
  - build-integration
- name: CycloneDX-Buildroot
  publisher: CycloneDX
  description: The CycloneDX-buildroot module creates a valid CycloneDX
    bill of materials from buildroot manifest.csv files. Note that any formatted manifest.csv can
    be parsed for an arbitrary project spread sheet of software packages as indicated in the documentation.
  repoUrl: https://github.com/CycloneDX/cyclonedx-buildroot
  websiteUrl: https://github.com/CycloneDX/cyclonedx-buildroot
  categories:
  - opensource
  - build-integration
- name: Eclipse SW360 Antenna
  publisher: Eclipse
  description: Creates CycloneDX SBOMs from Maven projects
  repoUrl: https://github.com/eclipse/antenna
  websiteUrl: https://www.eclipse.org/antenna
  categories:
  - opensource
  - build-integration
- name: CycloneDX Node.js Generate SBOM
  publisher: CycloneDX
  description: Creates CycloneDX SBOMs from Node.js (NPM) projects via GitHub action
  repoUrl: https://github.com/CycloneDX/gh-node-module-generatebom
  websiteUrl: https://github.com/marketplace/actions/cyclonedx-node-js-generate-sbom
  categories:
  - opensource
  - github-action
- name: CycloneDX .NET Generate SBOM
  publisher: CycloneDX
  description: Creates CycloneDX SBOMs from .NET projects via GitHub action
  repoUrl: https://github.com/CycloneDX/gh-dotnet-generate-sbom
  websiteUrl: https://github.com/marketplace/actions/cyclonedx-net-generate-sbom
  categories:
  - opensource
  - github-action
- name: CycloneDX PHP Composer Generate SBOM
  publisher: CycloneDX
  description: Creates CycloneDX SBOMs from PHP Composer projects via GitHub action
  repoUrl: https://github.com/CycloneDX/gh-php-composer-generate-sbom
  websiteUrl: https://github.com/marketplace/actions/cyclonedx-php-composer-generate-sbom
  categories:
  - opensource
  - github-action
- name: CycloneDX Python Generate SBOM
  publisher: CycloneDX
  description: Creates CycloneDX SBOMs from Python projects via GitHub action
  repoUrl: https://github.com/CycloneDX/gh-python-generate-sbom
  websiteUrl: https://github.com/marketplace/actions/cyclonedx-python-generate-sbom
  categories:
  - opensource
  - github-action
- name: Generate SBoM for Elixir project
  publisher: Red Shirts
  description: Creates CycloneDX SBOMs from Erlang/Elixir Mix projects via GitHub
    action
  repoUrl: https://github.com/red-shirts/action-mix-sbom
  websiteUrl: https://github.com/marketplace/actions/generate-sbom-for-elixir-project
  categories:
  - opensource
  - github-action
- name: OSS Review Toolkit (ORT)
  publisher: OSS Review Toolkit
  description: A suite of tools to assist with reviewing Open Source Software dependencies.
  repoUrl: https://github.com/oss-review-toolkit/ort
  websiteUrl: http://oss-review-toolkit.org/
  categories:
  - opensource
  - build-integration
  - transform
  - library
- name: Retire.js
  publisher: RetireJS
  description: Scanner that detects the use of JavaScript libraries with known vulnerabilities
  repoUrl: https://github.com/RetireJS/retire.js
  websiteUrl: https://retirejs.github.io/retire.js
  categories:
  - opensource
- name: Dependency-Track
  publisher: OWASP
  description: Supply Chain Component Analysis platform that allows organizations
    to identify and reduce risk from the use of third-party and open source components
  repoUrl: https://github.com/DependencyTrack/dependency-track
  websiteUrl: https://dependencytrack.org/
  categories:
  - opensource
  - analysis
- name: Dependency-Track Jenkins Plugin
  publisher: OWASP
  description: Publishes SBOMs to Dependency-Track for per-build analysis, result
    visualization, and configurable risk thresholds
  repoUrl: https://github.com/jenkinsci/dependency-track-plugin
  websiteUrl: https://plugins.jenkins.io/dependency-track
  categories:
  - opensource
  - build-integration
- name: Dependency-Track Maven Plugin
  publisher: Paul McKeown
  description: Maven plugin that integrates with a Dependency-Track server to submit
    SBOMs and optionally fail execution when vulnerable dependencies are found.
  repoUrl: https://github.com/pmckeown/dependency-track-maven-plugin
  websiteUrl: https://github.com/pmckeown/dependency-track-maven-plugin#readme
  categories:
  - opensource
  - build-integration
- name: dtrack-audit
  publisher: OZON
  description: Publishes SBOMs to Dependency-Track for analysis and displays visualization
    from the command-line
  repoUrl: https://github.com/ozonru/dtrack-audit
  websiteUrl: https://github.com/ozonru/dtrack-audit
  categories:
  - opensource
  - build-integration
- name: ShiftLeft Scan
  publisher: ShiftLeft
  description: An open-source security tool for modern DevSecOps teams that can detect
    various kinds of security flaws in your application and infrastructure code in
    a single fast scan
  repoUrl: https://github.com/ShiftLeftSecurity/sast-scan
  websiteUrl: https://www.shiftleft.io/scan/
  categories:
  - opensource
  - analysis
- name: SCANOSS
  publisher: SCANOSS
  description: An open source inventory engine built for modern development teams
  repoUrl: https://github.com/scanoss/engine
  websiteUrl: https://scanoss.com/
  categories:
  - opensource
  - analysis
- name: oss_inventory
  publisher: Thiago Pinto
  description: Import CycloneDX BOMs and see OSS statistics
  repoUrl: https://github.com/thspinto/oss_inventory
  websiteUrl: https://github.com/thspinto/oss_inventory
  categories:
  - opensource
  - analysis
- name: Auditjs
  publisher: Sonatype
  description: Audits an NPM package.json file to identify known vulnerabilities
  repoUrl: https://github.com/sonatype-nexus-community/auditjs
  websiteUrl: https://github.com/sonatype-nexus-community/auditjs
  categories:
  - opensource
  - build-integration
- name: Chelsea
  publisher: Sonatype
  description: Dependency vulnerability auditor for Ruby
  repoUrl: https://github.com/sonatype-nexus-community/chelsea
  websiteUrl: https://github.com/sonatype-nexus-community/chelsea
  categories:
  - opensource
  - build-integration
- name: Jake
  publisher: Sonatype
  description: An OSS Index integration to check your Conda environments for vulnerable
    Open Source packages
  repoUrl: https://github.com/sonatype-nexus-community/jake
  websiteUrl: https://github.com/sonatype-nexus-community/jake
  categories:
  - opensource
  - build-integration
- name: Nancy
  publisher: Sonatype
  description: A tool to check for vulnerabilities in your Golang dependencies, powered
    by Sonatype OSS Index
  repoUrl: https://github.com/sonatype-nexus-community/nancy
  websiteUrl: https://github.com/sonatype-nexus-community/nancy
  categories:
  - opensource
  - build-integration
- name: Go Sonatypes
  publisher: Sonatype
  description: Common utility packages for working with OSS Index, Nexus IQ Server,
    CycloneDX SBOMs or getting a user-agent
  repoUrl: https://github.com/sonatype-nexus-community/go-sona-types
  websiteUrl: https://github.com/sonatype-nexus-community/go-sona-types
  categories:
  - opensource
  - library
- name: Valaa Stack
  publisher: Valaa Technologies
  description: SBoMDoc is a VDoc extension which uses CycloneDX namespaces and can
    emit BOM documents in various formats
  repoUrl: https://github.com/valaatech/kernel
  websiteUrl: https://valospace.org/
  categories:
  - opensource
  - transform
- name: Nexus IQ
  publisher: Sonatype
  description: Software Composition Analysis (SCA) platform that can consume, analyze,
    and produce CycloneDX SBOMs
  websiteUrl: https://www.sonatype.com/product-nexus-lifecycle
  categories:
  - proprietary
  - analysis
- name: Nexus Lifecycle Jenkins Plugin
  publisher: Sonatype
  description: Publishes CycloneDX SBOMs to Nexus IQ for per-build analysis, result
    visualization, and policy evaluation
  repoUrl: https://github.com/jenkinsci/nexus-platform-plugin
  websiteUrl: https://plugins.jenkins.io/nexus-jenkins-plugin
  categories:
  - opensource
  - build-integration
- name: MedScan
  publisher: MedSec
  description: Consumes SBOM’s for helping hospitals manage medical device assets
  websiteUrl: https://www.medsec.com/medscan/
  categories:
  - proprietary
  - analysis
- name: Reliza Hub
  publisher: Reliza
  description: Publishes Reliza Hub metadata as SBOM for use in other tools or ingests
    SBOMs produced in other tools to update Reliza Hub metadata
  websiteUrl: https://relizahub.com/
  categories:
  - proprietary
- name: SwiftBOM
  publisher: CERT Coordination Center (CERT/CC)
  description: Generates SBOMs for demo and PoC purposes
  repoUrl: https://github.com/CERTCC/SBOM
  websiteUrl: https://sbom.democert.org/sbom/
  categories:
  - opensource
  - author
- name: DtrackAuditor
  publisher: Thinksabin
  description: Publishes SBOMs to Dependency-Track for analysis and results through
    command line.
  repoUrl: https://github.com/thinksabin/DTrackAuditor
  websiteUrl: https://github.com/thinksabin/DTrackAuditor
  categories:
  - opensource
  - build-integration
- name: Syft
  publisher: Anchore
  description: CLI tool and library for generating a Software Bill of Materials from
    container images and filesystems.
  repoUrl: https://github.com/anchore/syft
  websiteUrl: https://github.com/anchore/syft
  categories:
  - opensource
  - build-integration
  - library
- name: Grype
  publisher: Anchore
  description: A vulnerability scanner for container images and filesystems.
  repoUrl: https://github.com/anchore/grype
  websiteUrl: https://github.com/anchore/grype
  categories:
  - opensource
  - build-integration
- name: CycloneDX CLI
  publisher: CycloneDX
  description: >
    A command line tool incorporating many common utilities including:
    alter an SBOM,
    convert between SBOM formats,
    merge multiple SBOMs,
    sign an SBOM file,
    validate an SBOM,
    verify signatures in an SBOM
  repoUrl: https://github.com/CycloneDX/cyclonedx-cli
  websiteUrl: https://github.com/CycloneDX/cyclonedx-cli
  categories:
  - opensource
  - transform
  - signing-notary
  - analysis
- name: CycloneDX Web Tool
  publisher: CycloneDX
  description: >
    A web based tool incorporating many common utilities including:
    convert between SBOM formats,
    merge multiple SBOMs,
    validate an SBOM
  repoUrl: https://github.com/CycloneDX/cyclonedx-web-tool
  websiteUrl: https://cyclonedx.github.io/cyclonedx-web-tool/
  categories:
  - opensource
  - transform
- name: CycloneDX Rust
  publisher: Mark Dodgson
  description: A Rust library to encode and decode the CycloneDX object model
  repoUrl: https://github.com/doddi/cyclonedx-rust
  websiteUrl: https://github.com/doddi/cyclonedx-rust
  categories:
  - opensource
  - library
- name: CycloneDX for Cocoapods
  publisher: CycloneDX
  description: Creates CycloneDX SBOMs for iOS Objective-C and Swift projects
  repoUrl: https://github.com/CycloneDX/cyclonedx-cocoapods
  websiteUrl: https://github.com/CycloneDX/cyclonedx-cocoapods
  categories:
  - opensource
  - build-integration
- name: mdbom
  publisher: Robert Hansel
  description: Transforms CycloneDX SBOMs to Markdown
  repoUrl: https://github.com/HaRo87/mdbom
  websiteUrl: https://haro87.github.io/mdbom/
  categories:
  - opensource
  - transform
- name: OpenRewrite
  publisher: OpenRewrite Project
  description: Rewrite is a mass refactoring system, designed to eliminate technical
    debt across an engineering. The project can generate CycloneDX SBOMs when refactoring
  repoUrl: https://github.com/openrewrite/rewrite
  websiteUrl: https://github.com/openrewrite/rewrite
  categories:
  - opensource
- name: Defect Dojo
  publisher: OWASP
  description: Open source vulnerability management and automation platform that can
    import CycloneDX SBOMs containing vulnerability information
  repoUrl: https://github.com/DefectDojo/django-DefectDojo
  websiteUrl: https://www.defectdojo.org/
  categories:
  - opensource
  - analysis
- name: OSS Inventory
  publisher: Thiago Pinto
  description: Imports CycloneDX SBOMs and visualizes OSS statistics
  repoUrl: https://github.com/thspinto/oss_inventory
  websiteUrl: https://github.com/thspinto/oss_inventory
  categories:
  - opensource
- name: Fortress File Integrity Assurance
  publisher: Fortress Information Security
  description: Creates SBOM from binary or archive, consumes externally provided SBOM,
    enriches SBOM with Fortress risk analysis, integrates via API to support continuous
    monitoring of software assurance.
  websiteUrl: https://fortressinfosec.com/solutions/file-integrity-assurance
  categories:
  - proprietary
  - analysis
- name: Fortress Asset 2 Vendor
  publisher: Fortress Information Security
  description: Comprehensive Cyber Supply Chain Risk Management data library that
    ingests, analyzes and securely shares SBOMs, HBOMs and other supply chain attestations
    via SaaS and permissioned blockchain solutions to facilitate Supplier to Asset
    Owner trust conversations.
  websiteUrl: https://assettovendor.com/
  categories:
  - proprietary
  - distribute
- name: Software Assurance Guardian Point Man
  publisher: Reliable Energy Analytics LLC
  description: SAG-PM processes CycloneDX SBOM’s as part of a seven step software
    supply chain risk assessment
  websiteUrl: https://reliableenergyanalytics.com/products
  categories:
  - proprietary
  - analysis
- name: Cybeats SBOM Studio
  publisher: Cybeats Technologies Inc.
  description: Manage SBOMs at scale and proactively discover & reduce risk across the entire
    software supply chain, from development through deployment.
  websiteUrl: https://cybeats.com
  categories:
  - proprietary
  - author
  - analysis
  - transform
  - build-integration
  - distribute
- name: TrustSource
  publisher: TrustSource
  description: TrustSource is a SaaS platform for implementing and maintaining open
    source compliance (ISO 5230 compliant). It can import CycloneDX, match them with
    its own information and add them to projects as modules for further analysis.
  websiteUrl: https://www.trustsource.io/
  categories:
  - proprietary
  - analysis
- name: JDisc Discovery
  publisher: JDisc
  description: Network discovery and IT inventory that can discover CycloneDX SBOMs
    on enterprise assets and ingest component inventory into the platform.
  websiteUrl: https://www.jdisc.com/
  categories:
  - proprietary
  - analysis
- name: PulseUno Plugin for Dimensions CM
  publisher: Micro Focus
  description: PulseUno enables development teams to continually build and inspect
    the health and quality of code using plugins such as CycloneDX. Teams can use
    this information to help decide when changes are ready to be merged, deployed,
    and released.
  websiteUrl: https://www.microfocus.com/en-us/products/dimensions-cm
  categories:
  - proprietary
  - build-integration
- name: CycloneDX GoMod Generate SBOM
  publisher: CycloneDX
  description: GitHub action which generates CycloneDX SBOMs from Go modules
  repoUrl: https://github.com/CycloneDX/gh-gomod-generate-sbom
  websiteUrl: https://github.com/marketplace/actions/cyclonedx-gomod-generate-sbom
  categories:
  - opensource
  - github-action
- name: BOM Repository Server
  publisher: CycloneDX
  description: 'A lightweight repository server used to publish, manage, and distribute
    CycloneDX SBOMs '
  repoUrl: https://github.com/CycloneDX/cyclonedx-bom-repo-server
  websiteUrl: https://github.com/CycloneDX/cyclonedx-bom-repo-server
  categories:
  - opensource
  - distribute
- name: ittosai
  publisher: DevOps KungFu Masters
  description: ittosai is a CycloneDX SBOM vulnerability analyzer that analyzes SBOMs
    every time a developer commits code to a repository
  repoUrl: https://github.com/devops-kung-fu/ittosai
  websiteUrl: https://dkfm.io/
  categories:
  - opensource
  - analysis
- name: CodeSentry
  publisher: GrammaTech
  description: Software Composition Analysis (SCA) platform that leverages binary
    analysis to identify components, inherited risk, and communicates inventory through
    CycloneDX SBOMs
  websiteUrl: https://www.grammatech.com/codesentry-sca
  categories:
  - proprietary
  - analysis
- name: Heimdall
  publisher: Medcrypt
  description: Automatically extract or manually upload your Software Bill of Materials
    (SBOM), and Heimdall will, on a continual basis, identify known vulnerabilities
    affecting your software components
  websiteUrl: https://medcrypt.com/heimdall.html
  categories:
  - proprietary
  - analysis
- name: Contrast Security
  publisher: Contrast Security
  description: Automatically generates component inventory from runtime analysis (IAST
    or RASP) and generates CycloneDX SBOMs
  websiteUrl: https://www.contrastsecurity.com/
  categories:
  - proprietary
  - analysis
- name: Salus
  publisher: Coinbase
  description: Salus is a tool for coordinating the execution of security scanners.
    Salus can generate CycloneDX SBOMs from many language ecosystems.
  repoUrl: https://github.com/coinbase/salus
  websiteUrl: https://github.com/coinbase/salus
  categories:
  - opensource
  - analysis
  - build-integration
- name: Codenotary vcn
  publisher: Codenotary
  description: Protects an organizations software development pipeline from supply
    chain attacks. Codenotary natively supports CycloneDX SBOMs.
  repoUrl: https://github.com/codenotary/vcn
  websiteUrl: https://codenotary.com/
  categories:
  - opensource
  - signing-notary
- name: CodeNotary CAS
  publisher: CodeNotary
  description: CAS is an open source attestation service for the community. Notarize
    and authorize files, directories, git repos and Build SBOMs of containers. CAS
    natively supports CycloneDX SBOMs.
  repoUrl: https://github.com/codenotary/cas
  websiteUrl: https://cas.codenotary.com/
  categories:
  - opensource
  - signing-notary
- name: Codenotary CAS Notarize Docker Image and SBOM
  publisher: Codenotary
  description: A GitHub Action which notarizes and creates an SBOM for Docker images.
  repoUrl: https://github.com/codenotary/cas-notarize-docker-image-bom-github-action
  websiteUrl: https://cas.codenotary.com/
  categories:
  - opensource
  - signing-notary
  - github-action
- name: Codenotary CAS Authenticate Docker Image and SBOM
  publisher: Codenotary
  description: A GitHub Action which authenticates notarized Docker images and SBOMs.
  repoUrl: https://github.com/codenotary/cas-authenticate-docker-bom-github-action
  websiteUrl: https://cas.codenotary.com/
  categories:
  - opensource
  - signing-notary
  - github-action
- name: Cosign
  publisher: Sigstore
  description: Container Signing, Verification and Storage in an OCI registry, including
    CycloneDX SBOMs
  repoUrl: https://github.com/sigstore/cosign
  websiteUrl: https://sigstore.dev/
  categories:
  - opensource
  - signing-notary
- name: Tern
  publisher: Tern
  description: Tern is a software composition analysis tool and Python library that
    generates a Software Bill of Materials for container images and Dockerfiles.
  repoUrl: https://github.com/tern-tools/tern
  websiteUrl: https://github.com/tern-tools/tern
  categories:
  - opensource
  - analysis
  - build-integration
- name: Cybellum SBOM
  publisher: Cybellum Technologies LTD.
  description: Analyzes binary artifacts to generate SBoM including context based
    analysis to perform accurate vulnerability assessment
  websiteUrl: https://cybellum.com
  categories:
  - proprietary
  - analysis
- name: Scancode Toolkit
  publisher: nexB
  description: ScanCode detects licenses, copyrights, package manifests & dependencies
    and more by scanning code to discover and inventory open source and third-party
    packages.
  repoUrl: https://github.com/nexB/scancode-toolkit
  websiteUrl: https://github.com/nexB/scancode-toolkit
  categories:
  - opensource
  - analysis
- name: swift-package-sbom-generator
  publisher: Mattt
  description: A software bill of materials (SBOM) generator for Swift packages
  repoUrl: https://github.com/mattt/swift-package-sbom
  websiteUrl: https://github.com/mattt/swift-package-sbom
  categories:
  - opensource
  - build-integration
- name: SRC:CLR SBOM Generator
  publisher: Veracode
  description: Generates a Software Bill of Materials in CycloneDX JSON Format from
    Veracode SCA Agent results.
  repoUrl: https://github.com/veracode/srcclr_sbom_gen
  websiteUrl: https://github.com/veracode/srcclr_sbom_gen
  categories:
  - opensource
  - transform
- name: NowSecure Platform
  publisher: NowSecure
  description: NowSecure automates security and privacy testing of mobile applications
    through static and dynamic binary analysis. NowSecure identifies packages and
    native components bundled with mobile apps and exports inventory in CycloneDX
    format.
  websiteUrl: https://www.nowsecure.com/
  categories:
  - proprietary
  - analysis
- name: Ion Channel Platform
  publisher: Ion Channel
  description: Ion Channel is a software supply chain assurance platform that transforms
    software inventory data into positive control of known and potential risks. Ion
    Channel consumes, analyzes, and exports CycloneDX SBOMs.
  websiteUrl: https://ionchannel.io/
  categories:
  - proprietary
  - analysis
- name: CycloneDX for Conan1
  publisher: CycloneDX
  description: Creates CycloneDX Software Bill of Materials (SBOM) for C/C++ projects
    using Conan (archived project)
  repoUrl: https://github.com/CycloneDX/cyclonedx-conan
  websiteUrl: https://github.com/CycloneDX/cyclonedx-conan
  categories:
  - opensource
  - build-integration
- name: CycloneDX for Conan2
  publisher: Conan-IO
  description: Creates CycloneDX Software Bill of Materials (SBOM) for C/C++ projects
    using Conan-extension
  repoUrl: https://github.com/conan-io/conan-extensions
  websiteUrl: https://github.com/conan-io/conan-extensions
  categories:
  - opensource
  - build-integration
- name: Checkov
  publisher: Checkov
  description: Prevent cloud misconfigurations during build-time for Terraform, Cloudformation,
    Kubernetes, Serverless framework and other infrastructure-as-code-languages with
    Checkov by Bridgecrew. Can output to CycloneDX.
  repoUrl: https://github.com/bridgecrewio/checkov
  websiteUrl: https://www.checkov.io/
  categories:
  - opensource
  - analysis
- name: SBOM CLI
  publisher: Defense Unicorns
  description: Creates CycloneDX SBOMs from Kubernetes Helm charts
  repoUrl: https://github.com/defenseunicorns/sbom-cli
  websiteUrl: https://github.com/defenseunicorns/sbom-cli
  categories:
  - opensource
  - build-integration
- name: CxSCA
  publisher: Checkmarx
  description: Checkmarx SCA is a Software Composition Analysis (SCA) platform that
    can produce CycloneDX SBOMs
  websiteUrl: https://checkmarx.com/product/cxsca-open-source-scanning
  categories:
  - proprietary
  - analysis
- name: Ochrona CLI
  publisher: Ochrona
  description: A command line tool for detecting vulnerabilities in Python dependencies
    and doing safe package installs. Output CycloneDX of all dependencies.
  repoUrl: https://github.com/ochronasec/ochrona-cli
  websiteUrl: https://ochrona.dev/
  categories:
  - opensource
  - analysis
  - build-integration
- name: pip-audit
  publisher: Trail of Bits
  description: Audits Python environments and dependency trees for known vulnerabilities.
    Generates CycloneDX SBOM of vulnerable components.
  repoUrl: https://github.com/trailofbits/pip-audit
  websiteUrl: https://github.com/trailofbits/pip-audit
  categories:
  - opensource
  - build-integration
  - analysis
- name: RKVST SBOM Hub
  publisher: RKVST
  description: A free SaaS repo to find and fetch public or private CycloneDX v1.4
    BOMs. RKVST sustains and enhances SaaS/S/H/C-BOM or VEX publishing and consumption
    by tracing provenance, governing permissioned distribution and proving immutable
    assurance...
  repoUrl: https://github.com/jitsuin-inc/archivist-samples
  websiteUrl: https://sbom.rkvst.io
  categories:
  - proprietary
  - distribute
- name: WpBom
  publisher: Sepbit
  description: WordPress integration with OWASP CycloneDX and Dependency Track
  repoUrl: https://github.com/sepbit/wpbom
  websiteUrl: https://wordpress.org/plugins/wpbom/
  categories:
  - opensource
  - build-integration
- name: Meterian BOSS scanner
  publisher: Meterian
  description: Software composition analysis for codebases providing precise and comprehensive
    CycloneDX SBOMs for open source and private source code projects. Supports all
    major ecosystems Java, NodeJS, .NET, Go, Rust, Swift, Python, Ruby, PHP, C/C++,
    Perl
  websiteUrl: https://meterian.io/products/boss
  categories:
  - proprietary
  - github-action
  - build-integration
- name: Spack
  publisher: Spack
  description: Spack is a package manager for supercomputers, Linux, and macOS. The
    package managers can export inventory in CycloneDX.
  repoUrl: https://github.com/spack/spack-sbom
  websiteUrl: https://spack.io/
  categories:
  - opensource
  - build-integration
- name: build-info-go
  publisher: JFrog
  description: build-info-go is a Go library and a CLI, which allows generating build-info
    and CycloneDX for a source code project.
  repoUrl: https://github.com/jfrog/build-info-go
  websiteUrl: https://github.com/jfrog/build-info-go
  categories:
  - opensource
  - build-integration
- name: Kyverno
  publisher: Kyverno
  description: Kyverno is a policy engine designed for Kubernetes. It can validate,
    mutate, and generate configurations using admission controls and background scans.
  repoUrl: https://github.com/kyverno/kyverno
  websiteUrl: https://github.com/kyverno/kyverno
  categories:
  - opensource
- name: jbom
  publisher: Contrast Security
  description: jbom generates a CycloneDX Software Bill of Materials (SBOM) for apps
    on a running JVM
  repoUrl: https://github.com/Contrast-Security-OSS/jbom
  websiteUrl: https://github.com/Contrast-Security-OSS/jbom
  categories:
  - opensource
- name: KICS
  publisher: Checkmarx
  description: Find security vulnerabilities, compliance issues, and infrastructure
    misconfigurations early in the development cycle of your infrastructure-as-code
    with KICS by Checkmarx.
  repoUrl: https://github.com/Checkmarx/kics
  websiteUrl: https://www.kics.io/
  categories:
  - opensource
- name: Xray
  publisher: JFrog
  description: JFrog Xray is a software composition analysis (SCA) solution that proactively
    identifies vulnerabilities and license violations in open source. Xray generates
    CycloneDX SBOMs.
  websiteUrl: https://jfrog.com/xray/
  categories:
  - proprietary
- name: apt2sbom
  publisher: Eliot Lear
  description: Build an SBOM out of APT and python information
  websiteUrl: https://github.com/elear/apt2sbom
  repoUrl: https://github.com/elear/apt2sbom
  categories:
  - opensource
  - build-integration
- name: NetRise Turbine
  publisher: NetRise
  description: NetRise Turbine is a firmware analysis platform that creates SBOMs
    by analyzing binary artifacts and other key components such as configuration files,
    credentials and cryptographic artifacts for maximum visibility and holistic risk
    identification.
  websiteUrl: https://www.netrise.io/
  categories:
  - proprietary
- name: Rebom
  publisher: Reliza
  websiteUrl: https://rebomdemo.relizahub.com
  repoUrl: https://github.com/relizaio/rebom
  description: Rebom by Reliza is an open source catalog of Software Bills of Materials
    that supports CycloneDX in JSON format
  categories:
  - opensource
  - distribute
- name: cve-bin-tool
  publisher: Intel
  description: CVE bin tool scans for a number of common, vulnerable components to
    let you know if your system includes common libraries with known vulnerabilities
    and outputs into CycloneDX format.
  repoUrl: https://github.com/intel/cve-bin-tool
  websiteUrl: https://cve-bin-tool.readthedocs.io/en/latest/
  categories:
  - opensource
  - analysis
- name: Jetstack Secure
  publisher: Jetstack
  description: Jetstack Secure manages your machine identities across Cloud Native
    Kubernetes and OpenShift environments and builds a detailed view of the enterprise
    security posture.
  repoUrl: https://github.com/jetstack/jetstack-secure
  websiteUrl: https://www.jetstack.io/jetstack-secure/
  categories:
  - opensource
- name: Keysight IoT Security Assessment
  publisher: Keysight
  description: Keysight Automated Firmware Analysis, part of the Keysight IoT Security Assessment product, delivers highly accurate SBOMs and identifies CVEs, misconfigurations, hardcoded credentials, weak cryptography, and potential zero-day vulnerabilities.
  websiteUrl: https://www.keysight.com/be/en/products/network-security/iot-security-assessment.html
  categories:
  - proprietary
- name: Ko
  publisher: Google
  description: Build and deploy Go applications on Kubernetes. Generates CycloneDX
    SBOMs for all project dependencies.
  repoUrl: https://github.com/google/ko
  websiteUrl: https://github.com/google/ko
  categories:
  - opensource
  - build-integration
- name: Sonatype Lift
  publisher: Sonatype
  description: Sonatype Lift is a cloud-native, collaborative, code analysis platform
    built for developers. It analyzes each developer pull request to find and fix
    security, performance, reliability, and style issues, and generates CycloneDX
    SBOMs.
  repoUrl: https://lift.sonatype.com/
  websiteUrl: https://lift.sonatype.com/
  categories:
  - proprietary
  - build-integration
- name: spdxcyclone
  publisher: Gary O'Neall
  description: Prototype utility that converts SBOM documents between SPDX and CycloneDX.
  repoUrl: https://github.com/goneall/spdxcyclone
  websiteUrl: https://github.com/goneall/spdxcyclone
  categories:
  - opensource
  - transform
- name: Trivy
  publisher: Aqua Security
  description: Trivy is an open source cloud native security scanner. It can scan a variety
    of targets (containers, code repositories, VMs, clusters), and find there a variety of
    security issues (vulnerabilities, SBOM, misconfigurations, licenses). Trivy has first
    class support for CycloneDX as a standard SBOM format.
  repoUrl: https://github.com/aquasecurity/trivy
  websiteUrl: https://aquasecurity.github.io/trivy/
  categories:
  - opensource
  - build-integration
  - analysis
  - transform
- name: Apiiro
  publisher: Apiiro
  description: Apiiro enables security & development teams to proactively remediate
    critical risks in their cloud-native applications such as design flaws, secrets,
    IaC misconfigurations, API & OSS vulnerabilities across the software supply chain.
  websiteUrl: https://apiiro.com/
  categories:
  - proprietary
  - analysis
  - build-integration
- name: Gemnasium
  publisher: GitLab
  description: Dependency Scanning analyzer that uses the GitLab Advisory Database
    and generates CycloneDX SBOMs.
  websiteUrl: https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium
  categories:
  - proprietary
  - analysis
  - build-integration
- name: Lagoon Insights Handler
  publisher: Lagoon
  description: Lagoon is an application delivery platform for Kubernetes that supports
    the consumption of CycloneDX SBOMs as part of the Insights Handler component.
  repoUrl: https://github.com/uselagoon/insights-handler
  websiteUrl: https://lagoon.sh/
  categories:
  - opensource
  - build-integration
- name: SnykVulnCheck
  publisher: Andrii Grytsenko
  description: SnykVulnCheck analyzes the contents of CycloneDX SBOMs and evaluates
    components for known vulnerabilities by using public APIs to Snyk Vulnerability
    DB.
  repoUrl: https://github.com/Andrii-Grytsenko-OWASP/SnykVulnCheck
  websiteUrl: https://github.com/Andrii-Grytsenko-OWASP/SnykVulnCheck
  categories:
  - opensource
  - analysis
- name: apko
  publisher: Chainguard
  description: Build OCI images using APK directly without Dockerfile. Generates CycloneDX
    SBOMs for containers using native SBOM functionality in apk-tools v3.0 and higher.
  repoUrl: https://github.com/chainguard-dev/apko
  websiteUrl: https://apko.dev/
  categories:
  - opensource
  - build-integration
- name: OSV
  publisher: Google
  description: OSV is an open source vulnerability database and triage service. OSV
    includes a scanner that accepts CycloneDX SBOMs as input and identifies known
    vulnerabilities in components using the OSV service.
  repoUrl: https://github.com/google/osv
  websiteUrl: https://osv.dev/
  categories:
  - opensource
  - analysis
- name: docker-sbom-cli-plugin
  publisher: Docker
  description: Plugin for Docker CLI that generates CycloneDX SBOMs.
  repoUrl: https://github.com/docker/docker-sbom-cli-plugin
  websiteUrl: https://github.com/docker/docker-sbom-cli-plugin
  categories:
  - opensource
  - build-integration
- name: ThreatMapper
  publisher: Deepfence
  description: Deepfence ThreatMapper hunts for vulnerabilities in production platforms,
    ranks vulnerabilities based on their risk-of-exploit, and generates CycloneDX
    SBOMs.
  repoUrl: https://github.com/deepfence/ThreatMapper
  websiteUrl: https://deepfence.io/
  categories:
  - opensource
  - analysis
- name: JupiterOne
  publisher: JupiterOne
  description: Easily identify, map, analyze, and secure cyber assets and attack surface.
    Gain full visibility into complex cloud environments to uncover threats, close
    compliance gaps, and prioritize risk. Consumes and analyzes CycloneDX SBOMs.
  websiteUrl: https://jupiterone.com/
  categories:
  - proprietary
  - analysis
- name: Veracode
  publisher: Veracode
  description: API to output SBOM in CycloneDX (JSON) format based on Veracode's software
    composition analysis (SCA) scan.
  websiteUrl: https://www.veracode.com/
  categories:
  - proprietary
  - analysis
- name: Tidelift
  publisher: Tidelift
  description: Tidelift is a managed open source subscription, offering commercial
    support and maintenance for the open source dependencies used to build applications,
    backed by maintainers.
  websiteUrl: https://tidelift.com/
  categories:
  - proprietary
- name: Bytesafe
  publisher: Bytesafe
  description: A Dependency Firewall that protects organizations from malicious dependencies.
    Detect and prevent vulnerabilities across the software supply chain. +SCA +CycloneDX
    SBOMs +License compliance +Secure package management
  websiteUrl: https://bytesafe.dev/
  categories:
  - proprietary
  - analysis
- name: KubeClarity
  publisher: Cisco
  description: KubeClarity is a tool for detection and management of Software Bill
    Of Materials (SBOM) and vulnerabilities of container images and filesystems. It
    scans both runtime K8s clusters and CI/CD pipelines for enhanced software supply
    chain security.
  repoUrl: https://github.com/cisco-open/kubei
  websiteUrl: https://github.com/cisco-open/kubei
  categories:
  - opensource
  - analysis
- name: Flawnter
  publisher: CyberTest
  description: Flawnter Static Code Analyzer helps improve the security and quality
    of application code and can generate CycloneDX BOMs during analysis.
  websiteUrl: https://www.flawnter.com/
  categories:
  - proprietary
  - analysis
- name: SonarQube
  publisher: SonarSource
  description: SonarQube allows developers and development teams to write clean code
    and remediate existing code organically, so they can focus on the work they love
    and maximize the value they generate for businesses.
  websiteUrl: https://sonarsource.com/
  categories:
  - opensource
  - proprietary
  - analysis
- name: Black Duck
  publisher: Synopsys
  description: Black Duck software composition analysis (SCA) helps teams manage the
    security, quality, and license compliance risks that come from the use of open
    source and third-party code in applications and containers.
  websiteUrl: https://www.synopsys.com/software-integrity/security-testing/software-composition-analysis.html
  categories:
  - proprietary
  - analysis
- name: SBOM-Operator
  publisher: Christian Kotzbauer
  description: Catalogue all images of a Kubernetes cluster to multiple targets with
    Syft.
  websiteUrl: https://github.com/ckotzbauer/sbom-operator
  categories:
  - opensource
  - analysis
- name: yasca (Yet Another SCA tool)
  publisher: Javi
  description: Yasca is an opensource SCA tool that leverages Github advisories. The
    tool identifies vulnerabilities in direct and transitive Maven dependencies and
    generates CycloneDX SBOMs.
  repoUrl: https://github.com/javixeneize/yasca
  websiteUrl: https://github.com/javixeneize/yasca
  categories:
  - opensource
  - analysis
- name: Rezilion Dynamic SBOM
  publisher: Rezilion
  description: Continuous inventory of all software components down to the file/class level from development to production across entire tech stack. Dynamically track associated supply chain risks, dependencies, and behaviors and validate exploitability in runtime.
  websiteUrl: https://www.rezilion.com/platform/dynamic-sbom
  categories:
   - proprietary
   - analysis
   - author
   - build-integration
- name: BlackBerry Jarvis
  publisher: BlackBerry
  description: Software composition analysis (SCA) and security testing solution that detects and list open-source software and software licenses within embedded systems and associated cybersecurity vulnerabilities and exposures
  websiteUrl: https://blackberry.qnx.com/en/products/security/blackberry-jarvis
  categories:
    - proprietary
    - analysis
- name: Fortify Software Security Center
  publisher: Micro Focus
  description: Open source plugin for Fortify Software Security Center (SSC) that parses CycloneDX BOMs and integrates vulnerability data within the SSC portal
  repoUrl: https://github.com/fortify-ps/fortify-ssc-parser-cyclonedx
  websiteUrl: https://github.com/fortify-ps/fortify-ssc-parser-cyclonedx
  categories:
    - proprietary
    - opensource
- name: sbom-submission-action
  publisher: TietoEVRY
  description: GitHub Action that submits CycloneDX SBOMs to GitHub's dependency submission API
  repoUrl: https://github.com/evryfs/sbom-dependency-submission-action
  websiteUrl: https://github.com/marketplace/actions/sbom-submission-action
  categories:
    - github-action
    - opensource
- name: Vexy
  publisher: Paul Horton
  description: Generate VEX (Vulnerability Exploitability Exchange) CycloneDX documents
  repoUrl: https://github.com/madpah/vexy
  websiteUrl: https://github.com/madpah/vexy
  categories:
    - opensource
- name: Project Piper
  publisher: SAP
  description: Jenkins shared library for Continuous Delivery pipelines, applicable to projects both for SAP BTP and SAP on-premise platforms. Project Piper can generates CycloneDX BOMs for multiple ecosystems.
  repoUrl: https://github.com/SAP/jenkins-library
  websiteUrl: https://www.project-piper.io/
  categories:
    - opensource
    - build-integration
- name: action-owasp-dependecy-track-check
  publisher: Quobis
  description: Github action that generates BOMs and uploads them to OWASP Dependency-Track for vulnerability analysis
  repoUrl: https://github.com/Quobis/action-owasp-dependecy-track-check
  websiteUrl: https://github.com/Quobis/action-owasp-dependecy-track-check
  categories:
    - opensource
    - github-action
    - build-integration
- name: LicenseComplianceTool
  publisher: medavis GmbH
  description: A Jenkins plugin to create listings of third-party components and their licenses
  repoUrl: https://github.com/medavis-gmbh/LicenseComplianceTool
  websiteUrl: https://github.com/medavis-gmbh/LicenseComplianceTool
  categories:
    - opensource
    - build-integration
- name: sbom-action
  publisher: Pete Wagner
  description: GitHub action which can diff CycloneDX SBOMs on pull request and on commit
  repoUrl: https://github.com/thepwagner/sbom-action
  websiteUrl: https://github.com/thepwagner/sbom-action
  categories:
    - opensource
    - build-integration
- name: DaggerBoard
  publisher: NewYork-Presbyterian Hospital
  description: DaggerBoard is a vulnerability scanning tool that ingests Software Bill of Material (SBOM) files and outputs results in a human-readable format. This tool evaluates software dependencies outlined within the SBOM file for package vulnerabilities.
  repoUrl: https://github.com/nyph-infosec/daggerboard
  websiteUrl: https://github.com/nyph-infosec/daggerboard
  categories:
    - opensource
    - analysis
- name: gobom
  publisher: Mattermost
  description: An extensible CycloneDX BOM generator and Dependency-Track API client written in Go
  repoUrl: https://github.com/mattermost/gobom
  websiteUrl: https://github.com/mattermost/gobom
  categories:
    - opensource
    - build-integration
- name: sca-codeinsight-reports-cyclonedx
  publisher: Flexera
  description: Report generation tools for Flexera Code Insight. The report allows generates CycloneDX software bill of materials (SBOM) for a given project
  repoUrl: https://github.com/flexera-public/sca-codeinsight-reports-cyclonedx
  websiteUrl: https://github.com/flexera-public/sca-codeinsight-reports-cyclonedx
  categories:
    - opensource
- name: meta-dependencytrack
  publisher: BG Networks
  description: meta-dependencytrack is a Yocto meta-layer which produces a CycloneDX Software Bill of Materials (aka SBOM) from your root filesystem and then uploads it to a Dependency-Track server against the project of your choice
  repoUrl: https://github.com/bgnetworks/meta-dependencytrack
  websiteUrl: https://github.com/bgnetworks/meta-dependencytrack
  categories:
    - opensource
- name: Mend SCA
  publisher: Mend (Whitesource)
  description: Mend allows organizations to gain full visibility and control over their open source usage. Mend SCA exports direct and transitive dependencies in CycloneDX format.
  websiteUrl: https://www.mend.io/
  categories:
    - proprietary
- name: Prisma Cloud
  publisher: Palo Alto Networks
  description: Prisma® Cloud secures infrastructure, applications, data and entitlements across the world’s largest clouds, all from a single unified solution.
  websiteUrl: https://paloaltonetworks.com
  categories:
    - proprietary
- name: CAST Highlight
  publisher: CAST
  description: CAST Highlight automatically analyzes source code of hundreds of applications in a week for Software Composition Analysis (Open Source risks), Cloud Readiness, Resiliency, and Technical Debt.
  websiteUrl: https://www.castsoftware.com/products/highlight
  categories:
    - proprietary
    - build-integration
    - analysis
    - github-action
- name: CAST SBOM Manager
  publisher: CAST
  description: CAST SBOM Manager is a free software that enables users to automatically create, customize, and maintain Software Bill of Materials (SBOMs) with the ultimate level of control and flexibility.
  websiteUrl: https://www.castsoftware.com/sbommanager
  categories:
    - proprietary
    - analysis
    - author
    - distribute
    - transform
- name: Kondukto
  publisher: Kondukto
  description: Kondukto is an Application Security Orchestration and Correlation tool to manage vulnerability scanning tools and remediation workflows to increase AppSec Team efficiency. It can consume and analyzes CycloneDX SBOMs via CI/CD integration or manual.
  websiteUrl: https://kondukto.io
  categories:
    - proprietary
- name: Enso
  publisher: Enso Security
  description: Enso is an Application Security Posture Management (ASPM) platform that automates the identification of software assets as well as the tracking and scheduling of all application security tools and processes.
  websiteUrl: https://www.enso.security
  categories:
    - proprietary
- name: Tally
  publisher: Jetstack
  description: Finds OpenSSF Scorecard scores for packages in a CycloneDX Software Bill of Materials
  repoUrl: https://github.com/jetstack/tally
  websiteUrl: https://github.com/jetstack/tally
  categories:
    - opensource
- name: SecureStack
  publisher: SecureStack
  description: SecureStack analyzes your application and finds all source code, cloud stack and third-party services and builds a CycloneDX SBOM every time you deploy
  websiteUrl: https://securestack.com/
  categories:
    - proprietary
    - build-integration
- name: SBOM Insights
  publisher: Revenera
  description: SBOM Insights is a SaaS solution that helps organizations manage their Software Bill of Materials (SBOM)
  websiteUrl: https://www.revenera.com/software-composition-analysis/products/sbom-insights
  categories:
    - proprietary
- name: EMBA
  publisher: EMBA Project
  description: EMBA is a security analyzer for firmware and embedded devices supporting firmware extraction, static analysis, dynamic analysis, and CycloneDX SBOM production
  repoUrl: https://github.com/e-m-b-a/emba
  websiteUrl: https://www.securefirmware.de
  categories:
    - opensource
    - analysis
- name: secure.software
  publisher: ReversingLabs
  description: Software supply chain security protection for CI/CD workflows, containers, and release packages that enables DevSecOps teams to release software with confidence.
  websiteUrl: https://www.reversinglabs.com/products/software-supply-chain-security
  categories:
    - proprietary
    - build-integration
- name: Arsenal
  publisher: Deepbits
  description: A free online toolset for software supply chain analysis, including AI-powered SBOM/SaaSBOM building and risk analysis services for COTS software, open-source software artifacts, public code repositories, and public docker images.
  websiteUrl: https://tools.deepbits.com/
  categories:
    - analysis
    - proprietary
- name: Fortify on Demand
  publisher: Micro Focus
  description: AppSec platform, powered by expert research teams and machine learning/AI, aimed at protecting the integrity of your software supply chain by producing and consuming CycloneDX SBOMs for a wide range of languages and package managers.
  websiteUrl: https://www.microfocus.com/en-us/cyberres/application-security/fortify-on-demand
  categories:
    - proprietary
    - analysis
    - build-integration
- name: SBOMDiff
  publisher: Anthony Harrison
  description: A command line tool which compares two SBOMs and reports any differences. Differences in licence inforamtion, version information and the additon or removal of a package are identified. Both CycloneDX and SPDX SBOMs are supported.
  repoUrl: https://github.com/anthonyharrison/sbomdiff
  websiteUrl: https://pypi.org/project/sbomdiff/
  categories:
    - opensource
    - analysis
- name: SBOM4Python
  publisher: Anthony Harrison
  description: A command line tool which creates CycloneDX and SPDX SBOMs an installed Python module.
  repoUrl: https://github.com/anthonyharrison/sbom4python
  websiteUrl: https://pypi.org/project/sbom4python/
  categories:
  - opensource
  - build-integration
- name: SBOM4Files
  publisher: Anthony Harrison
  description: A command line tool which creates CycloneDX and SPDX SBOMs for files within a directory.
  repoUrl: https://github.com/anthonyharrison/sbom4files
  websiteUrl: https://pypi.org/project/sbom4files/
  categories:
  - opensource
  - build-integration
- name: SBOM4Rust
  publisher: Anthony Harrison
  description: A command line tool which creates CycloneDX and SPDX SBOMs for a Rust application.
  repoUrl: https://github.com/anthonyharrison/sbom4rust
  websiteUrl: https://pypi.org/project/sbom4rust/
  categories:
  - opensource
  - build-integration
- name: Distro2SBOM
  publisher: Anthony Harrison
  description: A command line tool which creates CycloneDX and SPDX SBOMs for an installed application or distribution (Debian and RPM type distributions supported).
  repoUrl: https://github.com/anthonyharrison/distro2sbom
  websiteUrl: https://pypi.org/project/distro2sbom/
  categories:
  - opensource
  - build-integration
- name: SBOM-Manager
  publisher: Anthony Harrison
  description: A command line tool which provides a simple repository server used to manage and query CycloneDX and SPDX SBOMs.
  repoUrl: https://github.com/anthonyharrison/sbom-manager
  websiteUrl: https://pypi.org/project/sbom-manager/
  categories:
  - opensource
  - distribute
- name: SBOMAudit
  publisher: Anthony Harrison
  description: A command line tool which audits an SBOM to evaluate the content against specific criteria including evaluating licence information, whether the latest version of a module is being used and conformance against the NTIA minimum SBOM contents.
  repoUrl: https://github.com/anthonyharrison/sbomaudit
  websiteUrl: https://pypi.org/project/sbomaudit/
  categories:
  - opensource
  - analysis
- name: SBOM2doc
  publisher: Anthony Harrison
  description: A command line tool which produces a human-readable representaion of either a CycloneDX or SPDX SBOM. Output formats include PDF and Markdown.
  repoUrl: https://github.com/anthonyharrison/sbom2doc
  websiteUrl: https://pypi.org/project/sbom2doc/
  categories:
  - opensource
  - analysis
- name: SBOM2dot
  publisher: Anthony Harrison
  description: A command line tool which produces a visual representaion of the relationships within either a CycloneDX or SPDX SBOM.
  repoUrl: https://github.com/anthonyharrison/sbom2dot
  websiteUrl: https://pypi.org/project/sbom2dot/
  categories:
  - opensource
  - analysis
- name: SBOMMerge
  publisher: Anthony Harrison
  description: A command line tool which merges two SBOMs together which can be in either CycloneDX or SPDX formats.
  repoUrl: https://github.com/anthonyharrison/sbommerge
  websiteUrl: https://pypi.org/project/sbommerge/
  categories:
  - opensource
  - analysis
  - transform
- name: Lib4sbom
  publisher: Anthony Harrison
  description: A Python library to consume and generate SBOMs in either CycloneDX or SPDX formats.
  repoUrl: https://github.com/anthonyharrison/lib4sbom
  websiteUrl: https://pypi.org/project/lib4sbom/
  categories:
  - opensource
  - library
- name: bomber
  publisher: DevOps Kung Fu Mafia
  description: Scans SBOMs (CycloneDX, SPDX, or Syft-formatted) for security vulnerabilities, using OSV or Sonatype OSS Index for analysis.
  repoUrl: https://github.com/devops-kung-fu/bomber
  websiteUrl: https://github.com/devops-kung-fu/bomber
  categories:
    - opensource
    - analysis
- name: Covenant
  publisher: Patrik Svensson
  description: A tool to generate SBOMs in CycloneDX or SPDX formats from source code artifacts (.NET 5/.NET 6, .NET Core, or NPM).
  repoUrl: https://github.com/patriksvensson/covenant
  websiteUrl: https://github.com/patriksvensson/covenant
  categories:
    - opensource
    - transform
- name: ONEKEY firmware analysis platform
  publisher: ONEKEY
  description: Automatic firmware analysis platform exracting, enumerating and checking binary images to create SBOM & vulnerability reports.
  websiteUrl: https://onekey.com/
  categories:
    - proprietary
    - analysis
- name: Vuls
  publisher: Future Corp
  description: Agent-less vulnerability scanner for Linux, FreeBSD, containers, WordPress, programming language libraries and network devices which outputs CycloneDX Vulnerability Disclosure Reports (VDR)
  repoUrl: https://github.com/future-architect/vuls
  websiteUrl: https://vuls.io/
  categories:
    - opensource
    - analysis
- name: StackAware
  publisher: StackAware
  description: StackAware helps organizations communicate about supply chain cybersecurity risk. A SaaS platform, it allows for the management and analysis of SBOMs as well as structured communications about the exploitability of vulnerabilities identified in them.
  websiteUrl: https://stackaware.com/
  categories:
    - proprietary
    - analysis
    - distribute
- name: Manifest
  publisher: Manifest
  description: Manifest provides an end-to-end SBOM management tool that lets organizations easily (and automatically) generate, aggregate, enrich, analyze, and securely share SBOMs.
  websiteUrl: https://manifestcyber.com/
  categories:
    - proprietary
    - analysis
    - github-action
- name: Valint
  publisher: Scribe Security
  description: Scribe helps you build trust in the software you produce or use, across teams and organizations. You can generate, manage and share SBOMs, validate integrity, and track vulnerabilities of your containers, source repositories, dependencies, and pipelines.
  websiteUrl: https://scribesecurity.com/scribe-platform-lp
  categories:
  - build-integration
  - analysis
  - signing-notary
  - proprietary
- name: Debricked
  publisher: OpenText
  description: Debricked allows you to manage your open source in an easy, smart and efficient manner. Automatically find, fix and prevent vulnerabilities, avoid non compliant licenses and choose better open source from the start - all in one tool.
  websiteUrl: https://debricked.com/
  categories:
    - analysis
    - proprietary
- name: EXPLIoT IoT Security Assessment Framework
  publisher: EXPLIoT
  description: A Framework for security testing and exploiting IoT products and IoT infrastructure. It provides a set of plugins (test cases) which are used to perform the assessment and can be extended easily with new ones. Documentation - https://expliot.readthedocs.io/en/latest/
  repoUrl: https://gitlab.com/expliot_framework/expliot
  websiteUrl: https://expliot.io/
  categories:
    - opensource
    - analysis
- name: Endor Labs
  publisher: Endor Labs
  description: Endor Labs helps organizations maximize software reuse by enabling security and development teams to select, secure, and maintain OSS at scale. Endor Labs creates CycloneDX SBOMs and automatically generates VEX for software prodcuers.
  websiteUrl: https://endorlabs.com
  categories:
    - proprietary
    - build-integration
- name: Value Stream Management (VSM)
  publisher: LeanIX
  description: LeanIX Value Stream Management (VSM) can consume CycloneDX SBOMs via REST APIs, making data from hundreds of BOMs available in a search- & filterable catalog in relation to Team ownership and Product architecture
  websiteUrl: https://www.leanix.net/en/products/value-stream-management
  categories:
    - proprietary
    - build-integration
- name: RapidFort
  publisher: RapidFort
  description: RapidFort container optimization platform finds and eliminates unused container components and hardens containers so you spend less time on vulnerability remediation. RapidFort supports CycloneDX BOMs and VEX
  websiteUrl: https://www.rapidfort.com/
  categories:
    - proprietary
    - build-integration
- name: FOSSA
  publisher: FOSSA
  description: Software Composition Analysis (SCA) platform that can ingest, analyze, and generate CycloneDX SBOMs
  websiteUrl: https://fossa.com
  categories:
     - proprietary
     - analysis
- name: SBOM Quality Score
  publisher: Interlynk.io
  description: sbomqs cmdline tool, helps producers & consumers of sboms to quickly evaluate the quality of their sboms based on various categories. Tool can be integrated in your automation pipeline, to evaluate a minimum level of SBOM quality that is expected.
  repoUrl: https://github.com/interlynk-io/sbomqs
  websiteUrl: https://www.interlynk.io/
  categories:
    - opensource
    - analysis
- name: SBOM Grep
  publisher: Interlynk.io
  description: sbomgr is a grep like command line utility to help search the SBOM repository based on criteria like the name, checksum, CPE, and PURL.
  repoUrl: https://github.com/interlynk-io/sbomgr
  websiteUrl: https://www.interlynk.io/
  categories:
    - opensource
    - analysis
    - build-integration
- name: SBOM Explorer
  publisher: Interlynk.io
  description: sbomex is a command line utility to help query and pull from Interlynk's public SBOM repository.
  repoUrl: https://github.com/interlynk-io/sbomex
  websiteUrl: https://www.interlynk.io/
  categories:
    - opensource
    - analysis
- name: SBOM Benchmark
  publisher: Interlynk.io
  description: Quickly evaluate SBOM for quality, compliance and errors
  websiteUrl: https://sbombenchmark.dev/
  categories:
     - proprietary
     - analysis
- name: Amazon Inspector SBOM Generator
  publisher: Amazon Inspector
  description:  Amazon Inspector SBOM Generator (inspector-sbomgen) produces SBOMs for various artifacts using multiple collectors, providing an inventory of packages and metadata for vulnerability scanning using Amazon Inspector ScanSBOM API (AWS account required).
  websiteUrl: https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html
  categories:
     - proprietary
     - analysis
     - build-integration
- name: Xygeni Software Supply-Chain Security
  publisher: Xygeni
  description: Xygeni is a software supply chain security solution that provides visibility, security and integrity in DevOps environments, reducing the risk of breaches and detecting potential attacks, ensuring security in your software releases.
  websiteUrl: https://xygeni.io/
  categories:
  - proprietary
  - analysis
  - build-integration
- name: SBOM Utility (sbom-utility)
  publisher: CycloneDX
  description: Utility that provides an API platform for validating, querying and managing BOM data
  repoUrl: https://github.com/cyclonedx/sbom-utility
  websiteUrl: https://github.com/cyclonedx/sbom-utility
  categories:
    - opensource
    - build-integration
    - analysis
- name: License Scanner
  publisher: CycloneDX
  description: Utility that provides an API and CLI to identify licenses and legal terms outputting CycloneDX with relevant information
  repoUrl: https://github.com/CycloneDX/license-scanner
  websiteUrl: https://github.com/CycloneDX/license-scanner
  categories:
    - opensource
    - build-integration
- name: gh-sbom
  publisher: GitHub
  description: Command Line Interface (CLI) extension to 'gh' that outputs CycloneDX JSON SBOMs from GitHub repositories using information from the Dependency graph
  repoUrl: https://github.com/advanced-security/gh-sbom
  websiteUrl: https://github.com/advanced-security/gh-sbom
  categories:
    - opensource
    - build-integration
- name: SecObserve
  publisher: MaibornWolff
  description: SecObserve gathers results about potential security flaws from various vulnerability scanning tools and makes them available for assessment and reporting.
  repoUrl: https://github.com/MaibornWolff/SecObserve
  websiteUrl: https://maibornwolff.github.io/SecObserve
  categories:
    - opensource
    - analysis
- name: Abom
  publisher: Vulert.com
  description: Vulert's Abom scanner can monitor and alert you in real-time for open-source vulnerabilities in your software, without requiring access to your code or installation. It uses only an SBOM or manifest file, such as a package-lock.json file. No signup is required.
  websiteUrl: https://vulert.com/abom
  categories:
  - proprietary
  - analysis
  - build-integration
- name: Vigiles
  publisher: Timesys
  description: Vulnerability monitoring and remediation tool that combines a curated CVE database, continuous security feeds, powerful filtering, and easy triage tools. Supports Yocto, Buildroot, PetaLinux, Wind River Linux, PTXdist, OpenWrt, and Timesys Factory.
  websiteUrl: https://www.timesys.com/solutions/vigiles-vulnerability-management/
  categories:
    - proprietary
    - analysis
    - build-integration
- name: Arnica
  publisher: Arnica
  description: Arnica puts your software supply chain security on autopilot. Arnica provides SBOM as part of its free (forever) offering in alignment with the CycloneDX standard.
  websiteUrl: https://www.arnica.io/
  categories:
    - proprietary
    - analysis
    - build-integration
- name: Technolinator
  publisher: MediaMarktSaturn Technology
  description: GitHub app for SBOM creation, vulnerability analysis and inventory taking using cdxgen, grype and Dependency-Track.
  websiteUrl: https://github.com/MediaMarktSaturn/technolinator
  categories:
    - opensource
    - github-app
- name: FACT
  publisher: aDolus Technology Inc.
  description: The aDolus FACT platform is the first advanced aggregation, analytics, and correlation engine that provides continuous cybersecurity risk intelligence to secure the software supply chain. FACT generates NTIA-compliant SBOMs including CycloneDX.
  websiteUrl: https://adolus.com
  categories:
  - proprietary
  - analysis
- name: Parlay
  publisher: Snyk
  description: A tool for enriching CycloneDX SBOMs with additional data such as vulnerability information, licences, external links, the maintainer, etc.
  repoUrl: https://github.com/snyk/parlay
  websiteUrl: https://github.com/snyk/parlay
  categories:
  - opensource
  - transform
- name: Beniva Software Bill of Materials (SBOM)
  publisher: Beniva
  description: Beniva SBOM allows you to consume CycloneDX SBOM and Vulnerability Exploitability eXchange (VEX) within the ServiceNow platform which increases visibility of vulnerabilities and reduces time to remediate.
  repoUrl:
  websiteUrl: https://store.servicenow.com/sn_appstore_store.do#!/store/application/1f62663a1ba19dd06921a821604bcb98
  categories:
    - proprietary
    - analysis
- name: bombon
  publisher: nikstur
  description: Automagically build CycloneDX Software Bills of Materials (SBOMs) for Nix packages
  repoUrl: https://github.com/nikstur/bombon
  websiteUrl: https://github.com/nikstur/bombon
  categories:
    - opensource
    - build-integration
- name: Continuous Clearing
  publisher: Siemens
  description: The Continuous Clearing Tool scans and collects the 3rd party OSS components used in a NPM/NuGet/Debian/Maven project along with CycloneDX SBOMs and uploads it to SW360 and Fossology by accepting respective project ID for license clearing.
  repoUrl: https://github.com/siemens/continuous-clearing
  websiteUrl: https://github.com/siemens/continuous-clearing
  categories:
    - opensource
    - analysis
- name: CaPyCli - Clearing Automation for SW360
  publisher: Siemens
  description: Python CLI tool for generating, comparing, and merging SBOMs for several programming language ecosystems, as well as mapping, importing, and exporting them against a SW360 component database.
  repoUrl: https://github.com/sw360/capycli
  websiteUrl: https://github.com/sw360/capycli
  categories:
    - opensource
    - analysis
    - build-integration
- name: cyclonedx-editor-validator
  publisher: Festo SE & Co. KG
  description: Tool for creating, modifying and validating CycloneDX SBOMs.
  repoUrl: https://github.com/Festo-se/cyclonedx-editor-validator
  websiteUrl: https://github.com/Festo-se/cyclonedx-editor-validator
  categories:
    - opensource
- name: vsm-sbom-booster
  publisher: LeanIX
  description: A central CycloneDX SBOM generation tool that can accelerate your VSM onboarding
  repoUrl: https://github.com/leanix/vsm-sbom-booster
  websiteUrl: https://github.com/leanix/vsm-sbom-booster
  categories:
    - opensource
    - build-integration
- name: asdf-cyclonedx
  publisher: Xeed.IO, LLC
  description: cyclonedx plugin for the asdf version manager.
  repoUrl: https://github.com/xeedio/asdf-cyclonedx
  websiteUrl: https://github.com/xeedio/asdf-cyclonedx
  categories:
    - opensource
    - build-integration
- name: cdx-central
  publisher: nscuro
  description: CLI utility to download public CycloneDX SBOMs from Maven Central
  repoUrl: https://github.com/nscuro/cdx-central
  websiteUrl: https://github.com/nscuro/cdx-central
  categories:
    - opensource
    - distribute
- name: cdx-vs-cdx
  publisher: marcosanchotene
  description: GUI tool to compare two SBOMs in CycloneDX JSON format.
  repoUrl: https://github.com/marcosanchotene/cdx-vs-cdx
  websiteUrl: https://github.com/marcosanchotene/cdx-vs-cdx
  categories:
    - opensource
    - analysis
- name: cyclonedx-npm-pipe
  publisher: ShiftLeftCyber
  description: A Bitbucket Pipe which generates a CycloneDX compliant sBOM for a node/npm project
  repoUrl: https://github.com/shiftleftcyber/cyclonedx-npm-pipe
  websiteUrl: https://shiftleftcyber.io
  categories:
    - opensource
    - build-integration
- name: macaron
  publisher: Oracle
  description: A supply chain security analysis tool and policy engine that checks conformance to
    frameworks, such as SLSA. It integrates CycloneDX SBOM generator tools or takes an existing
    CycloneDX SBOM as input if available.
  repoUrl: https://github.com/oracle/macaron
  websiteUrl: https://oracle.github.io/macaron/
  categories:
    - opensource
    - analysis
- name: kbom - Kubernetes Bill of Materials powered by KSOC
  publisher: KSOC
  description: KSOC's open source CLI tool generates a Kubernetes Bill of Materials; basically an SBOM, but for a K8s cluster. Details of the cluster include size, capacity, cloud info, control plane, nodes, OS and more. KBOM supports CycloneDX as a output format.
  repoUrl: https://github.com/ksoclabs/kbom
  websiteUrl: https://github.com/ksoclabs/kbom
  categories:
  - opensource
  - analysis
- name: SBOM Scorecard
  publisher: eBay
  description: A tool that aims to quantify what a well-generated SBOM looks like, generating a score based on specification compliance of the SBOM, generation metadata, and direct dependencies. Support CycloneDX, SPDX, and Syft.
  repoUrl: https://github.com/eBay/sbom-scorecard
  websiteUrl: https://github.com/eBay/sbom-scorecard
  categories:
  - opensource
  - analysis
- name: SBOM Observer
  publisher: Bytesafe
  description: SBOM Observer provides a comprehensive SBOM workflow to help you manage your software supply chain. Leverage the powerful combination of the Policy Engine and Operational Model to guarantee the security and compliance of your software.
  websiteUrl: https://sbom.observer/
  categories:
  - proprietary
  - analysis
  - build-integration
  - author
  - distribute
- name: SBOM Assembler
  publisher: Interlynk.io
  description: sbomasm is a command line utility tool to assemble product SBOM from component SBOMs for easier management and distribution.
  repoUrl: https://github.com/interlynk-io/sbomasm
  websiteUrl: https://www.interlynk.io/
  categories:
    - opensource
    - transform
    - build-integration
- name: Neo4Cyclone
  publisher: Javier Dominguez
  description: Neo4Cyclone is a tool that allows you to visualise your SBOMs using Neo4J.
  repoUrl: https://github.com/javixeneize/neo4cyclone
  websiteUrl: https://github.com/javixeneize/neo4cyclone
  categories:
    - opensource
    - analysis
- name: SBOMcenter
  publisher: Codenotary Inc
  description: SBOMcenter.io is a free service to get insights into the ingredients of your software for free and without any software.
  websiteUrl: https://sbomcenter.io
  categories:
    - distribute
    - analysis
- name: SBOM.sh
  publisher: Codenotary Inc
  description: SBOM.sh is a free service to store, visualize and globally share CycloneDX SBOM files by simply using HTTP requests or curl.
  websiteUrl: https://sbom.sh
  categories:
    - distribute
    - build-integration
- name: Vulnerabilities.io
  publisher: Vulnerabilities Input Output Limited
  description: Generates CycloneDX Software Bill of Materials (SBOM) and visualisations for an entire organizations codebase through integrations with source control systems. Enables organizations to manage overall supply chain risk.
  websiteUrl: https://vulnerabilities.io
  categories:
  - distribute
  - build-integration
  - proprietary
  - github-app
  - analysis
  - author
- name: Athena
  publisher: Medical Aegis Inc
  description: Athena is a SaaS solution for medical device makers that overlays the product development lifecycle to address risks before devices go to market.
  websiteUrl: https://medicalaegis.com
  categories:
    - proprietary
    - analysis
- name: Semgrep
  publisher: Semgrep Inc
  description: Semgrep is an application security platform where developers can scan for vulnerabilities in code (SAST), in OSS dependencies (SCA), and secrets. Semgrep creates CycloneDX SBOMs that enrich vulnerabilities with reachability analysis.
  websiteUrl: https://semgrep.dev
  categories:
    - opensource
    - proprietary
    - analysis
    - build-integration
- name: sbom-swissarmy-bitbucket-pipe
  publisher: ShiftLeftCyber
  description: A Bitbucket Pipe containing a collection of open source tools to perform additionl analysis on a CycloneDX or SPDX sBOM.
  repoUrl: https://github.com/shiftleftcyber/sbom-utilities-pipe
  websiteUrl: https://shiftleftcyber.io
  categories:
    - opensource
    - build-integration
    - analysis
- name: cyclonedx-merge
  publisher: fnxpt
  description: Tool to merge cyclonedx files (json/xml)
  repoUrl: https://github.com/fnxpt/cyclonedx-merge
  websiteUrl: https://github.com/fnxpt/cyclonedx-merge
  categories:
    - opensource
    - transform
- name: cyclonedx-enrich
  publisher: fnxpt
  description: Enrich cyclonedx files with a pattern
  repoUrl: https://github.com/fnxpt/cyclonedx-enrich
  websiteUrl: https://github.com/fnxpt/cyclonedx-enrich
  categories:
    - opensource
    - transform
- name: sbom-rs
  publisher: Paul Sastrasinh
  description: A group of Rust projects for interacting with and producing software bill of materials (SBOMs).
  repoUrl: https://github.com/psastras/sbom-rs
  websiteUrl: https://github.com/psastras/sbom-rs
  categories:
  - opensource
  - build-integration
  - github-action
- name: MLBOMdoc
  publisher: Anthony Harrison
  description: A command line tool which produces a human-readable representation of a CycloneDX ML Bill of Materials (MLBOM). Output formats include PDF and Markdown.
  repoUrl: https://github.com/anthonyharrison/mlbomdoc
  websiteUrl: https://pypi.org/project/mlbomdoc/
  categories:
  - opensource
  - analysis
- name: SBOMTrend
  publisher: Anthony Harrison
  description: A command line tool which analyses a set of SBOMs to identify license and version changes in components.
  repoUrl: https://github.com/anthonyharrison/sbomtrend
  websiteUrl: https://pypi.org/project/sbomtrend/
  categories:
  - opensource
  - analysis
- name: Oligo Runtime SBOM
  publisher: Oligo
  description: Oligo Security delivers instant insights into actively executed libraries, assessing open source risks and confirming exploitability. It enables CycloneDX SBOM creation and auto-generates VEX.
  websiteUrl: https://www.oligo.security/
  categories:
  - proprietary
  - analysis
- name: bogrod
  publisher: productaize
  description: A command line tool to manage SBOM and VEX like source code and to distribute SBOMs to notaries.
  repoUrl: https://github.com/productaize/bogrod
  websiteUrl: https://pypi.org/project/bogrod/
  categories:
  - opensource
  - analysis
  - distribute
- name: SUM Platform
  publisher: Security Pattern
  description: SBOM management and vulnerability monitoring platform for IoT and embedded systems. Show compliance to regulations and standards and manage risk across the entire product lifecycle.
  websiteUrl: https://www.securitypattern.com/sumplatform
  categories:
  - proprietary
  - analysis
  - build-integration
- name: SBOM Vendor Management
  publisher: SettleTop, Inc.
  description: Manage, assess, store and monitor all your vendor’s SBOMs in one secure, centralized dashboard to improve supply chain security.
  websiteUrl: https://www.settletop.com/sbom
  categories:
  - proprietary
  - analysis
- name: Rollup Plugin SBOM
  publisher: Jan Biasi
  description: Creates CycloneDX SBOMs for frontend Javascript applications that have  been bundled with rollup or vite.
  repoUrl: https://github.com/janbiasi/rollup-plugin-sbom
  websiteUrl: https://github.com/janbiasi/rollup-plugin-sbom
  categories:
  - opensource
  - build-integration
- name: Product Security Hub (PSH)
  publisher: Product Security Hub, LLC
  description: Product Security Hub (PSH) is a cloud-based tool that provides capabilities to import, export, view, create, edit, and transform CycloneDX SBOMs and human-readable SBOMs, as well as view, add, and edit vulnerabilities as VEX data within CycloneDX SBOMs.
  websiteUrl: https://www.ProductSecurityHub.com/
  categories:
  - proprietary
  - analysis
  - transform
  - author
- name: Surfactant
  publisher: LLNL
  description: A modular framework for extracting file information and relationships for filesystems, with an SBOM as the primary output. Also supports limited SBOM merging, editing, and conversion between formats. Several of the supported file types include PE (both native and .NET), ELF, and MSI files.
  repoUrl: https://github.com/LLNL/Surfactant
  websiteUrl: https://github.com/LLNL/Surfactant
  categories:
  - opensource
  - transform
  - library
- name: Chainloop
  publisher: Chainloop
  description: Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, QA reports, and more.
    Leverage third party integrations such as Dependency-Track for SBOM analysis or a blob storage/OCI registry.
  repoUrl: https://github.com/chainloop-dev/chainloop
  websiteUrl: https://github.com/chainloop-dev/chainloop
  categories:
  - opensource
  - signing-notary
  - build-integration
- name: Threatrix
  publisher: Threatrix
  description: Threatrix CodeCertify platform provides a solution for producing a comprehensive and accurate, singular, CycloneDX bill of materials from multiple sources. Projects may be created with a combination of CycloneDX, SPDX, compressed source, COTS distributions and connections to your source control system. Policies can be created from these artifacts and enforced in your developers IDE or during PR builds.
  websiteUrl: https://threatrix.io
  categories:
  - proprietary
  - analysis
  - transform
  - author
  - build-integration
  - distribute
  - github-app
  - github-action
- name: cyclonedx_deps_to_mermaid.xsl
  publisher: Jan Kowalleck
  description: Extensible Stylesheet Language Transformations (XSLT) to translate CycloneDX dependency graph to mermaid chart.
  websiteUrl: https://gist.github.com/jkowalleck/a0f874ee0a8af9a56a0e887631fc53d1
  repoUrl: https://gist.github.com/jkowalleck/a0f874ee0a8af9a56a0e887631fc53d1
  categories:
  - transform
  - opensource
- name: cdx-enrich
  publisher: Michael Tsfoni
  description: Enriches a CycloneDX Software Bills of Material (SBOM) with predefined data.
  websiteUrl: https://github.com/mtsfoni/cdx-enrich
  repoUrl: https://github.com/mtsfoni/cdx-enrich
  categories:
  - build-integration
  - opensource
- name: Meta Package Manager
  publisher: Kevin Deldycke
  description: Export a SBOM of all packages installed on a Linux, macOS or Windows system.
  websiteUrl: https://github.com/kdeldycke/meta-package-manager
  repoUrl: https://github.com/kdeldycke/meta-package-manager
  categories:
  - build-integration
  - opensource
- name: BOMSkope
  publisher: Netskope
  description: BOMSkope is a web-based Software Bill of Materials manager designed to streamline the tracking of vendor components. It enables the identification and monitoring of potential vulnerabilities in vendor software, enhancing visibility into your overall security posture.
  websiteUrl: https://github.com/netskopeoss/BOMSkope
  repoUrl: https://github.com/netskopeoss/BOMSkope
  categories:
  - analysis
  - opensource
- name: CVE Scan
  publisher: The Embedded Kit
  description: CVE Scan helps detect and mitigate security vulnerabilities in embedded systems. With accurate SBOM generation, cross-referencing with public databases, CI integration, filtering, annotations, and a web interface, it streamlines security maintenance.
  websiteUrl: https://theembeddedkit.io/cve-scan-linux-vulnerability-scanner/
  categories:
  - proprietary
  - analysis
- name: nim_lk
  publisher: Emery Hemingway
  description: Create and update SBOMs for the Nim programing language. Includes a translation module for the Nimble package manager as well as a Nix expression for building packages from SBOMs.
  websiteUrl: https://git.sr.ht/~ehmry/nim_lk
  repoUrl: https://git.sr.ht/~ehmry/nim_lk
  categories:
  - author
  - build-integration
  - opensource
- name: Bitbucket Pipe for SBOM Generation
  publisher: ShiftLeftCyber
  description: Integrate this Bitbucket Pipe into your CI/CD pipeline to automatically generate a Software Bill of Materials (SBOM) for any project.
  repoUrl: https://github.com/shiftleftcyber/syft-bitbucket-pipe
  websiteUrl: https://shiftleftcyber.io
  categories:
    - opensource
    - build-integration
- name: Sonar Cryptography Plugin
  publisher: IBM
  description: A SonarQube Plugin that detects cryptographic assets in source code and generates CBOM.
  websiteUrl: https://github.com/IBM/sonar-cryptography
  repoUrl: https://github.com/IBM/sonar-cryptography
  categories:
  - analysis
  - opensource
- name: CBOM Viewer
  publisher: IBM
  description: A Web Service to visualize and explore the use of cryptography in software with Cryptography Bills of Materials (CBOM).
  websiteUrl: https://www.zurich.ibm.com/cbom/
  categories:
  - analysis
  - proprietary
- name: CBOMkit
  publisher: IBM
  description: CBOMkit is a toolset for generating, viewing, checking and storing Cryptography Bills of Materials (CBOM).
  websiteUrl: https://github.com/IBM/cbomkit
  repoUrl: https://github.com/IBM/cbomkit
  categories:
  - opensource
- name: CBOMkit-theia
  publisher: IBM
  description: A tool that detects cryptographic assets in container images as well as directories and generates Cryptography Bills of Materials (CBOM).
  websiteUrl: https://github.com/IBM/cbomkit-theia
  repoUrl: https://github.com/IBM/cbomkit-theia
  categories:
  - opensource
- name: Cyberwatch
  publisher: Cyberwatch
  description: Cyberwatch Vulnerability Manager is a comprehensive vulnerability management solution. It allows you to discover your assets, scan and prioritize vulnerabilities, make the right decisions and fix vulnerabilities.
  websiteUrl: https://cyberwatch.fr/en/
  categories:
  - proprietary
  - analysis
- name: sbomify
  publisher: sbomify
  description: sbomify is a comprehensive SBOM management platform that enables secure sharing and analysis of Software Bill of Materials. Seamlessly integrates with CI/CD pipelines and analysis tools for enhanced software supply chain visibility.
  websiteUrl: https://sbomify.com
  categories:
  - analysis
  - proprietary
  - github-action
  - build-integration
  - distribute
  - transform
- name: Sunshine
  publisher: CycloneDX
  description: Sunshine is an open-source SBOM visualization tool.
  websiteUrl: https://cyclonedx.github.io/Sunshine/
  repoUrl: https://github.com/CycloneDX/Sunshine/
  categories:
  - opensource
  - analysis
- name: SOOS
  publisher: SOOS
  description: Automate your software inventory. SOOS creates, ingests, and manages your Software Bill of Materials and uses patented SCA and the largest open-source SBOM database to find hidden vulnerabilities, license issues, and dependencies sooner.
  websiteUrl: https://soos.io
  categories:
  - analysis
  - proprietary
  - github-action
  - github-app
  - build-integration
  - distribute
  - transform
  - author
- name: Noma
  publisher: Noma Security
  description: Noma provides an AI Application Security Platform for the entire AI lifecycle, focusing on automatic AI asset discovery and ML-BOM, AI supply chain risk management, and AI runtime protection, enabling trustworthy and secure AI adoption.
  websiteUrl: https://noma.security
  categories:
  - analysis
  - proprietary

# `description` will be truncated at 250 characters
# `categories` values MUST be the keys from `tool-categories.yml` file