Integrate DISTRO2SBOM with Vulnetix. Generate SPDX or CycloneDX SBOMs from the installed packages on Linux (RPM/DEB), Windows, or FreeBSD systems. Ideal for OS-level supply chain visibility.
Linux distributions (RPM, DEB), Windows, FreeBSD | CLI tool | CycloneDX | SPDX
Install & scan
$ # Recommended: run without global install
uv run --with distro2sbom distro2sbom --version
# Install globally with pip
pip install distro2sbom

$ # Auto-detect distribution and generate CycloneDX SBOM
uv run --with distro2sbom distro2sbom --distro auto --system --sbom cyclonedx --format json -o distro-sbom.cdx.json
# Generate SPDX SBOM
uv run --with distro2sbom distro2sbom --distro auto --system --sbom spdx --format json -o distro-sbom.spdx.json
Run DISTRO2SBOM in CI
Scan on every push and upload the results to Vulnetix:
- name: Generate OS package SBOM
  run: |
    pip install distro2sbom
    distro2sbom --distro auto --system --sbom cyclonedx --format json -o distro-sbom.cdx.json
- name: Upload SBOM to Vulnetix
  run: vulnetix upload --file distro-sbom.cdx.json
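A pre-upload gate for the CI job above, as an added example that is not part of the original page, DISTRO2SBOM or Vulnetix: it fails when the CycloneDX JSON is empty or when components lack a version or purl, which makes them hard to match against advisories. The function name `check_sbom`, the sample data and the choice of checks are assumptions of this example.

```python
import json

# Constructed sample in CycloneDX JSON shape (not real distro2sbom output).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.2",
         "purl": "pkg:deb/ubuntu/openssl@3.0.2"},
        {"type": "library", "name": "zlib1g", "version": "",
         "purl": "pkg:deb/ubuntu/zlib1g"},
        {"type": "library", "name": "bash", "version": "5.1"},
    ],
})


def check_sbom(text, min_components=1):
    """Return a list of problems that would weaken vulnerability matching."""
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(bom, dict) or bom.get("bomFormat") != "CycloneDX":
        return ["bomFormat is not 'CycloneDX'"]
    problems = []
    components = bom.get("components") or []
    if len(components) < min_components:
        # An empty inventory usually means the package database was not visible.
        problems.append(f"only {len(components)} component(s); expected >= {min_components}")
    for comp in components:
        name = comp.get("name") or "<unnamed>"
        if not comp.get("version"):
            problems.append(f"{name}: missing version")
        if not comp.get("purl"):
            problems.append(f"{name}: missing purl")
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # CI use: python check_sbom.py distro-sbom.cdx.json
        with open(sys.argv[1], encoding="utf-8") as fh:
            issues = check_sbom(fh.read())
        print("\n".join(issues) or "SBOM looks usable")
        sys.exit(1 if issues else 0)
    print(check_sbom(SAMPLE_SBOM))  # demo on the constructed sample
```

Run it as a step between the generate and upload steps so a non-zero exit stops the job before an unusable SBOM is uploaded.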
Centralise DISTRO2SBOM results in Vulnetix
Upload DISTRO2SBOM CycloneDX or SPDX output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.