Generate SPDX SBOMs from GoMod, npm, PyPI, Maven, Cargo, and more. Note: this project was archived January 2025 — Trivy or Syft are recommended for new projects.
Ecosystems: Go, Node.js, Python, Java, Rust, PHP, Ruby, Swift, .NET. Type: CLI tool. Output format: SPDX.
Install & scan
# Binary download (macOS/Linux/Windows) — last release v0.0.15
# https://github.com/opensbom-generator/spdx-sbom-generator/releases
# macOS Homebrew
$ brew install spdx-sbom-generator

# Generate SPDX SBOM for the current project
$ spdx-sbom-generator -p . -o ./sbom/

# JSON format and SPDX 2.3
$ spdx-sbom-generator -p . -o ./sbom/ -f json -s 2.3
Run SPDX SBOM Generator in CI
Scan on every push and upload the results to Vulnetix:
# Note: using Trivy as the recommended modern alternative
- name: Generate SPDX SBOM
  run: trivy fs . --format spdx-json --output sbom.spdx.json
- name: Upload SBOM to Vulnetix
  run: vulnetix upload --file sbom.spdx.json
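Before the upload step it is worth failing the job if the generated SPDX JSON lacks the package identity data a vulnerability matcher needs (a name and version per package, and a DESCRIBES relationship from the document). The check below is an added example, not code from this page or from the spdx-sbom-generator project; it runs against a small constructed SPDX 2.3 document embedded inline and relies only on the standard SPDX JSON field names (spdxVersion, packages, relationships).

```python
import json

# Constructed SPDX 2.3 JSON document for demonstration only, not real tool output.
# The second package deliberately omits versionInfo so the check has something to flag.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-project",
    "packages": [
        {"SPDXID": "SPDXRef-Package-gomod", "name": "github.com/example/lib",
         "versionInfo": "v1.2.3", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Package-nover", "name": "left-pad"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-gomod"},
    ],
})


def check_sbom(text, want_version="SPDX-2.3"):
    """Return a list of problems found in an SPDX JSON document; empty means it passes."""
    doc = json.loads(text)
    problems = []
    if doc.get("spdxVersion") != want_version:
        problems.append(f"spdxVersion is {doc.get('spdxVersion')!r}, expected {want_version}")
    packages = doc.get("packages", [])
    if not packages:
        problems.append("no packages listed")
    ids = set()
    for pkg in packages:
        pid = pkg.get("SPDXID", "<no id>")
        if pid in ids:
            problems.append(f"duplicate SPDXID {pid}")
        ids.add(pid)
        if not pkg.get("name"):
            problems.append(f"{pid}: missing name")
        if not pkg.get("versionInfo"):
            # Without a version, advisory matching (and EPSS/KEV prioritisation) cannot work.
            problems.append(f"{pid}: missing versionInfo (cannot match advisories)")
    described = {r.get("relatedSpdxElement") for r in doc.get("relationships", [])
                 if r.get("relationshipType") == "DESCRIBES"}
    if not described:
        problems.append("no DESCRIBES relationship from the document")
    elif not described <= ids:
        problems.append(f"DESCRIBES targets unknown SPDXID(s): {sorted(described - ids)}")
    return problems


if __name__ == "__main__":
    for problem in check_sbom(SAMPLE_SBOM):
        print("WARN:", problem)
```

In a pipeline, exit non-zero when the returned list is non-empty so an incomplete SBOM never reaches the upload step.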
Centralise SPDX SBOM Generator results in Vulnetix
Upload SPDX SBOM Generator SPDX output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.