This is pretty cool: a brand new free @github tool for creating #SBOM data for your repos. Built on the dependency graph API—supports go, rust, npm, maven, and more. Both CDX and SPDX support!

I’d love to hear your thoughts.

https://github.com/advanced-security/gh-sbom

@allanfriedman @github What's a "SBOM"?
@barubary @github been doing this for so long, can’t quite tell if this is a clever troll or a legit request for info. Appreciated either way :)
@allanfriedman @github Request for info. I checked the linked README, but it just says "This is a gh CLI extension that outputs JSON SBOMs" without explaining any of those words.
@barubary @github fair! SBOM = software bill of materials, a mechanism for transparency into the software supply chain and understanding sw risks from dependencies. I’ll share some links shortly.