macOS
brew install bomlocal Homebrew formula metadata
brew
Utility to generate SPDX-compliant Bill of Materials manifests. Version 0.7.1 via Homebrew; verified from local package data.
install
brew install bomlocal Homebrew formula metadata
nix profile install nixpkgs#bomnixpkgs package indexes · pkgs/by-name/bo/bom/package.nix · source: api.github.com
sudo zypper install bomopenSUSE Tumbleweed package metadata · bom · source: download.opensuse.org
scoop install main/bomScoop official bucket manifest trees · bucket/bom.json · source: api.github.com
overview
Utility to generate SPDX-compliant Bill of Materials manifests
history
bom is the Kubernetes SIGs SBOM multitool for creating, viewing, and transforming Software Bills of Materials, especially SPDX documents.
The official README says bom was created as part of the effort to create an SBOM for the Kubernetes project. It later became a general-purpose CLI that can generate SPDX packages from directories, container images, single files, archives, and other sources.
The project is associated with the Linux Foundation's Automating Compliance Tooling Technical Advisory Council, placing it in the supply-chain compliance tooling ecosystem rather than only in Kubernetes internals.
bom's adoption follows the post-SolarWinds supply-chain tooling wave: SBOMs became expected release artifacts, and Kubernetes needed tooling that could fit CI, container images, Go dependency analysis, SPDX output, and in-toto provenance workflows. The input package facts list Homebrew, Nix, Scoop, and zypper packaging.
Common usage is `bom generate` against a directory, file list, archive, or image, then `bom document` to inspect or query the resulting SPDX document. The README also documents license classification, `.gitignore` support, Go dependency analysis, and provenance export.
bom is package-nerd significant because it is tooling about packages themselves: it turns source trees, images, and dependencies into machine-readable supply-chain metadata. It sits where package management, compliance, SPDX, Kubernetes release engineering, and container provenance meet.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
bom | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/kubernetes-sigs/bom
install metadata
| Package key | brew:bom |
|---|---|
| Version | 0.7.1 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/bom |
| Homepage | https://kubernetes-sigs.github.io/bom/ |
| Repository | https://github.com/kubernetes-sigs/bom |
| Upstream docs | https://kubernetes-sigs.github.io/bom |
| License | Apache-2.0 |
| Source archive | https://github.com/kubernetes-sigs/bom/archive/refs/tags/v0.7.1.tar.gz |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | bom |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
bom
nix profile install nixpkgs#bombom 1.0.1-1.15
Deals with Unicode byte order marks
https://github.com/archiecobbs/bom
sudo zypper install bommain/bom
scoop install main/bomsource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.