Automic VaultAutomic Vault

brew

Install bom with Homebrew, Nix, scoop, zypper

Utility to generate SPDX-compliant Bill of Materials manifests. Version 0.7.1 via Homebrew; verified from local package data.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install bom

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#bom

nixpkgs package indexes · pkgs/by-name/bo/bom/package.nix · source: api.github.com

openSUSE zypperverified · 92%
sudo zypper install bom

openSUSE Tumbleweed package metadata · bom · source: download.opensuse.org

Windows

Scoopverified · 92%
scoop install main/bom

Scoop official bucket manifest trees · bucket/bom.json · source: api.github.com

overview

Package summary

Utility to generate SPDX-compliant Bill of Materials manifests

Commands and aliases

  • bom

history

Project history and usage

bom is the Kubernetes SIGs SBOM multitool for creating, viewing, and transforming Software Bills of Materials, especially SPDX documents.

Project history

The official README says bom was created as part of the effort to create an SBOM for the Kubernetes project. It later became a general-purpose CLI that can generate SPDX packages from directories, container images, single files, archives, and other sources.

The project is associated with the Linux Foundation's Automating Compliance Tooling Technical Advisory Council, placing it in the supply-chain compliance tooling ecosystem rather than only in Kubernetes internals.

Adoption history

bom's adoption follows the post-SolarWinds supply-chain tooling wave: SBOMs became expected release artifacts, and Kubernetes needed tooling that could fit CI, container images, Go dependency analysis, SPDX output, and in-toto provenance workflows. The input package facts list Homebrew, Nix, Scoop, and zypper packaging.

How it is used

Common usage is `bom generate` against a directory, file list, archive, or image, then `bom document` to inspect or query the resulting SPDX document. The README also documents license classification, `.gitignore` support, Go dependency analysis, and provenance export.

Why package nerds care

bom is package-nerd significant because it is tooling about packages themselves: it turns source trees, images, and dependencies into machine-readable supply-chain metadata. It sits where package management, compliance, SPDX, Kubernetes release engineering, and container provenance meet.

Timeline

  • 2021: bom appears in Kubernetes SIG tooling around the Kubernetes SBOM effort.
  • 2020s: bom grows into a general-purpose SPDX SBOM generator for files, directories, archives, container images, and Go dependencies.
  • 2020s: The project is incubated under the Linux Foundation Automating Compliance Tooling TAC.

Related projects

  • Related projects include Kubernetes, SPDX, in-toto, Syft, CycloneDX tooling, cosign, and other software supply-chain inventory tools.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
bomcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.7.1
manager updated
local dataok
upstreamcurrent
latest detectedv0.7.1

https://github.com/kubernetes-sigs/bom

  • infoNo package-manager update timestamp was available.low confidence

install metadata

Package metadata

Package keybrew:bom
Version0.7.1
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/bom
Homepagehttps://kubernetes-sigs.github.io/bom/
Repositoryhttps://github.com/kubernetes-sigs/bom
Upstream docshttps://kubernetes-sigs.github.io/bom
LicenseApache-2.0
Source archivehttps://github.com/kubernetes-sigs/bom/archive/refs/tags/v0.7.1.tar.gz
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namebom
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

bom

nix profile install nixpkgs#bom
  • normalized package name match
  • Matched by: Bom
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/bo/bom/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
zypper95%

bom 1.0.1-1.15

Deals with Unicode byte order marks

https://github.com/archiecobbs/bom

sudo zypper install bom
  • License: Apache-2.0
  • Category: Productivity/File utilities
  • Architecture: x86_64
  • Source Package: bom
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Bom
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: bom from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
Scoop95%

main/bom

scoop install main/bom
  • normalized package name match
  • Matched by: Bom
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/bom.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment