# Install bom with Homebrew, Nix, scoop, zypper

Utility to generate SPDX-compliant Bill of Materials manifests. Version 0.7.1 via Homebrew; verified from local package data.

## Install

```sh
sudo av install brew:bom
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install bom
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#bom
```

  Evidence: nixpkgs package indexes: pkgs/by-name/bo/bom/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- zypper (92%):

```sh
sudo zypper install bom
```

  Evidence: openSUSE Tumbleweed package metadata: bom from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

### Windows

- Scoop (92%):

```sh
scoop install main/bom
```

  Evidence: Scoop official bucket manifest trees: bucket/bom.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:bom
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/bom>
- **Version:** 0.7.1
- **Source summary:** Utility to generate SPDX-compliant Bill of Materials manifests
- **Homepage:** <https://kubernetes-sigs.github.io/bom/>
- **Repository:** <https://github.com/kubernetes-sigs/bom>
- **Upstream docs:** <https://kubernetes-sigs.github.io/bom>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/kubernetes-sigs/bom/archive/refs/tags/v0.7.1.tar.gz>
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- bom (cli)
- bom (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.7.1
- Local data: ok
- Upstream repository: https://github.com/kubernetes-sigs/bom
- Upstream latest detected: v0.7.1 (current)
- info: No package-manager update timestamp was available.
## Project history and usage

bom is the Kubernetes SIGs SBOM multitool for creating, viewing, and transforming Software Bills of Materials, especially SPDX documents.

### Project history

The official README says bom was created as part of the effort to create an SBOM for the Kubernetes project. It later became a general-purpose CLI that can generate SPDX packages from directories, container images, single files, archives, and other sources.

The project is associated with the Linux Foundation's Automating Compliance Tooling Technical Advisory Council, placing it in the supply-chain compliance tooling ecosystem rather than only in Kubernetes internals.

### Adoption history

bom's adoption follows the post-SolarWinds supply-chain tooling wave: SBOMs became expected release artifacts, and Kubernetes needed tooling that could fit CI, container images, Go dependency analysis, SPDX output, and in-toto provenance workflows. The input package facts list Homebrew, Nix, Scoop, and zypper packaging.

### How it is used

Common usage is `bom generate` against a directory, file list, archive, or image, then `bom document` to inspect or query the resulting SPDX document. The README also documents license classification, `.gitignore` support, Go dependency analysis, and provenance export.

### Why package nerds care

bom is package-nerd significant because it is tooling about packages themselves: it turns source trees, images, and dependencies into machine-readable supply-chain metadata. It sits where package management, compliance, SPDX, Kubernetes release engineering, and container provenance meet.

### Timeline

- 2021: bom appears in Kubernetes SIG tooling around the Kubernetes SBOM effort.
- 2020s: bom grows into a general-purpose SPDX SBOM generator for files, directories, archives, container images, and Go dependencies.
- 2020s: The project is incubated under the Linux Foundation Automating Compliance Tooling TAC.

### Related projects

- Related projects include Kubernetes, SPDX, in-toto, Syft, CycloneDX tooling, cosign, and other software supply-chain inventory tools.

### Sources

- <https://github.com/kubernetes-sigs/bom#readme>
- <https://kubernetes-sigs.github.io/bom>
- input.source_facts.package-manager


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** bom
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - bom: normalized package name match | nixpkgs package indexes: pkgs/by-name/bo/bom/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- zypper - bom - 1.0.1-1.15: normalized package name match | openSUSE Tumbleweed package metadata: bom from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Deals with Unicode byte order marks | https://github.com/archiecobbs/bom
- Scoop - main/bom: normalized package name match | Scoop official bucket manifest trees: bucket/bom.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1


## Related links

- [Cloud CLI packages](https://www.automicvault.com/pkg/cloud-clis/) - Belongs to a cloud or infrastructure command family.
- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [tern](https://www.automicvault.com/pkg/brew/tern/) - Shares av.db curated category or tags: cli, sbom, security, software-supply-chain, spdx.
- [cdxgen](https://www.automicvault.com/pkg/brew/cdxgen/) - Shares av.db curated category or tags: cli, sbom, security, software-supply-chain.
- [chainloop-cli](https://www.automicvault.com/pkg/brew/chainloop-cli/) - Shares av.db curated category or tags: cli, sbom, security, software-supply-chain.
- [cyclonedx-gomod](https://www.automicvault.com/pkg/brew/cyclonedx-gomod/) - Shares av.db curated category or tags: cli, sbom, security, software-supply-chain.
- [cyclonedx-python](https://www.automicvault.com/pkg/brew/cyclonedx-python/) - Shares av.db curated category or tags: cli, sbom, security, software-supply-chain.
- [sbom-tool](https://www.automicvault.com/pkg/brew/sbom-tool/) - Shares av.db curated category or tags: cli, sbom, security, software-supply-chain.
- [scorecard](https://www.automicvault.com/pkg/brew/scorecard/) - Shares av.db curated category or tags: cli, security, software-supply-chain, supply-chain.
- [syft](https://www.automicvault.com/pkg/brew/syft/) - Shares av.db curated category or tags: cli, sbom, security, software-supply-chain.

## Combined YAML source

View the package source record on GitHub. [combined/bom.yml](https://github.com/automic-vault/db/blob/main/combined/bom.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
