macOS
brew install bomberlocal Homebrew formula metadata
sudo port install bomberMacPorts ports tree · kde/bomber/Portfile · source: api.github.com
brew
Scans Software Bill of Materials for security vulnerabilities. Version 0.5.1 via Homebrew; verified 2026-06-15.
install
brew install bomberlocal Homebrew formula metadata
sudo port install bomberMacPorts ports tree · kde/bomber/Portfile · source: api.github.com
sudo apt install bomberDebian stable package indexes · bomber · source: deb.debian.org
sudo dnf install bomberFedora Rawhide package metadata · bomber · source: dl.fedoraproject.org
sudo pacman -S bomberArch Linux sync databases · bomber · source: geo.mirror.pkgbuild.com
sudo zypper install bomberopenSUSE Tumbleweed package metadata · bomber · source: download.opensuse.org
winget install --id KDE.Bomber -eWindows Package Manager source index · KDE.Bomber · source: cdn.winget.microsoft.com
overview
Scans Software Bill of Materials for security vulnerabilities
history
bomber is a DevSecOps command-line scanner for Software Bill of Materials files. It reads CycloneDX, SPDX, and Syft SBOMs and checks listed components against vulnerability providers.
The Git repository begins in July 2022, with the first tagged public release following in August 2022. The README describes the project as a response to a practical SBOM question: after receiving a vendor SBOM for closed-source software, users need a fast way to identify component vulnerabilities and license risk.
The project evolved through v0.3 and v0.4 releases in 2022 and 2023, then v0.5 in 2024. Its README labels the project beta while documenting a broad feature set around providers, output formats, ignore lists, severity filtering, data enrichment, and CI-friendly stdin scanning.
bomber belongs to the post-SBOM-surge security tooling ecosystem. The input package metadata lists Homebrew plus Linux distribution packages, MacPorts, Pacman, Ubuntu, and zypper, reflecting adoption as a portable security CLI rather than a library embedded in applications.
Typical use is `bomber scan` against one SBOM file or a directory of SBOMs. The README documents OSV as the default no-credential provider, with optional GitHub Advisory Database, Sonatype OSS Index, and Snyk providers, plus stdout, HTML, JSON, and Markdown output modes.
bomber is package-nerd relevant because it treats package metadata itself as the object of security analysis. It sits downstream of SBOM generators such as Syft and normalizes vulnerability lookup across package ecosystems and advisory providers.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
bomber | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/devops-kung-fu/bomber
install metadata
| Package key | brew:bomber |
|---|---|
| Version | 0.5.1 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/bomber |
| Homepage | https://devops-kung-fu.github.io/bomber/ |
| Repository | https://github.com/devops-kung-fu/bomber |
| Upstream docs | https://devops-kung-fu.github.io/bomber |
| License | MPL-2.0 |
| Source archive | https://github.com/devops-kung-fu/bomber/archive/refs/tags/v0.5.1.tar.gz |
| Last updated | 2026-06-15T10:20:11-04:00 |
| Pulse | updated |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | bomber |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
bomber 4:25.04.0-1
arcade spaceship game
sudo apt install bomberbomber 4:23.08.5-0ubuntu3
arcade spaceship game
sudo apt install bomberbomber 26.04.2-1.fc45
Arcade bombing game
https://invent.kde.org/games/bomber
sudo dnf install bomberbomber 26.04.2-1
A single player arcade game
sudo pacman -S bomberbomber 26.04.2-1.1
Game involving the invasion of cities with a plane
sudo zypper install bomberbomber-lang 26.04.2-1.1
Translations for package bomber
sudo zypper install bomber-langbomber
sudo port install bomberKDE.Bomber
winget install --id KDE.Bomber -esource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.