Automic VaultAutomic Vault

brew

Install bomber with Homebrew, apt, dnf, MacPorts, pacman, winget, zypper

Scans Software Bill of Materials for security vulnerabilities. Version 0.5.1 via Homebrew; verified 2026-06-15.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install bomber

local Homebrew formula metadata

MacPortsverified · 94%
sudo port install bomber

MacPorts ports tree · kde/bomber/Portfile · source: api.github.com

Linux

Debian aptverified · 92%
sudo apt install bomber

Debian stable package indexes · bomber · source: deb.debian.org

Fedora dnfverified · 92%
sudo dnf install bomber

Fedora Rawhide package metadata · bomber · source: dl.fedoraproject.org

Arch Linux pacmanverified · 92%
sudo pacman -S bomber

Arch Linux sync databases · bomber · source: geo.mirror.pkgbuild.com

openSUSE zypperverified · 92%
sudo zypper install bomber

openSUSE Tumbleweed package metadata · bomber · source: download.opensuse.org

Windows

Windows Package Managerverified · 92%
winget install --id KDE.Bomber -e

Windows Package Manager source index · KDE.Bomber · source: cdn.winget.microsoft.com

overview

Package summary

Scans Software Bill of Materials for security vulnerabilities

Commands and aliases

  • bomber

history

Project history and usage

bomber is a DevSecOps command-line scanner for Software Bill of Materials files. It reads CycloneDX, SPDX, and Syft SBOMs and checks listed components against vulnerability providers.

Project history

The Git repository begins in July 2022, with the first tagged public release following in August 2022. The README describes the project as a response to a practical SBOM question: after receiving a vendor SBOM for closed-source software, users need a fast way to identify component vulnerabilities and license risk.

The project evolved through v0.3 and v0.4 releases in 2022 and 2023, then v0.5 in 2024. Its README labels the project beta while documenting a broad feature set around providers, output formats, ignore lists, severity filtering, data enrichment, and CI-friendly stdin scanning.

Adoption history

bomber belongs to the post-SBOM-surge security tooling ecosystem. The input package metadata lists Homebrew plus Linux distribution packages, MacPorts, Pacman, Ubuntu, and zypper, reflecting adoption as a portable security CLI rather than a library embedded in applications.

How it is used

Typical use is `bomber scan` against one SBOM file or a directory of SBOMs. The README documents OSV as the default no-credential provider, with optional GitHub Advisory Database, Sonatype OSS Index, and Snyk providers, plus stdout, HTML, JSON, and Markdown output modes.

Why package nerds care

bomber is package-nerd relevant because it treats package metadata itself as the object of security analysis. It sits downstream of SBOM generators such as Syft and normalizes vulnerability lookup across package ecosystems and advisory providers.

Timeline

  • 2022-07-08: Initial repository commit.
  • 2022-08-22: v0.1.0 tag and initial public version.
  • 2022-09-19: v0.3.0 tag appears during rapid early development.
  • 2023-12-13: v0.4.8 tag appears.
  • 2024-08-15: v0.5.0 tag appears.
  • 2024-09-23: v0.5.1 tag appears.

Related projects

  • CycloneDX, SPDX, and Syft are documented input SBOM formats.
  • OSV, GitHub Advisory Database, Sonatype OSS Index, and Snyk are documented vulnerability providers.
  • Syft is a common companion tool because it can generate an SBOM and pipe it directly into bomber.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
bombercliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.5.1
manager updated2026-06-15
local dataok
upstreamcurrent
latest detectedv0.5.1

https://github.com/devops-kung-fu/bomber

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:bomber
Version0.5.1
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/bomber
Homepagehttps://devops-kung-fu.github.io/bomber/
Repositoryhttps://github.com/devops-kung-fu/bomber
Upstream docshttps://devops-kung-fu.github.io/bomber
LicenseMPL-2.0
Source archivehttps://github.com/devops-kung-fu/bomber/archive/refs/tags/v0.5.1.tar.gz
Last updated2026-06-15T10:20:11-04:00
Pulseupdated
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namebomber
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Debian apt95%

bomber 4:25.04.0-1

arcade spaceship game

https://apps.kde.org/bomber/

sudo apt install bomber
  • Section: games
  • Architecture: amd64
  • 16 dependencies
  • 1 optional deps
  • normalized package name match
  • Matched by: Bomber
Debian stable package indexes · deb.debian.org · Debian stable package indexes: bomber from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
Ubuntu apt95%

bomber 4:23.08.5-0ubuntu3

arcade spaceship game

http://games.kde.org/

sudo apt install bomber
  • Section: universe/games
  • Architecture: amd64
  • 16 dependencies
  • 1 optional deps
  • normalized package name match
  • Matched by: Bomber
Ubuntu 24.04 LTS package indexes · archive.ubuntu.com · Ubuntu 24.04 LTS package indexes: bomber from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz
dnf95%

bomber 26.04.2-1.fc45

Arcade bombing game

https://invent.kde.org/games/bomber

sudo dnf install bomber
  • License: LGPL-2.0-or-later AND GFDL-1.2-or-later
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: bomber
  • 17 dependencies
  • 3 provides
  • normalized package name match
  • Matched by: Bomber
Fedora Rawhide package metadata · dl.fedoraproject.org · Fedora Rawhide package metadata: bomber from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst
pacman95%

bomber 26.04.2-1

A single player arcade game

https://apps.kde.org/bomber/

sudo pacman -S bomber
  • License: GPL-2.0-or-later AND LGPL-2.0-or-later
  • Architecture: x86_64
  • 13 dependencies
  • normalized package name match
  • Matched by: Bomber
Arch Linux sync databases · geo.mirror.pkgbuild.com · Arch Linux sync databases: bomber from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz
zypper95%

bomber 26.04.2-1.1

Game involving the invasion of cities with a plane

https://apps.kde.org/bomber

sudo zypper install bomber
  • License: GPL-2.0-or-later
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: bomber
  • 16 dependencies
  • 4 provides
  • normalized package name match
  • Matched by: Bomber
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: bomber from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
zypper95%

bomber-lang 26.04.2-1.1

Translations for package bomber

https://apps.kde.org/bomber

sudo zypper install bomber-lang
  • License: GPL-2.0-or-later
  • Category: System/Localization
  • Architecture: noarch
  • Source Package: bomber
  • 1 dependencies
  • 3 provides
  • normalized package name match
  • Matched by: Bomber
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: bomber-lang from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
MacPorts95%

bomber

sudo port install bomber
  • normalized package name match
  • Matched by: Bomber
MacPorts ports tree · api.github.com · MacPorts ports tree: kde/bomber/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
winget95%

KDE.Bomber

winget install --id KDE.Bomber -e
  • normalized package name match
  • Matched by: Bomber
Windows Package Manager source index · cdn.winget.microsoft.com · Windows Package Manager source index: KDE.Bomber from https://cdn.winget.microsoft.com/cache/source.msix

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment