# Install bomber with Homebrew, apt, dnf, MacPorts, pacman, winget, zypper

Scans Software Bill of Materials for security vulnerabilities. Version 0.5.1 via Homebrew; verified 2026-06-15.

## Install

```sh
sudo av install brew:bomber
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install bomber
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install bomber
```

  Evidence: MacPorts ports tree: kde/bomber/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- Debian apt (92%):

```sh
sudo apt install bomber
```

  Evidence: Debian stable package indexes: bomber from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install bomber
```

  Evidence: Fedora Rawhide package metadata: bomber from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- pacman (92%):

```sh
sudo pacman -S bomber
```

  Evidence: Arch Linux sync databases: bomber from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install bomber
```

  Evidence: openSUSE Tumbleweed package metadata: bomber from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

### Windows

- winget (92%):

```sh
winget install --id KDE.Bomber -e
```

  Evidence: Windows Package Manager source index: KDE.Bomber from https://cdn.winget.microsoft.com/cache/source.msix

## Package facts

- **Package key:** brew:bomber
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/bomber>
- **Version:** 0.5.1
- **Source summary:** Scans Software Bill of Materials for security vulnerabilities
- **Homepage:** <https://devops-kung-fu.github.io/bomber/>
- **Repository:** <https://github.com/devops-kung-fu/bomber>
- **Upstream docs:** <https://devops-kung-fu.github.io/bomber>
- **License:** MPL-2.0
- **Source archive:** <https://github.com/devops-kung-fu/bomber/archive/refs/tags/v0.5.1.tar.gz>
- **Last updated:** 2026-06-15T10:20:11-04:00
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- bomber (cli)
- bomber (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.5.1
- Package-manager updated: 2026-06-15
- Local data: ok
- Upstream repository: https://github.com/devops-kung-fu/bomber
- Upstream latest detected: v0.5.1 (current)
## Project history and usage

bomber is a DevSecOps command-line scanner for Software Bill of Materials files. It reads CycloneDX, SPDX, and Syft SBOMs and checks listed components against vulnerability providers.

### Project history

The Git repository begins in July 2022, with the first tagged public release following in August 2022. The README describes the project as a response to a practical SBOM question: after receiving a vendor SBOM for closed-source software, users need a fast way to identify component vulnerabilities and license risk.

The project evolved through v0.3 and v0.4 releases in 2022 and 2023, then v0.5 in 2024. Its README labels the project beta while documenting a broad feature set around providers, output formats, ignore lists, severity filtering, data enrichment, and CI-friendly stdin scanning.

### Adoption history

bomber belongs to the post-SBOM-surge security tooling ecosystem. The input package metadata lists Homebrew plus Linux distribution packages, MacPorts, Pacman, Ubuntu, and zypper, reflecting adoption as a portable security CLI rather than a library embedded in applications.

### How it is used

Typical use is `bomber scan` against one SBOM file or a directory of SBOMs. The README documents OSV as the default no-credential provider, with optional GitHub Advisory Database, Sonatype OSS Index, and Snyk providers, plus stdout, HTML, JSON, and Markdown output modes.

### Why package nerds care

bomber is package-nerd relevant because it treats package metadata itself as the object of security analysis. It sits downstream of SBOM generators such as Syft and normalizes vulnerability lookup across package ecosystems and advisory providers.

### Timeline

- 2022-07-08: Initial repository commit.
- 2022-08-22: v0.1.0 tag and initial public version.
- 2022-09-19: v0.3.0 tag appears during rapid early development.
- 2023-12-13: v0.4.8 tag appears.
- 2024-08-15: v0.5.0 tag appears.
- 2024-09-23: v0.5.1 tag appears.

### Related projects

- CycloneDX, SPDX, and Syft are documented input SBOM formats.
- OSV, GitHub Advisory Database, Sonatype OSS Index, and Snyk are documented vulnerability providers.
- Syft is a common companion tool because it can generate an SBOM and pipe it directly into bomber.

### Sources

- <https://devops-kung-fu.github.io/bomber>
- <https://github.com/devops-kung-fu/bomber#readme>
- <https://github.com/devops-kung-fu/bomber/releases>
- source_facts.package-manager


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** bomber
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Debian apt - bomber - 4:25.04.0-1: normalized package name match | Debian stable package indexes: bomber from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | arcade spaceship game | https://apps.kde.org/bomber/
- Ubuntu apt - bomber - 4:23.08.5-0ubuntu3: normalized package name match | Ubuntu 24.04 LTS package indexes: bomber from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | arcade spaceship game | http://games.kde.org/
- dnf - bomber - 26.04.2-1.fc45: normalized package name match | Fedora Rawhide package metadata: bomber from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Arcade bombing game | https://invent.kde.org/games/bomber
- pacman - bomber - 26.04.2-1: normalized package name match | Arch Linux sync databases: bomber from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | A single player arcade game | https://apps.kde.org/bomber/
- zypper - bomber - 26.04.2-1.1: normalized package name match | openSUSE Tumbleweed package metadata: bomber from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Game involving the invasion of cities with a plane | https://apps.kde.org/bomber
- zypper - bomber-lang - 26.04.2-1.1: normalized package name match | openSUSE Tumbleweed package metadata: bomber-lang from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Translations for package bomber | https://apps.kde.org/bomber
- MacPorts - bomber: normalized package name match | MacPorts ports tree: kde/bomber/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
- winget - KDE.Bomber: normalized package name match | Windows Package Manager source index: KDE.Bomber from https://cdn.winget.microsoft.com/cache/source.msix


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [grype](https://www.automicvault.com/pkg/brew/grype/) - Shares av.db curated category or tags: cli, security, vulnerability-scanner, vulnerability-scanning.
- [nuclei](https://www.automicvault.com/pkg/brew/nuclei/) - Shares av.db curated category or tags: cli, security, vulnerability-scanner, vulnerability-scanning.
- [osv-scanner](https://www.automicvault.com/pkg/brew/osv-scanner/) - Shares av.db curated category or tags: cli, security, vulnerability-scanner, vulnerability-scanning.
- [terrapin-scanner](https://www.automicvault.com/pkg/brew/terrapin-scanner/) - Shares av.db curated category or tags: cli, security, vulnerability-scanner, vulnerability-scanning.
- [vuls](https://www.automicvault.com/pkg/brew/vuls/) - Shares av.db curated category or tags: cli, security, vulnerability-scanner, vulnerability-scanning.
- [clair](https://www.automicvault.com/pkg/brew/clair/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [govulncheck](https://www.automicvault.com/pkg/brew/govulncheck/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [safety](https://www.automicvault.com/pkg/brew/safety/) - Shares av.db curated category or tags: cli, security, vulnerability-scanner, vulnerability-scanning.

## Combined YAML source

View the package source record on GitHub. [combined/bomber.yml](https://github.com/automic-vault/db/blob/main/combined/bomber.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
