sbomqs is the industry-leading tool for evaluating SBOM quality, ensuring compliance, and managing your software supply chain security. From quality scoring to compliance validation, component analysis to vulnerability tracking - sbomqs provides everything you need to work with SBOMs effectively.
"sbomqs is listed as a relevant tool in the SBOM ecosystem" - SBOM Generation White Paper, 2025
```bash
# Install via Homebrew
brew tap interlynk-io/interlynk
brew install sbomqs

# Get your first quality score
sbomqs score your-sbom.json
```

Full Getting Started Guide - Installation for all platforms and basic usage
In today's software landscape, understanding and managing your software supply chain is critical. Whether you're in healthcare dealing with FDA requirements, automotive following NHTSA guidelines, or any regulated industry, sbomqs helps you:
- Instantly assess SBOM quality - Know if your SBOMs meet quality standards
- Ensure compliance - Validate against BSI, NTIA, FSCT, and industry standards
- Find vulnerabilities - Identify components missing security identifiers
- Automate workflows - Integrate into CI/CD pipelines with ease
- Share results - Generate shareable reports and quality scores
- Multi-Standard Support: SPDX, CycloneDX
- Compliance Validation: BSI TR-03183-2 (v1.1 & v2.0), FSCT v3, OpenChain Telco, NTIA
- Quality Scoring: 0-10 scale with detailed breakdowns
- Component Analysis: List, filter, and analyze SBOM components
- Integration Ready: Docker, CI/CD, Dependency-Track, GitHub Actions
- Shareable Reports: Generate public quality score links
- Air-Gapped Support: Works in isolated environments
- Getting Started - Installation and basic usage
- score - Calculate SBOM quality score
- compliance - Check regulatory compliance
- list - List and filter components
- share - Generate shareable reports
- dtrackScore - Dependency-Track integration
- generate - Generate configuration files
- version - Version information
- Customization - Create custom scoring profiles
- Integrations - CI/CD and tool integrations
- Policy - Policy enforcement and validation
- Quality Checks - All scoring criteria explained
- Compliance Standards - BSI, NTIA, FSCT mappings
```bash
# Get a quality score (0-10)
sbomqs score -b my-app.spdx.json

# See detailed breakdown
sbomqs score my-app.spdx.json

# Check specific category
sbomqs score my-app.spdx.json --category NTIA-minimum-elements
```

```bash
# BSI TR-03183-2 v2.0
sbomqs compliance --bsi-v2 my-app.spdx.json

# FSCT v3
sbomqs compliance --fsct my-app.spdx.json

# OpenChain Telco
sbomqs compliance --oct my-app.spdx.json
```

```bash
# Components without versions
sbomqs list my-app.spdx.json --feature comp_with_version --missing

# Components without suppliers
sbomqs list my-app.spdx.json --feature comp_with_supplier --missing
```

```bash
# Generate shareable link (doesn't upload SBOM content)
sbomqs share my-app.spdx.json
```

- Healthcare & Medical Devices: Meet FDA SBOM requirements for medical device submissions
- Automotive: Comply with NHTSA cybersecurity guidelines for vehicle software
- Financial Services: Support DORA and PCI DSS software transparency requirements
- Telecommunications: Ensure critical infrastructure security with OpenChain Telco
- Enterprise Software: Manage supply chain risk with comprehensive quality metrics
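The `score -b` and `list --missing` commands above can be combined into a CI quality gate that fails a build when an SBOM scores below a threshold and prints the components responsible. This is an added example, not part of the sbomqs project; it assumes the basic (`-b`) output places the numeric score in the first whitespace-separated field, and `MIN_SCORE` is a threshold chosen here for illustration.

```bash
#!/bin/sh
# Added example: gate a CI job on the sbomqs quality score.
# Assumption: `sbomqs score -b FILE` prints the score as the first
# whitespace-separated field of its output line.
set -eu

MIN_SCORE="${MIN_SCORE:-7.0}"   # illustrative threshold on the 0-10 scale

# parse_score LINE -> prints the numeric score from a basic-output line
parse_score() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# score_passes SCORE MIN -> exit 0 when SCORE >= MIN (float compare via awk)
score_passes() {
    awk -v s="$1" -v m="$2" 'BEGIN { exit !(s + 0 >= m + 0) }'
}

# gate_sbom FILE MIN -> runs sbomqs, prints a verdict, returns 1 on failure
gate_sbom() {
    file="$1"; min="$2"
    line="$(sbomqs score -b "$file")"
    score="$(parse_score "$line")"
    if score_passes "$score" "$min"; then
        printf 'PASS %s scored %s (minimum %s)\n' "$file" "$score" "$min"
    else
        printf 'FAIL %s scored %s (minimum %s)\n' "$file" "$score" "$min"
        # Explain the shortfall: components lacking versions or suppliers
        sbomqs list "$file" --feature comp_with_version --missing
        sbomqs list "$file" --feature comp_with_supplier --missing
        return 1
    fi
}

# Run the gate only when an SBOM path is given (e.g. in a CI step)
if [ "$#" -ge 1 ]; then
    gate_sbom "$1" "$MIN_SCORE"
fi
```

Invoke as `MIN_SCORE=8.0 ./gate.sh my-app.spdx.json`; a non-zero exit fails the pipeline stage.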
Our SBOM Automation Platform has a free community tier that provides a comprehensive solution for managing SBOMs (Software Bills of Materials). It offers centralized SBOM storage, a built-in SBOM editor, and vulnerability mapping and assessment, while ensuring compliance and strengthening software supply chain security through integrated SBOM quality scores. The community tier is ideal for small teams. Learn more here or Sign up
We welcome contributions! Here's how to get started:
- Fork the repository
- Create your feature branch (git checkout -b feature/amazing-feature)
- Commit your changes (git commit -sam 'Add amazing feature')
- Push to the branch (git push origin feature/amazing-feature)
- Open a Pull Request
Please ensure:
- All commits are signed
- Tests pass (make test)
- Code follows our style guide (make lint)
sbomqs has gained significant adoption across the industry for SBOM quality assessment and compliance validation:
- Soeiro, L., Robert, T., & Zacchiroli, S. (2025). Wild SBOMs: a Large-scale Dataset of Software Bills of Materials from Public Code. 22nd IEEE/ACM International Conference on Mining Software Repositories (MSR 2025). arXiv:2503.15021. Usage: Uses sbomqs to compute quality scores for over 78,000 SBOMs in their large-scale dataset from 94 million GitHub repositories.
- Novikov, O., Fucci, D., Adamov, O., & Mendez, D. (2025). Policy-Driven Software Bill of Materials on GitHub: An Empirical Study. arXiv preprint, arXiv:2509.01255. Usage: Uses sbomqs to assess the quality of 620 policy-driven SBOMs found on GitHub, calculating a quality score based on structural and semantic completeness.
- SBOM Generation White Paper (2025). SBOM Community, February 2025. Citation: Lists sbomqs as a "relevant tool in the SBOM ecosystem" and highlights it as demonstrating best practices in SBOM quality assessment.
- OpenChain Telco SBOM Guide v1.1 (2025). OpenChain Project. Usage: References sbomqs as a recommended tool for telecommunications operators managing complex software supply chains, particularly for its ability to validate SBOMs across multiple formats.
- Company: Harness Inc.
- Usage: Uses sbomqs as the engine powering their SBOM quality scoring feature
- Features: Provides quality scores from 1-10 for generated SBOMs with SBOM drift detection capabilities
- Reference: Harness Developer Hub
- Blog Post: Level Up your Zero-day Vulnerability Remediation and SBOM Quality (May 2025)
- Platform: sbom.sh
- Usage: Uses the sbomqs engine to evaluate and score uploaded SBOMs
- Features: Automatically generates a quality score (1-10) based on metadata completeness, component coverage, and spec compliance (SPDX/CycloneDX), displaying results directly in the web interface
- Platform: sbombenchmark.dev
- Usage: Uses the sbomqs engine for scoring CycloneDX and SPDX SBOMs
- Features: Provides shareable quality reports without requiring SBOM uploads
- Company: Interlynk Inc.
- Milestone: Reached 100 customers on community tier, including four Fortune 500 companies
- Integration: sbomqs integrated for SBOM quality assessment across the platform
- GitHub Actions via Docker (ghcr.io/interlynk-io/sbomqs)
- Homebrew (brew install sbomqs)
- Go modules (go install)
- Docker Hub & GitHub Container Registry
- Uniget tools repository
Trusted for validating compliance with:
- NTIA Minimum Elements
- BSI TR-03183-2 (v1.1 & v2.0)
- OpenChain Telco (OCT)
- Framing Software Component Transparency (FSCT v3)
Interlynk provides a comprehensive suite of SBOM tools:
- SBOM Assembler - Complete SBOM toolkit (Merging/Enriching/Signing and Editing)
- SBOM Explorer - Search and download from public repositories
- SBOM Search Tool - Context-aware repository search
- SBOM Seamless Transfer - Transfer between systems
- SBOM Benchmark - Repository of SBOM quality scores
- sbomqs and SBOM Policies
- sbomqs scoring support for BSI-1.1 and BSI-2.0
- What's Missing in Your SBOM
- Community Slack
- Live Chat
- Email
- GitHub Issues
- Follow us on X
If sbomqs helps you improve your SBOM quality and compliance, please star this repository!
sbomqs - Building trust in software supply chains, one SBOM at a time.
Made with ❤️ by Interlynk.io