Post by Ahmed ElMallah

Bomly is now open source

A free, open-source CLI for understanding the dependencies in your projects — what you ship, what's risky, and why.

Bomly is a command-line tool for understanding the dependencies in your projects: what you actually ship, which packages carry known advisories, where licenses need attention, and how your dependency graph changes from one commit to the next. It's free, Apache 2.0 licensed, and open source.

📦 Scan anything, in any language

Point Bomly at a source tree and it discovers your projects automatically — no configuration required. It detects package manifests across 30+ ecosystems including npm, Go modules, PyPI, Maven, Cargo, RubyGems, NuGet, Composer, and more. It reads lockfiles where they exist and falls back to manifests when they don't.

bomly scan

The same command works on SBOMs you've already generated (SPDX and CycloneDX) and on container images — local or remote. Point it at a Docker image and it finds the packages inside.

bomly scan --image ghcr.io/your-org/your-app:latest

🔍 Vulnerability and advisory enrichment

By default Bomly works entirely from your local manifests. When you want advisory and license data, opt in with --enrich:

bomly scan --enrich

This queries public advisory databases and license registries and attaches the results to each package: CVE IDs, GHSA advisories, severity scores, fix versions, and license identifiers — enough to make an informed decision about every finding.

[Image: Bomly scan pipeline — detect, enrich, audit]

Under the hood, --enrich runs multiple matchers in parallel: Grype for vulnerabilities, deps.dev and ClearlyDefined for licenses, OpenSSF Scorecard for supply-chain posture, and endoflife.date for lifecycle status. Every output derives from the same resolved graph.

🚨 Audit findings and CI gating

--audit turns enrichment data into structured findings with a pass/fail verdict. --fail-on is repeatable, so you can layer constraints — here failing only on findings that are both high severity and confirmed reachable by your code (--analyze, described under "What's coming", supplies the reachability data):

bomly scan --enrich --audit --analyze --fail-on high --fail-on reachable

This is how you add a security gate to CI: one command, one exit code.

📄 Output formats for every workflow

Bomly speaks the formats your toolchain already understands. Use --json as a shortcut for structured output, combine multiple outputs in a single pass, or target both SBOM formats at once:

# Stream structured JSON to stdout
bomly scan --enrich --json

# Write text to stdout; also save markdown and SARIF
bomly scan --enrich --audit \
  -o markdown=summary.md \
  -o sarif=bomly.sarif

# Produce both SBOM formats in one scan
bomly scan \
  -o spdx=sbom.spdx.json \
  -o cyclonedx=sbom.cdx.json

Detector and matcher work runs once — all outputs derive from the same in-memory graph. Available formats: text, json, markdown, sarif, spdx, cyclonedx.
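Since SARIF is the format a CI system or Security tab consumes, the script below shows how a pipeline step can post-process a SARIF file: count results by level, resolve rule descriptions, and decide whether the build should fail. This is an added example, not Bomly's own code; the report it parses is constructed and follows the standard SARIF 2.1.0 layout (runs[].tool.driver.rules, runs[].results), and the rule ids, package names and advisory ids in it are placeholders rather than anything Bomly emits.

```python
"""Summarize a SARIF 2.1.0 report and decide whether it should fail a pipeline.

Added example, not Bomly's own code. SAMPLE_SARIF is constructed; rule ids,
package names and advisory ids are placeholders.
"""
import json
from collections import Counter

# SARIF result levels in increasing order of seriousness. Per the SARIF 2.1.0
# specification a result with no "level" defaults to "warning".
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "bomly", "rules": [
            {"id": "vuln/critical-in-lockfile",
             "shortDescription": {"text": "Advisory with critical severity"}},
            {"id": "license/needs-review",
             "shortDescription": {"text": "License requires review"}},
            {"id": "lifecycle/end-of-life",
             "shortDescription": {"text": "Runtime past end of life"}},
        ]}},
        "results": [
            {"ruleId": "vuln/critical-in-lockfile", "level": "error",
             "message": {"text": "liba 1.2.3 affected by ADV-EXAMPLE-1"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}}}]},
            {"ruleId": "license/needs-review", "level": "warning",
             "message": {"text": "libb 2.0.0 is licensed under EXAMPLE-LICENSE"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.sum"}}}]},
            # No "level" and no location: exercises the spec defaults.
            {"ruleId": "lifecycle/end-of-life",
             "message": {"text": "runtime 1.0 reached end of life"}},
        ],
    }],
})

EMPTY_SARIF = '{"version": "2.1.0", "runs": []}'


def iter_results(sarif_text):
    """Yield one flat record per SARIF result, joined with its rule description."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')}")
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r.get("shortDescription", {}).get("text", "")
                 for r in driver.get("rules", []) if "id" in r}
        for res in run.get("results", []):
            uris = [loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "?")
                    for loc in res.get("locations", [])]
            yield {
                "rule": res.get("ruleId", "?"),
                "description": rules.get(res.get("ruleId"), ""),
                "level": res.get("level", "warning"),
                "message": res.get("message", {}).get("text", ""),
                "artifacts": uris or ["<no location>"],
            }


def count_by_level(sarif_text):
    """Histogram of result levels, e.g. {'error': 1, 'warning': 2}."""
    return dict(Counter(r["level"] for r in iter_results(sarif_text)))


def blocking_results(sarif_text, min_level="error"):
    """Results at or above min_level; unknown levels are treated as 'warning'."""
    floor = LEVEL_RANK[min_level]
    return [r for r in iter_results(sarif_text)
            if LEVEL_RANK.get(r["level"], LEVEL_RANK["warning"]) >= floor]


def should_fail(sarif_text, min_level="error"):
    """Pipeline verdict: fail when any result reaches the configured level."""
    return bool(blocking_results(sarif_text, min_level))


if __name__ == "__main__":
    print(count_by_level(SAMPLE_SARIF))
    for r in blocking_results(SAMPLE_SARIF, "error"):
        print(f"{r['level']:8} {r['rule']:28} {', '.join(r['artifacts'])}: {r['message']}")
    print("fail" if should_fail(SAMPLE_SARIF) else "pass")
```

Mapping a missing level to "warning" and a missing location to a placeholder keeps the gate predictable when a producer omits optional fields; a stricter pipeline can raise the floor to "warning" to also block license-review findings.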

🖥️ Walk the dependency graph interactively

Sometimes you want to explore rather than report. --interactive opens a full terminal UI that lets you walk the dependency graph by hand: fuzzy-find a package, see every path that brought it into your build, pivot to a finding, and read the full advisory — without writing anything to disk.

bomly scan --enrich --audit --interactive

[Image: Bomly interactive TUI — scan overview dashboard]

The overview dashboard shows components, vulnerability severity, license distribution, relationship depth, and scope — all without leaving the terminal.

🔎 Explain any package

bomly explain gives you a deep-dive on a single package: every dependency path that brought it into the graph, its license, any advisories, and where it sits in the ecosystem.

bomly explain lodash --enrich

It works whether or not you ran a scan first — point it at any package name and it resolves the context from your current project.

↔️ Track what changes between commits

bomly diff compares two dependency snapshots and reports only what changed: new packages, removed packages, version bumps, and any advisories or license issues introduced by those changes:

bomly diff --base main --head feature/new-auth --enrich --audit

Findings are classified as introduced, resolved, or persisted. --fail-on only matches against the introduced set, so a clean PR passes even when the repo has pre-existing debt. This is the foundation that Bomly Guard is built on.
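The two policy rules described on this page (repeatable --fail-on constraints that must all hold, from the CI gating section above, and diff classification where only the introduced set is gated) are small enough to show end to end. The script below is an added example, not Bomly's own code: it assumes a finding is identified by (package, advisory id), that a --fail-on value is either a severity floor such as "high" or the flag "reachable", and it uses constructed snapshots with placeholder package names and advisory ids.

```python
"""Classify findings across two dependency snapshots and gate on what a change introduces.

Added example, not Bomly's own code. Assumptions: a finding is identified by
(package, advisory); each --fail-on value is a severity floor ("high") or the
flag "reachable"; all values must hold at once.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory: str            # advisory id (the ids below are constructed placeholders)
    severity: str            # one of SEVERITY_RANK
    reachable: bool = False  # whether analysis confirmed a path to the vulnerable code

    @property
    def key(self):
        # Version is deliberately excluded: a bump that does not fix the advisory
        # should read as "persisted", not as a fresh introduction.
        return (self.package, self.advisory)


def classify(base, head):
    """Split findings into introduced (head only), resolved (base only), persisted (both)."""
    base_by_key = {f.key: f for f in base}
    head_by_key = {f.key: f for f in head}
    return {
        "introduced": [f for k, f in head_by_key.items() if k not in base_by_key],
        "resolved": [f for k, f in base_by_key.items() if k not in head_by_key],
        "persisted": [f for k, f in head_by_key.items() if k in base_by_key],
    }


def matches_policy(finding, fail_on):
    """True when the finding satisfies every --fail-on constraint (they combine with AND)."""
    for constraint in fail_on:
        if constraint in SEVERITY_RANK:
            if SEVERITY_RANK[finding.severity] < SEVERITY_RANK[constraint]:
                return False
        elif constraint == "reachable":
            if not finding.reachable:
                return False
        else:
            raise ValueError(f"unknown --fail-on value: {constraint}")
    return True


def gate(base, head, fail_on):
    """Return (passed, blocking), considering only findings the change introduced."""
    introduced = classify(base, head)["introduced"]
    blocking = [f for f in introduced if matches_policy(f, fail_on)]
    return len(blocking) == 0, blocking


# Constructed snapshots. Package names and advisory ids are placeholders.
BASE = [
    Finding("liba", "1.0.0", "ADV-EXAMPLE-1", "high", reachable=True),   # pre-existing debt
    Finding("libb", "2.0.0", "ADV-EXAMPLE-2", "medium"),                 # fixed by the change
]
HEAD = [
    Finding("liba", "1.0.1", "ADV-EXAMPLE-1", "high", reachable=True),   # bumped, still affected
    Finding("libc", "3.0.0", "ADV-EXAMPLE-3", "critical", reachable=True),  # new and reachable
    Finding("libd", "0.9.0", "ADV-EXAMPLE-4", "low"),                    # new, low, unreachable
]

if __name__ == "__main__":
    for name, items in classify(BASE, HEAD).items():
        print(name, [f"{f.package}:{f.advisory}" for f in items])
    passed, blocking = gate(BASE, HEAD, ["high", "reachable"])
    print("pass" if passed else "fail", [f.advisory for f in blocking])
```

With the snapshots above, "high" plus "reachable" blocks only the new critical, reachable finding in libc; the pre-existing high in liba is persisted and never counts against the change, which is what lets a clean PR pass on a repository with existing debt.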

🛡️ Gate pull requests with Bomly Guard

Bomly Guard is the official GitHub Action that wraps bomly diff and runs it on every pull request. It compares the PR head against its merge base, posts a summary comment, uploads findings to the Security tab as SARIF annotations, and fails the required check when policy isn't met.

- uses: bomly-dev/bomly-guard@v1
  with:
    fail-on: high
    comment-summary-in-pr: on-failure

[Image: Bomly Guard required check on a pull request]

The policy you set locally with --fail-on is exactly the policy Guard enforces on PRs — no separate configuration to keep in sync.

🤖 AI agents can query your dependencies directly

Bomly runs an MCP server that AI coding agents can connect to and call as a tool:

bomly mcp serve

With this running, tools like Claude can ask questions about your dependency graph — what packages are present, whether any carry known issues, what licenses are in scope — without you having to copy-paste output or write a script. It's the same data the CLI surfaces, made available as structured tool calls your agent can invoke mid-conversation.

🔌 Extend with plugins

Bomly's plugin system lets you add new detectors, matchers, and auditors without rebuilding the binary. Plugins are Go binaries using the public sdk package, distributed and installed through Bomly's plugin manager:

bomly plugin install github.com/your-org/your-plugin@latest
bomly plugin enable your-plugin

This means you can teach Bomly to detect a custom internal manifest format, enrich packages from a private advisory feed, or implement org-specific policy checks — and share those plugins across teams without touching the core.

🔭 What's coming

A few capabilities already in active development:

Reachability analysis. bomly scan --analyze annotates each advisory with whether your application code actually reaches the vulnerable code. For Go, analysis runs at symbol level using govulncheck — it traces the exact call graph from your code to the vulnerable function. For JavaScript, Python, and Java, analysis currently runs at package level, which is useful for filtering out dev-only and transitive-but-unused dependencies. Ecosystem coverage is expanding.

SBOM attestations. Signing and attesting SBOMs as build provenance artifacts, so downstream consumers can verify that the SBOM was produced from a known build and hasn't been tampered with.

Get started

go install github.com/bomly-dev/bomly-cli/cmd/bomly@latest
bomly scan

The getting-started guide walks from install to your first enriched scan in a few minutes. Everything is in the open on GitHub — issues, feature requests, and contributions are welcome.