Bomly CLI
Analyze Your Software DNA.
Bomly is a free, open-source CLI that scans your projects, SBOMs, and container images, explains where each dependency came from, and surfaces vulnerability and license data when you ask for it.
$ bomly scan --interactive

Packages                      Detail
───────────────────────────   ──────────────────────────────────
react             19.0.0      lodash.template@4.5.0
next              16.0.10     ecosystem  npm
› lodash.template 4.5.0       scope      runtime
follow-redirects  1.15.5      license    MIT
ws                8.13.0      direct     no
semver            7.5.4       path: web → @company/ui-kit
tailwindcss       4.1.9             → react-table
@bomly/sdk        1.4.0             → lodash.template
                              CVE-2024-21501  HIGH  prototype pollution

[/] filter  [↵] open  [esc] back  [q] quit

30+ ecosystems supported — native parsers for the most common, plus Syft for the long tail
6 ways to consume output — text, JSON, SARIF, SPDX, CycloneDX, interactive TUI
MCP: ready for AI agents (Claude, Cursor, custom)
Apache 2.0: free, open source, no telemetry
What is Bomly
A Software Bill of Materials, on demand.
A Software Bill of Materials is an inventory of the packages your software depends on, direct and transitive. Bomly builds one for any project — by reading manifests, lock files, container layers, or existing SBOMs — and tells you what those packages mean: where they came from, what license they ship under, and which ones have known vulnerabilities.
It is a single binary. Run it on your laptop, in CI, or as an MCP tool for an AI agent. There is nothing to host.
Source trees: manifests, lock files
Container images: OCI / Docker
Git refs: branch, tag, or commit
SBOMs: SPDX or CycloneDX
Commands
Three commands. Real answers.
Bomly gives you exactly the verbs a dependency conversation needs — scan, explain, diff — and the same answers from every input shape.
Everything you need to take dependencies seriously
One CLI for scanning, SBOM generation, enrichment, explanation, and diffing — across every major ecosystem developers ship today.
Scan anywhere
Source trees, container images, Git refs, or existing SBOMs. One command, four input shapes.
Native detectors, full graph
Native parsers for the ecosystems developers ship most — Go, npm/pnpm/yarn, Maven, Gradle, Python (pip, Pipenv, Poetry, uv), Ruby, PHP, NuGet, Cargo, and more — resolve transitive relationships and tag each package with its scope (runtime vs. dev/test). Syft fills in the long tail.
SBOMs in one run
Produce SPDX 2.3 and CycloneDX 1.6 JSON side by side with one `-o` flag per format.
Vulnerability data on demand
Enrich with OSV, CISA KEV, deps.dev, ClearlyDefined, and endoflife.date via --enrich. No outbound calls without it.
SARIF for CI
Emit SARIF 2.1.0 so vulnerability findings show up natively in GitHub, GitLab, and Azure DevOps. Stable exit codes (0 / 2 / 4) let scripts branch on outcome.
Reachability
Beta: --reachability narrows findings to advisories your app actually calls. Tier-1 (govulncheck) for Go; Tier-3 import-graph closure for npm, Python, and JVM. Read the docs before gating CI on it.
Extensible by design
Detectors, matchers, and auditors all speak the same gRPC contract Bomly uses internally. Ship your own as a separate binary — see Plugins.
Built for AI agents, too.
Run bomly mcp serve and any MCP-aware agent — Claude Code, Cursor, your own — can call bomly_scan, bomly_explain, and bomly_diff as tools. Every CLI flag is exposed. The agent gets the same answers you would, in JSON it can reason over.
- Three tools, structured output. Agents call bomly_scan, bomly_explain, and bomly_diff; results come back as JSON that's easy to summarize and reason about.
- Stdio MCP, no daemon. Your agent launches Bomly per task. No long-running server, no service to operate.
- Flag parity with the CLI. Anything you can pass on the command line — scope filters, output formats, audit policy — is reachable from the agent.
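What that stdio exchange looks like on the wire, as an added example (not Bomly's own code or a client it ships): a minimal Python client that frames JSON-RPC 2.0 messages one per line, performs the MCP initialize handshake, calls bomly_explain with the same arguments as the transcript on this page, and parses the tool result. It assumes the server accepts MCP protocol revision 2024-11-05 and returns its JSON answer as the text of the first content item in the tools/call result; SAMPLE_RESPONSE is constructed to mirror that shape so the parsing path runs offline.

```python
"""Talk to `bomly mcp serve` over stdio by hand: one JSON-RPC 2.0 object per line.

Added example, not part of Bomly. Assumptions are marked in comments.
"""
from __future__ import annotations

import json
import subprocess
from typing import Any, IO

PROTOCOL_VERSION = "2024-11-05"  # MCP revision this client speaks (assumption: server accepts it)


def jsonrpc(method: str, params: dict[str, Any] | None = None, id_: int | None = None) -> str:
    """Encode one JSON-RPC 2.0 message as a single line; notifications carry no id."""
    msg: dict[str, Any] = {"jsonrpc": "2.0", "method": method}
    if params is not None:
        msg["params"] = params
    if id_ is not None:
        msg["id"] = id_
    return json.dumps(msg, separators=(",", ":"))


def explain_session(target: str, package: str) -> list[str]:
    """The three client messages needed to ask bomly_explain one question."""
    return [
        jsonrpc("initialize", {"protocolVersion": PROTOCOL_VERSION, "capabilities": {},
                               "clientInfo": {"name": "example-agent", "version": "0.0"}}, id_=1),
        jsonrpc("notifications/initialized"),
        jsonrpc("tools/call", {"name": "bomly_explain",
                               "arguments": {"target": target, "package": package}}, id_=2),
    ]


def parse_tool_result(line: str, expect_id: int) -> dict[str, Any]:
    """Unpack a tools/call response. Fails closed on id mismatch, JSON-RPC errors and
    isError results instead of handing an agent a half-parsed answer."""
    msg = json.loads(line)
    if msg.get("id") != expect_id:
        raise ValueError(f"response id {msg.get('id')!r} does not match request {expect_id}")
    if "error" in msg:
        raise RuntimeError(f"JSON-RPC error: {msg['error']}")
    result = msg["result"]
    if result.get("isError"):
        raise RuntimeError(f"tool reported failure: {result.get('content')}")
    # Assumption: Bomly returns its JSON answer as the text of the first text content item.
    text = next(c["text"] for c in result["content"] if c.get("type") == "text")
    return json.loads(text)


def dependency_path(answer: dict[str, Any]) -> list[str]:
    """Flatten the introducedBy chain into a root-to-leaf list of package names."""
    chain: list[str] = []
    for hop in answer["introducedBy"]:
        chain.extend(part.strip() for part in hop.split("→") if part.strip())
    return chain


# Constructed sample: the page's explain answer wrapped as an MCP tools/call result.
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 2,
    "result": {"content": [{"type": "text", "text": json.dumps({
        "ecosystem": "npm", "package": "lodash@4.17.21",
        "introducedBy": ["web → frontend@1.2.0", " → ui-kit@3.4.1",
                         " → lodash.template@4.5.0", " → lodash@4.17.21"],
        "directDependency": False})}], "isError": False},
})


def _wait_for_id(stream: IO[str], want_id: int) -> str:
    """Skip server notifications (no id) until the response for want_id arrives."""
    for line in stream:
        if line.strip() and json.loads(line).get("id") == want_id:
            return line
    raise RuntimeError(f"server closed stdout before answering request {want_id}")


def ask_bomly(target: str, package: str,
              command: tuple[str, ...] = ("bomly", "mcp", "serve")) -> dict[str, Any]:
    """Live run (needs bomly on PATH): launch the server, handshake, ask, return the parsed answer."""
    init, initialized, call = explain_session(target, package)
    proc = subprocess.Popen(list(command), stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    assert proc.stdin is not None and proc.stdout is not None
    try:
        proc.stdin.write(init + "\n")
        proc.stdin.flush()
        _wait_for_id(proc.stdout, 1)  # the server's initialize result must come back first
        proc.stdin.write(initialized + "\n" + call + "\n")
        proc.stdin.flush()
        return parse_tool_result(_wait_for_id(proc.stdout, 2), expect_id=2)
    finally:
        proc.stdin.close()
        proc.wait(timeout=30)


if __name__ == "__main__":
    print(" -> ".join(dependency_path(ask_bomly("./web", "lodash"))))
```

The handshake is sequential on purpose: the client waits for the initialize result before sending notifications/initialized and the tool call, which is what the MCP lifecycle requires. An agent integration would keep the process open across several tools/call requests rather than one per question, but the framing and the fail-closed parsing stay the same.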
$ bomly mcp serve
Starting Bomly MCP server (stdio) ...
Registered tools:
  bomly_scan              Scan a path, image, Git URL, or SBOM.
  bomly_explain           Show the dependency path for a package.
  bomly_diff              Compare dependency state across refs or SBOMs.
  bomly_vuln_fix_context  Get fix context for a vulnerability.
  bomly_plugins           List registered Bomly plugins.
Awaiting client on stdio ...

> Why is lodash in our web bundle?

tool: bomly.explain { "target": "./web", "package": "lodash" }

{
  "ecosystem": "npm",
  "package": "lodash@4.17.21",
  "introducedBy": [
    "web → frontend@1.2.0",
    " → ui-kit@3.4.1",
    " → lodash.template@4.5.0",
    " → lodash@4.17.21"
  ],
  "directDependency": false
}

Lodash is pulled in transitively through ui-kit's use of lodash.template. It is not a direct dep.

Built to be extended.
Every stage of the Bomly pipeline — detection, enrichment, audit — is a contract. Implement it once as a small Go binary, hand it to Bomly over gRPC, and your code runs beside the built-ins with the same access to graphs, packages, and findings.
Detectors
Plug in your own ecosystem reader. If you can express "these files mean these packages," Bomly turns it into a dependency graph the rest of the pipeline understands.
Matchers
Bring an extra signal — internal advisories, license overrides, package provenance — and attach it to packages alongside OSV and KEV data.
Auditors
Turn enriched graphs into findings. Encode your team's policy as a plugin and let `--audit` do the rest.
Trust & security
Built to run in sensitive environments.
Bomly is a security tool. Here is exactly what it does — and does not — do.
Apache 2.0
Free and open source. No proprietary lock-in, no subscription required to run locally or in CI.
No telemetry
Bomly never phones home. There is no usage tracking, no crash reporting, and no remote calls by default; the one exception, build-tool-based detectors such as Maven or Gradle resolving packages from their registries, is described below.
Network enrichment is opt-in
Vulnerability and license enrichment runs only when you pass --enrich. Nothing leaves your machine otherwise.
Checksummed releases
Every release ships a SHA256SUMS file so you can verify a downloaded binary against a known digest before deploying it in CI.
SARIF & CI output
Emit findings as SARIF and gate merges on policy. Works with GitHub Code Scanning and any SARIF-aware CI.
Open-source detectors & matchers
All ecosystem detectors and vulnerability matchers are in the public repo — auditable and extensible.
Opt-in enrichment pulls from OSV, CISA KEV, deps.dev, ClearlyDefined, and endoflife.date — publicly available, open data sources.
Some detectors based on build tools (such as Maven or Gradle) may resolve packages from the relevant package registry as part of constructing the dependency graph. This is inherent to how those build tools work and applies only to projects that use those ecosystems.
Install Bomly in under a minute.
Bomly is one binary. Pick the method that fits your environment and you're ready to run bomly scan.
go install github.com/bomly-dev/bomly-cli/cmd/bomly@latest

@latest resolves to the newest tagged release at install time; to pin, replace it with a specific version tag. Note that SHA256SUMS covers the prebuilt release binaries; a go install build is compiled locally and its checksum will differ. Full release notes and checksums: github.com/bomly-dev/bomly-cli/releases
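Verifying a downloaded release against SHA256SUMS before it goes anywhere near CI, as an added example (not Bomly's own tooling): a small Python checker that parses GNU-style checksum lines, hashes the file in chunks, compares in constant time, and fails closed when the file has no entry at all. The archive name used in demo() is hypothetical and the bytes it hashes are constructed; substitute the asset name that actually appears in the release's SHA256SUMS.

```python
"""Verify a downloaded release archive against its SHA256SUMS file.

Added example, not part of Bomly. The archive name in demo() is hypothetical.
"""
from __future__ import annotations

import hashlib
import hmac
import tempfile
from pathlib import Path

HEX = set("0123456789abcdefABCDEF")


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse GNU-style 'HEX  name' lines; also accepts binary-mode 'HEX *name' lines."""
    expected: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # drop the second separator space or the '*' binary marker
        if len(digest) != 64 or any(c not in HEX for c in digest):
            raise ValueError(f"malformed digest on line: {line!r}")
        expected[name] = digest.lower()
    return expected


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, streamed so large archives are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_release(archive: Path, sums: Path) -> bool:
    """True iff the archive's digest matches its SHA256SUMS entry.

    A file with no entry raises rather than returning True: an unlisted asset
    must fail closed, not pass because there was nothing to compare against.
    """
    expected = parse_sha256sums(sums.read_text())
    if archive.name not in expected:
        raise KeyError(f"{archive.name} is not listed in {sums}")
    return hmac.compare_digest(sha256_file(archive), expected[archive.name])


def demo() -> tuple[bool, bool]:
    """Constructed data: a fake archive with a matching SHA256SUMS, then the same file tampered."""
    with tempfile.TemporaryDirectory() as d:
        archive = Path(d) / "bomly_0.0.0_linux_amd64.tar.gz"  # hypothetical asset name
        sums = Path(d) / "SHA256SUMS"
        archive.write_bytes(b"not really a tarball")
        sums.write_text(f"{sha256_file(archive)}  {archive.name}\n")
        intact = verify_release(archive, sums)
        archive.write_bytes(b"not really a tarball, modified in transit")
        tampered = verify_release(archive, sums)
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

On a host with coreutils the same check is `sha256sum --check --ignore-missing SHA256SUMS` run next to the downloaded file; the script above is for pipelines where you want the missing-entry case to be an explicit error rather than a silent skip.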
Register Bomly as an MCP server in your agent of choice. Here is the snippet for Claude Code's ~/.claude.json:
{
"mcpServers": {
"bomly": {
"command": "bomly",
"args": ["mcp", "serve"]
}
}
}

See the Getting started guide for Cursor, VS Code, and custom-agent recipes.
Read about how Bomly works
Each guide explains one piece of the pipeline — what it does, when it runs, and how to configure or extend it.
Getting started: install Bomly and run your first scan in five minutes.
Scan targets: source trees, container images, Git refs, and existing SBOMs.
Detectors: how Bomly turns project evidence into a dependency graph, ecosystem by ecosystem.
Matchers: OSV, KEV, deps.dev, ClearlyDefined, endoflife.date, and the cache that backs them.
Auditors: --fail-on grammar, severity precedence, SARIF, exit codes.
CI integration: drop-in recipes for GitHub Actions, GitLab, Jenkins, Azure DevOps, CircleCI.
SBOM formats: SPDX 2.3 vs. CycloneDX 1.6, ingest, conversion, diffing.
Reachability (beta): narrow findings to advisories your app actually calls. Experimental.
Try Bomly on your project.
One binary, no signup, no telemetry. Install it, run bomly scan, see what you depend on.